I needed a way to load XML data from a password protected source (user: testuser, pass: testpass), preferably without a login popup.
So I have been poking around in the HTTP header specs and found a solution by using the Authorization field.
In essence it is – like most things – quite simple. I guess this has been done a thousand times before, but the Flash related sources on this topic were very sparse.
When accessing a password protected source on a server, that server will challenge the client with a so-called WWW-Authenticate field in the response header. The client then has to answer that challenge correctly and access is granted.
The W3C has written a lengthy document on this, describing the details of the authorization system.
What I needed though, was a way to prevent the WWW-Authenticate request from happening and access the data immediately. This can be done by adding an Authorization field to the HTTP header when making the initial request.
Luckily, Flash supports custom HTTP headers through the addRequestHeader method (for both the XML and LoadVars class). Using this method, you can add the correct field to the HTTP header during the initial request, supplying the server with the right credentials, so the protected data is transferred immediately.
One thing to keep in mind is the way the content of the Authorization field is constructed. This depends on the server, but is usually based on the basic’ scheme. This means that the full Authorization request is constructed like so:
BASIC username:password
Note that the username:password part has to be Base64 encoded. I have included some sample code below, demonstrating both the use of a Base64 encoding class and the .addRequestheader method of the XML object:
1. var pass:String = "testuser:testpass";
2. pass = Base64.Encode(pass);
3.
4. var xmlReceiver:XML = new XML();
5. xmlReceiver.onLoad = function( success:Boolean ) {
6. trace("XML loaded: " + success + "\n\n" + this);
7. }
8.
9. var xmlSender:XML = new XML();
10. xmlSender.addRequestHeader("Authorization","BASIC " + pass);
11. xmlSender.sendAndLoad("http://www.martijndevisser.com/xmltest/settings.xml", xmlReceiver);
(Download snippet: /code/http_authorize.txt )
Download the source files here (includes Base64 class).
Please bear in mind that:
Tag:
Add to Del.icio.us | Digg | Yahoo! My Web | Furl
Martijn de Visser focuses on User Experience Design at Lost Boys in
Amsterdam. There he works on media-rich online campaigns, Rich
Internet Applications and desktop tools for clients such as KLM,
Heineken, Nuon, Volkswagen and Hi. He maintains a blog at
www.martijndevisser.com and works on various projects such as FLV
Player and Screenweaver Open Source.