Time to Update to Flex SDK 3.5a

If you are using a Flex SDK before 3.5a then it’s probably time to update. Flex SDKs before 3.4 have a security vulnerability. I believe the problem is actually in the HTML template, so when you update make sure that you also update the HTML templates that you are using. The Flex SDK 3.4 had the double responder bug. And the initial release of Flex SDK 3.5 had a bug with AIR’s ApplicationUpdaterUI. If you overlay your own AIR SDK on top of the Flex SDK then be aware that you will actually be overwriting the ApplicationUpdaterUI fix (comments in the bug report discuss how to deal with that).

So it’s time to move to the latest Flex SDK 3.5a!

Also, if you are using BlazeDS, LCDS, or FDS then it’s time to update that as well due to a security vulnerability that was published yesterday.

Flash Builder 4 Data Wizards with Java / Spring

UPDATE 1: Flash Builder 4, BlazeDS 4, and Spring 1.0.3 have all been released, so you no longer have to use beta or nightly builds of these products. Use the production versions!

UPDATE 2: I’ve done a second part to this screencast that combines Flex 4, Flash Builder 4, Spring 3, BlazeDS 4, and Hibernate 3.

UPDATE 3: A Refcard on Integrating Spring 3 and Flex 4, which I co-authored, is now available! It provides a step-by-step tutorial for setting up everything I show in the video below.

Connecting a Flex 4 application to a Java / Spring back-end couldn’t be easier in Flash Builder 4’s new Data Wizards. I’ve recorded a screencast that shows how to set up the web application project, configure Spring & BlazeDS, and then build a Flex 4 application that connects to the Java / Spring back-end. Check it out and let me know what you think.


My MAX 2009 Sessions

MAX 2009 is coming fast! It’s going to be another great event with tons of great speakers and after party fun. Here are my sessions this year:

Also Drunk on Software will be there filming some episodes.

So this is certainly a MAX you don’t want to miss! I hope to see you there!

Also check out the very cool MAX Widget (there are some funny facts about me in there):

Protected Messaging in Flex with BlazeDS and LCDS

UPDATE: BlazeDS 4 and LCDS 3.1 now have built-in support to disallow subscriptions to wildcard subtopics. Just set the following parameter on the messaging destination’s server properties:


You no longer need to use the ProtectedMessagingAdapter from the code examples below in order to protect your messages.

One of the great things about Flex is how easy it is to set up publish and subscribe messaging using BlazeDS, LCDS, or other various server technologies. Basically a Flex application can be either a Consumer of messages from the server, a Producer of messages to the server, or both. The channels that are used for the actual transport can vary dramatically depending on the needs. Here is a great blog that explains the different transports. No matter what transport / channel is used the API in Flex is the same. If you’d like to see how to use those APIs check out this video I recorded.

Many times with pub/sub messaging the messages should only be sent to a subset of the subscribers. There are two ways to achieve this in Flex – either using a subtopic or a selector. Subtopics allow simple dot-separated expressions such as “stocks.ADBE”, which would allow Flex clients to subscribe only to messages about the ADBE stock. A Flex client could also subscribe to wildcard subtopics like “stocks.*” or “*”. The developer usually hard-codes the subtopics (if any) that an app will use.

Subtopics seem like a great way to send point-to-point or point-to-group messages. To send a message to a particular client it’s as easy as setting the subtopic of the message to a special complex token – usually a generated UID or the server’s session ID. The subscriber then subscribes to a subtopic with that particular complex token and none of the other clients listening on that messaging destination will receive that message. Or maybe they can…

A malicious developer could easily determine the endpoint being used by an application. After discovering this they could also very easily create a Flex application that subscribes to the “*” subtopic of a messaging destination. Then the server would send them ALL of the messages on all of the subtopics for that destination. Pretty scary stuff. To see an example of this follow these steps:

  1. Open the test application
  2. Open the hacker application
  3. Click the send button in the test application
  4. Watch the message appear in the regularDestination output panel of the hacker application

Both panels use the same messaging API and the same subtopic to send and receive messages. However, the protectedDestination uses a customized Messaging Adapter that doesn’t allow subscriptions to subtopics containing a wildcard (“*”). Here is the Java code for the ProtectedMessagingAdapter:

package com.jamesward;
import flex.messaging.services.messaging.Subtopic;
import flex.messaging.services.messaging.adapters.ActionScriptAdapter;
public class ProtectedMessagingAdapter extends ActionScriptAdapter {
    // Reject any subscription whose subtopic contains a wildcard ("*"), so a
    // client cannot subscribe to "*" or "stocks.*" and receive every message.
    @Override
    public boolean allowSubscribe(Subtopic subtopic) {
        return !subtopic.containsSubtopicWildcard();
    }
}

Here is an example of how to use the new adapter in the messaging-config.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<service id="message-service" class="flex.messaging.services.MessageService">
    <adapters>
        <adapter-definition id="protectedMessagingAdapter" class="com.jamesward.ProtectedMessagingAdapter"/>
    </adapters>
    <default-channels>
        <channel ref="my-polling-amf"/>
    </default-channels>
    <destination id="protectedDestination">
        <adapter ref="protectedMessagingAdapter"/>
    </destination>
</service>

If you are using subtopics (or selectors) to protect messages from being sent to the wrong people, then I highly recommend that you use my ProtectedMessagingAdapter or an equivalent safeguard so that malicious hackers can’t snoop on private messages or send impostor messages. In my demo I run both the test app and the hacker app on the same server, but this can be done in other ways (such as proxy servers or local apps). Also, authentication may not protect you, because a malicious user might also be an authenticated user. So the only real solution is to protect destinations from subscriptions to wildcard subtopics.
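To make the four-step demo above concrete without a BlazeDS server, here is an added example (my own code, not the post’s or BlazeDS’s) that models dot-separated subtopics with “*” wildcards and replays the scenario against a regularDestination and a protectedDestination. The matching rules, the Destination class, the client names and the private token are all constructed for the demo; only the contains_wildcard check mirrors the ProtectedMessagingAdapter.allowSubscribe logic shown above.

```python
# Added example (not BlazeDS or the post's own code): a small model of
# dot-separated subtopic matching with "*" wildcards, used to show why an
# unrestricted "*" subscription receives every message on a destination and
# how an allowSubscribe-style check closes that hole.
from collections import defaultdict

SEPARATOR = "."
WILDCARD = "*"


def contains_wildcard(subtopic):
    """Equivalent of the Subtopic.containsSubtopicWildcard() check in the post."""
    return WILDCARD in subtopic.split(SEPARATOR)


def subtopic_matches(subscription, message_subtopic):
    """Simplified matching model (an assumption, not the exact BlazeDS rules):
    a "*" segment matches one segment, and a trailing "*" matches the rest."""
    sub = subscription.split(SEPARATOR)
    msg = message_subtopic.split(SEPARATOR)
    for i, token in enumerate(sub):
        if token == WILDCARD and i == len(sub) - 1:
            return True
        if i >= len(msg) or (token != WILDCARD and token != msg[i]):
            return False
    return len(sub) == len(msg)


class Destination:
    """In-memory stand-in for a messaging destination; constructed for this demo."""

    def __init__(self, name, allow_wildcard_subscriptions):
        self.name = name
        self.allow_wildcard_subscriptions = allow_wildcard_subscriptions
        self.subscriptions = defaultdict(set)  # client id -> subscribed subtopics

    def subscribe(self, client_id, subtopic):
        """Mirrors ProtectedMessagingAdapter.allowSubscribe: reject wildcard
        subtopics on a protected destination. Returns True if accepted."""
        if not self.allow_wildcard_subscriptions and contains_wildcard(subtopic):
            return False
        self.subscriptions[client_id].add(subtopic)
        return True

    def publish(self, subtopic, body):
        """Deliver one message; returns {client id: [bodies]} for recipients."""
        delivered = defaultdict(list)
        for client_id, subs in self.subscriptions.items():
            if any(subtopic_matches(s, subtopic) for s in subs):
                delivered[client_id].append(body)
        return dict(delivered)


def run_demo():
    """Replays the post's four steps against a regular and a protected destination.
    The private token is a constructed value standing in for a generated UID."""
    private_token = "session-7f3a"  # constructed, not a real session id
    results = {}
    for name, allow in (("regularDestination", True), ("protectedDestination", False)):
        dest = Destination(name, allow)
        dest.subscribe("testApp", private_token)                 # point-to-point subscriber
        hacker_accepted = dest.subscribe("hackerApp", WILDCARD)  # "*" snooping attempt
        delivered = dest.publish(private_token, "hello, only for testApp")
        results[name] = {
            "hacker_subscribed": hacker_accepted,
            "received_by": sorted(delivered),
        }
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```

On the regular destination the “*” subscription is accepted and the private message is delivered to both clients; on the protected destination the wildcard subscription is rejected at subscribe time, so only the intended subscriber receives it. Note that the check runs when the subscription is made, not when each message is published, which is also where BlazeDS’s allowSubscribe hook sits.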

I hope this is helpful for those using messaging. Let me know what you think.

Blazing Fast Data Transfer in Flex

A while back I created the Census RIA Benchmark to illustrate the benefits of having both a high performance client VM and a binary serialization protocol. These factors combined lead to significantly faster data transfer and rendering for large datasets in rich Internet applications. Recently I created an Adobe TV video that walks through Census and how to use Flex and BlazeDS to take advantage of these benefits. Check it out and let me know what you think.

Note: If you run Census in Firefox 3 there is a bug with iframes causing the tests to not run until you click on the results panel on the right.

Download the Flex and Spring Integration Refcard

UPDATE: There is a new version of the Refcard available:
Flex 4, Hibernate 3, and Spring 3 Integration

DZone has just published a new Refcard “Flex & Spring Integration” written by Jon Rose and me. This is the second Refcard I’ve written. The first was “Very First Steps in Flex,” which was a few chapters from First Steps in Flex written by Bruce Eckel and me. Working on the Flex & Spring Integration Refcard was fun because I was able to learn more about the new Spring BlazeDS Integration project from SpringSource. I’ve been really impressed with how easy it is to integrate Flex and Spring together. Another great resource for learning how to integrate Flex and Spring is Christophe Coenraets’ Spring BlazeDS Integration Test Drive. It contains a bunch of great examples that will help you better understand how to get everything set up and working.

Let me know what you think about the Refcard. I hope it’s useful for you!

Take the Tour de Flex

Over the past few months Greg Wilson, Christophe Coenraets, and I have been hard at work on a secret project. So today we are proud to announce that the new Tour de Flex has just gone live! Tour de Flex showcases the capabilities of Flex, BlazeDS, LCDS, Adobe AIR, and Flash Player (now collectively called the Adobe Flash Platform).

Like the old Flex Component Explorer, Tour de Flex can be used to find components. But it goes way beyond just out-of-the-box Flex components. This first release contains 217 components and samples including popular Cloud APIs like Salesforce.com and Intuit, numerous community components from people like Doug McCune and Tink, commercial components from companies like ILog, and numerous other goodies. If you find something missing you can submit it!

Also in this release is an Eclipse / Flex Builder plugin which allows you to find components from inside Flex Builder!

We hope the Tour de Flex will provide an easy way for you to find components and see what is great about the Adobe Flash Platform. Give it a try and let us know what you think!