Adobe Flash Player 901150 Onwards Allows Setting Authorization Http Header
06 Jan 2009--- layout: post status: publish published: true title: Adobe Flash Player 9.0.115.0 onwards allows setting Authorization HTTP header author: display_name: Abdul Qabiz login: admin email: [email protected] url: http://www.abdulqabiz.com author_login: admin author_email: [email protected] author_url: http://www.abdulqabiz.com wordpress_id: 422 wordpress_url: http://www.abdulqabiz.com/wordpress/?p=422 date: ‘2009-01-06 15:50:00 +0530’ date_gmt: ‘2009-01-06 10:20:00 +0530’ categories: - Actionscript tags: - Adobe - flash - flashplayer - http - authorization - header - as3httpclient comments: - id: 2017 author: Platfuse author_email: [email protected] author_url: http://www.platfuse.com date: ‘2009-01-27 13:35:49 +0530’ date_gmt: ‘2009-01-27 08:05:49 +0530’ content: “For Flash Player 9.0.115+ when sending HTTP headers â\x80\x9Ccrossdomainâ\x80\x9D as you know a crossdomain.xml with allow-http-request-headers-from set appropriately.\n
If the crossdomain.xml file is protected by Basic Authentication, you keep getting the Basic Authorization popup. Expose crossdomain.xml and make it unsecured. Example a folder ‘above’ the secured folder - i.e. http://anyDomain.com/secured/myservices
\nand your crossdomain should be at http://anyDomain.com/crossdomain.xml, which would load the crossdomain from the root of the ‘service’ web server)
\n
About SENDING basic authentication
\n------------------------------------
\n
\nimport mx.utils.Base64Decoder;
\nimport mx.utils.Base64Encoder;
\nimport mx.rpc.events.ResultEvent;
\nimport mx.controls.Alert;
\nimport flash.system.;
\n
\nimport flash.events.;
\nimport flash.net.URLLoader;
\nimport flash.net.URLRequest;
\nimport flash.net.URLRequestHeader;
\nimport flash.net.URLRequestMethod;
\nimport flash.net.URLVariables;
\n
/* pass authorization header with urlRequest */
\npublic function doURLRequest():void {
\nvar loader:URLLoader = new URLLoader();
\nconfigureListeners(loader);
\n// the username and password for authentication
\nvar creds:String=\“admin:password\”;
\n
\nvar request:URLRequest = new URLRequest(\“http://anyDomain.com/secure/blank.html\”);
\nrequest.data = new URLVariables(\“name=Plat+Fuse\”);
\nrequest.method = URLRequestMethod.GET;
\n
\nvar header:URLRequestHeader;
\n
\nvar encoder:Base64Encoder = new Base64Encoder();
\nencoder.encode(creds);
\nvar encodedCreds:String=encoder.toString();
\n
header = new URLRequestHeader(\“Authorization\”, \“Basic \” + encodedCreds);
\nrequest.requestHeaders.push(header);
\nheader = new URLRequestHeader(\“Content-Type\”, \“application/x-www-form-urlencoded\”);
\nrequest.requestHeaders.push(header);
\ntry {
\nloader.load(request);
\n} catch (error:Error) {
\ntrace(\“Unable to load requested document.\”);
\n}
\n}
\n
private function configureListeners(dispatcher:IEventDispatcher):void {
\ndispatcher.addEventListener(Event.COMPLETE, completeHandler);
\ndispatcher.addEventListener(Event.OPEN, openHandler);
\ndispatcher.addEventListener(ProgressEvent.PROGRESS, progressHandler);
\ndispatcher.addEventListener(SecurityErrorEvent.SECURITY_ERROR, securityErrorHandler);
\ndispatcher.addEventListener(HTTPStatusEvent.HTTP_STATUS, httpStatusHandler);
\ndispatcher.addEventListener(IOErrorEvent.IO_ERROR, ioErrorHandler);
\n}
\n
private function completeHandler(event:Event):void {
\nvar loader:URLLoader = URLLoader(event.target);
\nAlert.show(\“completeHandler: \” + loader.data);
\n}
\n
private function openHandler(event:Event):void {
\ntrace(\“openHandler: \” + event.toString());
\n}
\n
private function progressHandler(event:ProgressEvent):void {
\ntrace(\“progressHandler loaded:\” + event.bytesLoaded + \” total: \” + event.bytesTotal);
\n}
\n
private function securityErrorHandler(event:SecurityErrorEvent):void {
\nAlert.show(\“securityErrorHandler: \” + event.toString());
\n}
\n
private function httpStatusHandler(event:HTTPStatusEvent):void {
\ntrace(\“httpStatusHandler: \” + event.toString());
\n}
\n
private function ioErrorHandler(event:IOErrorEvent):void {
\nAlert.show(\“ioErrorHandler: \” + event.toString());
\n}
\n//
\n]]>
\n
\n
\n
\n/*
\nThe key is you need to\n
set request.data or the headers will not get sent:
\n# request.data = new URLVariables(â\x80\x9Dname=Plat+Fuseâ\x80\x9D);
\n
Make the request a POST, not a GET
\n# request.method = URLRequestMethod.POST;\
\n*/
\n” - id: 2018 author: Abdul Qabiz author_email: [email protected] author_url: http://abdulqabiz.com/blog/ date: ‘2009-03-07 02:01:53 +0530’ date_gmt: ‘2009-03-06 20:31:53 +0530’ content: | \@Platfuse Thanks for update, just curious is it solution or a problem here? Never mind, I am not top on Flash world these days. Thanks -abdul - id: 2019 author: Christian Boese author_email: [email protected] author_url: ‘’ date: ‘2009-03-17 19:22:34 +0530’ date_gmt: ‘2009-03-17 13:52:34 +0530’ content: ‘Do I understand it right: There still ist no way to send an HTTP-Basic Authorization Header with a GET Request? I tried a lot of things and still (even with the new player) couldn’‘t get it to work withthe standard URLRequest. With HTTPURLRequest (thanks again for the code!) it works (given a good crossdomain-file served on port 843). ‘ - id: 2020 author: Abdul Qabiz author_email: [email protected] author_url: http://abdulqabiz.com/blog/ date: ‘2009-03-17 19:28:24 +0530’ date_gmt: ‘2009-03-17 13:58:24 +0530’ content: | \@Christian AFAIK, yeah there is no way to send HTTP AUTH headers over GET request. Great to hear, code still works. Thanks for using it. You can check out the latest at: http://code.google.com/p/as3httpclient Thanks -abdul - id: 2021 author: Danny author_email: [email protected] author_url: ‘’ date: ‘2009-03-25 07:55:14 +0530’ date_gmt: ‘2009-03-25 02:25:14 +0530’ content: | I’ve been struggling with this issue. Objective is to interact with the google calendar api which requires a name/password login, then getting a key from the response and using it as the auth token in the Authorization header of subsequent requests. As you say, the flash players from 9.0.115 and beyond now allow the setting of the authorization header however, the GET requests can’t have the auth header so it has to be a POST with request data. If it doesn’t have request data, then it gets converted from a POST to a GET and say bye to the auth header. Adding request data, however, messes up the use of the Google Calendar API as far as I can tell, which expects zero content. I’ve pinged Matt Chotin and he responded that the browsers implementing the flash plugin take some responsibility for the problems so its not something Adobe can readily fix. Still, does that mean Flex can’t interface with all the great network api’s out there? Your socket approach holds promise to get around the problem, but it would be a big project to take on to do it right and my vote would be on Adobe taking it on unless they can pressure the browswer guys. I guess it would be a “brute force” approach to getting http auth instead of using higher level apis of the browswer products. So as it is, I can use AIR just fine, which uses hooks to windows (in my case) to send the http auth, but no hope on the horizon for flex apps. I’ll give your socket code a try to achieve this, but not sure the long term potential or maintainability. thanks for your work, Danny - id: 2022 author: Abdul Qabiz author_email: [email protected] author_url: http://abdulqabiz.com/blog/ date: ‘2009-03-25 08:44:22 +0530’ date_gmt: ‘2009-03-25 03:14:22 +0530’ content: | \@Danny You are right, doing HTTP Auth over HTTP/GET is not possible with Flash Player as of now. I just figured out, some folks found my class useful. http://www.scoop.uk.com/index.php/general/scoop-beta-033/2008/12/ You might want to ask them, how they used it. If they modified the code, would they want to share it with you? Thanks -abdul - id: 2023 author: Danny author_email: [email protected] author_url: ‘’ date: ‘2009-03-31 19:34:05 +0530’ date_gmt: ‘2009-03-31 14:04:05 +0530’ content: | Hi Abdul, I’ve been trying out your socket based httpclient. It works well but for the application I’m working on, it faces a problem with google responding with a 302 not found/redirect before the cookie/sessionkey is available. In this case a normal http client redirects “under the covers” but I’ve found your client doesn’t automagically handle redirects. I’ve also seen the defect list where it is highlighted. Before I write a 302 handler, could you tell me if you’ve addressed or are planning to address this feature? I imagine there are numerous other low level conditions that need handling, and the wish list could be long, although my application is limited to interfacing with some google apis and possibly amazon s3 apis. Are there other “abnormal” response codes that folks have flagged with your client? I saw your input to the blog input to Scoop (users of your framework). I don’t think they should have a problem with original auth using https. In my app, I do first login with https using the normal flex/air httpservice, then use your client for subsequent calls which require setting the auth header returned from the original httpservice based login. I’m not sure exactly the app their using but I think using your framework in concert with the flex one can get around many problems. thanks again, Danny - id: 2024 author: Billigflüge author_email: [email protected] author_url: http://www.charterticket.de date: ‘2009-04-17 13:57:31 +0530’ date_gmt: ‘2009-04-17 08:27:31 +0530’ content: | Hello, thank you for this great work. It helped me solving some authorization problems I had with my site. - id: 2025 author: april author_email: [email protected] author_url: ‘’ date: ‘2009-05-12 07:41:48 +0530’ date_gmt: ‘2009-05-12 02:11:48 +0530’ content: | Can I use the same method connect to https server? why I always get IO error? Thanks! April - id: 7364 author: mcpd tests author_email: [email protected] author_url: http://www.mcpdtests.com/ date: ‘2010-03-10 17:49:00 +0530’ date_gmt: ‘2010-03-10 12:19:00 +0530’ content: hello julia here..Ensure that you have the latest version of Flash Player installed by clicking here to check the version. The current version of Flash Player 9 for Windows, Macintosh, and Linux operating systems is 9.0.115.0. The current version of Flash Player 9 for Solaris operating systems is 9.0.47.0. ---
There were some issues with some earlier version of players, where it was not possible to set Authorization http-header for HTTP/GET requests. I tried to hack a way to do it using Socket or custom http-client in actionscript.
I just happened to read one of the technotes at Adobe’s site, which says Authorization header is allowed for Flash Player 9.0.115.0 onwards. If you are trying to send request to another domain (different from the one hosting the SWF), a crossdomain-policy file is required.
