Every major release of LCDS goes through an external security audit; the report is available in the LCDS product PDF portfolio (which also includes a useful performance brief).
The LCDS attack surface is very small, but there are a number of things to consider:
- Use AMF in production rather than AMFX (AMF is also the better choice for performance, as it handles large, complex object graphs more efficiently).
- If you are using AMFX, use LCDS 3.1, which fixes a number of known XML vulnerabilities. If you are unable to upgrade to LCDS 3.1, apply this security patch.
- Use secure channels (refer to Using LiveCycle Data Services ES2 Version 3.1).
- If you are using the proxy service, secure it as described in this post.
- If you are concerned about XSS attacks, validate incoming client data on the server using a custom queue processor (refer to Using LiveCycle Data Services ES2 Version 3.1).
- Try to ensure end users are on the latest Flash Player.
- Ensure RDS is not enabled in production (comment out the RDSDispatchServlet definition and its servlet-mapping in web.xml).
- Make sure your application server is hardened according to the vendor's best practices (also see Hardening and Security for LiveCycle ES, which gives some general recommendations).
There are a number of useful resources that discuss security:
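Two of the points above, disabling RDS in web.xml and serving clients over secure channels, can be checked mechanically against the deployment descriptors. The script below is an added example written for this page; it is not LCDS code and is not from the original post. The web.xml and services-config.xml it parses are constructed samples, and the RDS servlet class `flex.rds.server.servlet.FrontEndServlet` and url-pattern `/CFIDE/main/ide.cfm` are assumptions modelled on a stock LCDS descriptor; substitute whatever your deployment actually uses.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml with RDS still wired up. Servlet class and
# url-pattern are assumptions modelled on a stock LCDS descriptor.
WEB_XML_RDS_ON = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>RDSDispatchServlet</servlet-name>
    <servlet-class>flex.rds.server.servlet.FrontEndServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>RDSDispatchServlet</servlet-name>
    <url-pattern>/CFIDE/main/ide.cfm</url-pattern>
  </servlet-mapping>
</web-app>"""

# Same descriptor with the servlet and its mapping commented out, as recommended.
WEB_XML_RDS_OFF = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <!-- RDS disabled for production
  <servlet>
    <servlet-name>RDSDispatchServlet</servlet-name>
    <servlet-class>flex.rds.server.servlet.FrontEndServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>RDSDispatchServlet</servlet-name>
    <url-pattern>/CFIDE/main/ide.cfm</url-pattern>
  </servlet-mapping>
  -->
</web-app>"""

# Constructed services-config.xml: plain AMF (the default channel), SecureAMF
# over HTTPS, and an HTTP channel, which carries AMFX rather than AMF.
SERVICES_CONFIG = """<services-config>
  <channels>
    <channel-definition id="my-amf" class="mx.messaging.channels.AMFChannel">
      <endpoint url="http://{server.name}:{server.port}/{context.root}/messagebroker/amf"/>
    </channel-definition>
    <channel-definition id="my-secure-amf" class="mx.messaging.channels.SecureAMFChannel">
      <endpoint url="https://{server.name}:{server.port}/{context.root}/messagebroker/amfsecure"/>
    </channel-definition>
    <channel-definition id="my-http" class="mx.messaging.channels.HTTPChannel">
      <endpoint url="http://{server.name}:{server.port}/{context.root}/messagebroker/http"/>
    </channel-definition>
  </channels>
  <default-channels>
    <channel ref="my-amf"/>
  </default-channels>
</services-config>"""

def _local(tag):  # drop the namespace: '{ns}servlet' -> 'servlet'
    return tag.rsplit("}", 1)[-1]

def _find_all(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]

def _text(el, name):
    """Text of the first direct child called `name`, or ''."""
    return next(((c.text or "").strip() for c in el if _local(c.tag) == name), "")

def rds_status(web_xml):
    """(rds_servlet_defined, [url-patterns mapped to it]); commented-out XML is invisible."""
    root = ET.fromstring(web_xml)
    rds = {_text(s, "servlet-name") for s in _find_all(root, "servlet")
           if _text(s, "servlet-name") == "RDSDispatchServlet"
           or _text(s, "servlet-class").startswith("flex.rds.")}
    patterns = [_text(m, "url-pattern") for m in _find_all(root, "servlet-mapping")
                if _text(m, "servlet-name") in rds]
    return (bool(rds), patterns)

def channel_findings(services_config):
    """Map channel id -> reasons it should not reach production (flagged channels only)."""
    root = ET.fromstring(services_config)
    defaults = {c.get("ref") for d in _find_all(root, "default-channels")
                for c in d if _local(c.tag) == "channel"}
    findings = {}
    for chan in _find_all(root, "channel-definition"):
        cid, cls = chan.get("id"), chan.get("class", "")
        urls = [e.get("url", "") for e in _find_all(chan, "endpoint")]
        reasons = []
        if not urls or not all(u.lower().startswith("https://") for u in urls):
            reasons.append("endpoint is not HTTPS")
        if cls.endswith("HTTPChannel"):  # HTTPChannel and SecureHTTPChannel speak AMFX
            reasons.append("HTTP channel carries AMFX; prefer AMF")
        if reasons and cid in defaults:  # clients fall back to this channel by default
            reasons.append("listed in default-channels")
        if reasons:
            findings[cid] = reasons
    return findings

def audit(web_xml, services_config):
    """Flat list of findings across both descriptors; empty means both checks pass."""
    out = []
    defined, patterns = rds_status(web_xml)
    if defined:
        out.append("RDS servlet defined in web.xml, mapped at " + (", ".join(patterns) or "(no mapping)"))
    for cid, reasons in channel_findings(services_config).items():
        out.extend("channel %s: %s" % (cid, r) for r in reasons)
    return out

if __name__ == "__main__":
    for line in audit(WEB_XML_RDS_ON, SERVICES_CONFIG):
        print("FINDING:", line)
```

Run as-is it reports five findings against the sample descriptors: the RDS mapping, the plain AMF channel (which is also the default channel) and the AMFX-carrying HTTP channel. Swapping in WEB_XML_RDS_OFF clears the RDS finding, because the parser never sees a commented-out servlet, which is exactly the behaviour the web.xml advice relies on. Point it at real files by reading them into the two arguments of audit().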
The following tools can be used to help find and fix security vulnerabilities:
Today I spoke at Scotch on the Rocks. My presentation provided an introduction to Data Management. You can download my slides from here and the demo app from here.
The demo provides 5 applications:
Main – vanilla Data Management application – it doesn't get any simpler than this
Main1 – adds autoCommit="false" and revertChanges()
Main2 – adds createItem()
Main3 – adds deleteItem()
Main4 – adds conflict handling
Thanks to everyone who attended.
As we step further into the enterprise, we find that more and more of our customers are using WebSphere Application Server (WAS).
When using Flex Data Services (FDS) on WAS you must modify your Flex configuration if you want to use RTMP. I thought it would be beneficial to other developers taking their first tentative steps with FDS and WAS to walk through the steps necessary to deploy a Flex-based application on WAS. I have written this entry against WebSphere Application Server Base V6, IBM's commercial application server, for which you pay a licence fee. I haven't used the Community Edition of WAS, which is based on Apache Geronimo; I hope to see Geronimo as a supported application server in the future.
I am currently writing a demonstrator application for MAX 2006, where I will be presenting on security. As part of the application I want to show the propagation of the user's identity from the Web container, in which Flex executes, to the EJB container, where business logic could be executing. Rather than write a remote Java object that acts as a business delegate, I have written an EJB factory for Flex, which is now available for download on the Flex Exchange. The EJB factory allows Flex to call an EJB directly.