Fixing File upload session issue with non IE browsers

I did a lot of learning this passed week about security and how to protect web applications written in HTML and Flex against various attacks. I would like to prepare an entire lecture on the subject but I thought I'd share one particular topic on my blog for now.

The topic I want to talk about is securing file uploads to a server via Flex. If you have added file upload functionality to a Flex application you have probably run into the issue of session information being lost during the upload. And this makes server-side security validation a big issue.

Note: This problem description and solution is using Java application server running BlazeDS or LCDS.

The problem

The problem occurs whenever you perform a file upload using Flex. I'm not going to write all the lines of code here, but basically the following lines of code will do the trick:

var req:URLRequest = new URLRequest();

req.method = URLRequestMethod.POST;

req.data = someData;

var fileReference:FileReference = new FileReference();

fileReference.upload( req, "/phoenix/FileServlet" );

Those lines of code will upload whatever file the user selected to the FileServlet servlet under the phoenix context. Under non-IE browsers this operation will occur in a different browser thread thus causing a different session to be created on the server-side. Thus the application session and upload session are different and are not sharing information. This is basically the root cause of the problem. This means that if you wanted to retrieve the login name of the user currently authenticated, you will get no value. So the following line of code will return NULL:

request.getRemoteUser();

Also if you try to validate that the user has the appropriate role using the standard request.isUserInRole( "UPLOAD_ROLE" ); method call, it will always return FALSE. Needless to say this is a critical issue from a security perspective as you need to know who is doing the file upload and if he is allowed to perform the operation. Without this information basically anybody can perform a file upload request and in some cases with malicious intent.

The solution

Since a new session is being created for the file upload operation, we need to tell the server to associate this session with our existing authentication session. We accomplish this in two parts, first by giving Flex our server session ID and then sending it back during the file upload. Here are the details of these two operations.

Sending back the server-session ID

Right after the Flex application initializes, call the remote server method to retrieve the server-session ID. In Java the remote method will look like this:

public String getSessionInfo()

{

return FlexContext.getFlexSession().getId();

}

Sending the session ID during the upload operation

Now that you have the session ID, you need to send it back with the call to the FileServlet along with the session cookie name. So from our sample above, the following line:

fileReference.upload( req, "/phoenix/FileServlet" );

Should be changed to:

fileReference.upload( req, "/phoenix/FileServlet;cookieName=" + sessionID );

Note: The variable cookieName needs to be the actual session cookie name you have configured for your Java web application (ex.: myappcookie).

So now, when the file upload operation occurs it will send back the session ID along with the file and so the server will associated that with your existing authenticated session. Now you can retrieve the login name of the currently authenticated user and validate that the user has the appropriate roles (see sample code above).

Flexcommon 1.2 released

I have just uploaded the latest version (1.2) of my FlexCommon library to its home on GoogleCode. This latest release contains the following changes:

• Compiled with Flex 3.2

I dont see this as a problem and should allow a wider audience to use the library.

• DataComboBox

This is an extension of the ComboxBox control. Lots of times we set the dataProvider and then want to set the selectedIndex based on some value withing the dataProvider. For this purpose I have created the DataComboBox control, which has two new properties: dataField and dataValue. The dataField property tells the control which property within each item of the dataProvider to examine and the dataValue property is the value to compare against. Once a match is found. the selectedIndex is set. See the documentation for an example.

• New StringUtils.isNumeric() method

New convenience method to determine if a string contains only numeric digits.

• Comes with en_US and fr_CA language bundles

All the error messages returned by validators are now contained with resource bundles: en_US (English) - the default - and fr_CA (French). You can of course create your own and if you wish to submit it to me I will include it!

Fixing the "unable to export SWC oem" error in Flash Builder

If you created a project using Flex Builder 3 and wish to upgrade it to Flash Builder 4, you might see the following error in the Eclipse "Problems" view when you attempt to compile for the first time:

unable to export SWC oem.

I read on several sites how to fix the problem but here is my little piece of details with step-by-step instructions:

1. Shutdown eclipse
2. Using your favorite text editor, open the .flexLibProperties file in the root of your project
3. Erase all lines between the <includeResources> tags and just replace with an empty version of that tag (e.x.: <includeResources/>)
4. Save updated .flexLibProperties file
5. Start eclipse
6. Use the clean and build options under the "Project" menu
   

And voila, your project now compiles under Flash Builder 4

Enjoy!

Open Source Week in Montreal (MonDev)

For those interested, "Open Source Week' is happening this month in Montreal from May 24th to the 28th, also known as MonDev. Go to the site to see what topics and being presented and to register as a speaker if that interests you.