Using HTTP Authorization headers with Flash

Tuesday 9 May 2006  –  Filed under: Flash  –  4 Comments

Today, I needed a way to load XML data from a password protected source (user: testuser, pass: testpass), preferably without a login popup. So I have been poking around in the HTTP header specs and found a solution by using the Authorization field.

In essence it is - like most things - quite simple. I guess this has been done a thousand times before, but the Flash related sources on this topic were very sparse.

When accessing a password protected source on a server, that server will challenge the client with a so-called WWW-Authenticate field in the response header. The client then has to answer that challenge correctly and access is granted.

The W3C has written a lengthy document on this, describing the details of the authorization system. What I needed, though, was a way to avoid the WWW-Authenticate challenge altogether and access the data immediately. This can be done by adding an Authorization field to the HTTP header when making the initial request.

Luckily, Flash supports custom HTTP headers through the addRequestHeader method (for both the XML and LoadVars class). Using this method, you can add the correct field to the HTTP header during the initial request, supplying the server with the right credentials, so the protected data is transferred immediately.

One thing to keep in mind is the way the content of the Authorization field is constructed. This depends on the server, but is usually based on the ‘basic’ scheme. This means that the full Authorization request is constructed like so:

BASIC username:password

Note that the username:password part has to be Base64 encoded. I have included some sample code below, demonstrating both the use of a Base64 encoding class and the .addRequestHeader method of the XML object:

    var pass:String = "testuser:testpass";
    // Base64 is the helper class included in the source download
    pass = Base64.Encode(pass);

    var xmlReceiver:XML = new XML();
    xmlReceiver.onLoad = function( success:Boolean ) {
        trace("XML loaded: " + success + "\n\n" + this);
    };

    var xmlSender:XML = new XML();
    // scheme name, one space, then the Base64-encoded credentials
    xmlSender.addRequestHeader("Authorization", "BASIC " + pass);
    xmlSender.sendAndLoad("http://www.martijndevisser.com/xmltest/settings.xml", xmlReceiver);

Download the source files here (includes Base64 class).

Please bear in mind that:

  • This solution does not work from a browser environment. It should work from a standalone executable though (that is what I needed). UPDATE - the problem with a browser environment is that the browser strips the “Authorization” field from the header, thus triggering the login popup to appear. I do not know the rationale behind this behaviour, but I experienced it in both IE and FF.
  • Also, this code will not work when the server you send the request to uses an authorisation scheme other than BASIC.
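
The header construction described above, together with the server-side parse, as an added example that is not part of the original post. It is written in JavaScript for Node.js rather than ActionScript, the function names are hypothetical, and the credentials are the post's own test values. It follows the usual Basic rules (scheme name case-insensitive, one space before the token, split on the first colon) and shows that the token decodes straight back to the password, so the header is only as private as the connection carrying it.

```javascript
// Added example (not from the original post). Function names are
// hypothetical; the credentials are the post's test values.

// Build the header value: scheme, ONE space, Base64 of "user:pass".
function buildBasicHeader(user, pass) {
  if (user.includes(":")) {
    // The first colon separates user from password, so the user-id
    // itself cannot contain one.
    throw new Error("user-id must not contain ':'");
  }
  const token = Buffer.from(user + ":" + pass, "utf8").toString("base64");
  return "Basic " + token;
}

// Parse the header the way a server would. Returns {user, pass} or null.
function parseBasicHeader(value) {
  // The scheme name is case-insensitive ("BASIC" and "Basic" both match),
  // but whitespace between scheme and token is mandatory.
  const m = /^basic +([A-Za-z0-9+\/]+=*)$/i.exec(value.trim());
  if (!m) return null; // other scheme, or scheme and token run together
  // Base64 is an encoding, not encryption: this recovers the cleartext.
  const decoded = Buffer.from(m[1], "base64").toString("utf8");
  const colon = decoded.indexOf(":");
  if (colon < 0) return null;
  // Split on the FIRST colon only, because passwords may contain ':'.
  return { user: decoded.slice(0, colon), pass: decoded.slice(colon + 1) };
}

const header = buildBasicHeader("testuser", "testpass");
console.log(header);
console.log(parseBasicHeader(header));                     // credentials recovered
console.log(parseBasicHeader("BASIC" + header.slice(6)));  // no space: rejected
console.log(parseBasicHeader('Digest username="testuser"')); // other scheme: rejected
```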

4 Responses

  1. Sidney de Koning says:

    Hi Martijn,

    In your code example you say “BASIC” is that correct or should it be just “BASIC”?

    I’m running into the same problem with an AIR application and I need to authenticate xml from HTTPS. I have found no way around this. Any thoughts on this?

    Thanks,

    Sidney

  2. Martijn de Visser says:

    Hi Sidney - yes, it should be “BASIC”, without the space after basic. I have corrected the sample, thanks for letting me know.

    Regarding authenticating with AIR: can’t help you with that one, try posting on the Adobe forums in the AIR labs section, perhaps someone else stumbled upon the same issue and found a solution.

  3. Bob says:

    I can’t seem to get this working with Flash CS3. I have BASIC Authentication up and running and have used Curl to confirm it works but every time I send a request from my Flash movie it returns the HTML of the Login page instead of the XML it should return.

    I realize this post is old but one of the comments is from only a couple months ago.

    Do you have any idea what I might be doing wrong?

    Thanks,
    Bob

  4. Bob says:

    Well, I’ve kind of figured it out, at least using Flash player. One thing that was wrong was I was missing the space between “Basic” and “pass”. This goes directly against what is mentioned in earlier comments. Oh well, it works for me. Also, I was missing the Base64 class. I know next to nothing about Flash (I’m a Java geek) and thought Base64 was an included library.

    So now it works in Flash Player … which is absolutely useless to me unless it will work in a browser. Does your comment still stand, ‘This solution does not work from a browser environment.’? I am hoping that since that was 2 years ago it would no longer be the case. But when I run this movie in FF2 or IE7 it does nothing.

    Fantastic. The good folks at Acegi / Spring made a fantastic application that transparently secures your application, and because of this bug I have to trash it all and roll my own … again.

    Or perhaps not?

    Bob
