Macromedia flash media server 2-managing flash media server ユーザーズマニュアル
JavaScript security
223
Asynchronous system calls
In Flash Media Server, application developers can implement asynchronous system calls,
where the caller is unprivileged and relies on a system call to set up and complete the call. The
callback must remain unprivileged. This coding is useful when a system object is trying to
wrap and hide a network connection.
where the caller is unprivileged and relies on a system call to set up and complete the call. The
callback must remain unprivileged. This coding is useful when a system object is trying to
wrap and hide a network connection.
// in secure.asc ...
sysobj.remoteCall = function(func, responder, arg1, arg2, ...) {
// validate/modify args ...
sysobj.remoteCall = function(func, responder, arg1, arg2, ...) {
// validate/modify args ...
var sysResponder = {};
sysResponder.sysobj = this;
sysResponder.userResponder = responder;
sysResponder.onResult = function(res) {
// Modify/validate res ...
// Perform any other 'privileged' funcs ...
// Remove any access to system object.
this.sysobj = null; delete this.sysobj;
// Pass on the result to the user callback.
this.userResponder.onResult(res);
}
this._nc.call(func, sysResponder, arg1, arg2, ...);
}
...
system = protectObject( sysobj );
...
sysResponder.sysobj = this;
sysResponder.userResponder = responder;
sysResponder.onResult = function(res) {
// Modify/validate res ...
// Perform any other 'privileged' funcs ...
// Remove any access to system object.
this.sysobj = null; delete this.sysobj;
// Pass on the result to the user callback.
this.userResponder.onResult(res);
}
this._nc.call(func, sysResponder, arg1, arg2, ...);
}
...
system = protectObject( sysobj );
...
T
he call would be invoked from the normal application code as:
system.remoteCall("foo", myOnResult, arg1, arg2);
In Flash Media Server, an asynchronous call triggered by the application code is never defined
as privileged. The following example shows how application developers can ensure that the
asynchronous calls set within the system object can be completed as privileged or
unprivileged.
as privileged. The following example shows how application developers can ensure that the
asynchronous calls set within the system object can be completed as privileged or
unprivileged.
// within some system call implementation ...
var resultObj = {};
resultObj.sysobj = this;
resultObj.onResult = function(res) {
var resultObj = {};
resultObj.sysobj = this;
resultObj.onResult = function(res) {
//use the stashed sys obj to do
// some privileged action ...
// some privileged action ...
}
this._nc.call("foo", resultObj, ...);
this._nc.call("foo", resultObj, ...);