Using HTTP Authorization headers with Flash

    October 13, 2006

I needed a way to load XML data from a password protected source (user: testuser, pass: testpass), preferably without a login popup.

So I have been poking around in the HTTP header specs and found a solution by using the Authorization field.

In essence it is – like most things – quite simple. I guess this has been done a thousand times before, but the Flash related sources on this topic were very sparse.

When accessing a password protected source on a server, that server will challenge the client with a so-called WWW-Authenticate field in the response header. The client then has to answer that challenge correctly and access is granted.

The W3C has written a lengthy document on this, describing the details of the authorization system.

What I needed though, was a way to prevent the WWW-Authenticate request from happening and access the data immediately. This can be done by adding an Authorization field to the HTTP header when making the initial request.

Luckily, Flash supports custom HTTP headers through the addRequestHeader method (for both the XML and LoadVars class). Using this method, you can add the correct field to the HTTP header during the initial request, supplying the server with the right credentials, so the protected data is transferred immediately.

One thing to keep in mind is the way the content of the Authorization field is constructed. This depends on the server, but is usually based on the basic’ scheme. This means that the full Authorization request is constructed like so:

BASIC username:password

Note that the username:password part has to be Base64 encoded. I have included some sample code below, demonstrating both the use of a Base64 encoding class and the .addRequestheader method of the XML object:

1. var pass:String = "testuser:testpass";
2. pass = Base64.Encode(pass);
4. var xmlReceiver:XML = new XML();
5.       xmlReceiver.onLoad = function( success:Boolean ) {
6.      trace("XML loaded: " + success + "\n\n" + this);
7. }
9. var xmlSender:XML = new XML();
10. xmlSender.addRequestHeader("Authorization","BASIC " + pass);
11. xmlSender.sendAndLoad("", xmlReceiver);

(Download snippet: /code/http_authorize.txt )

Download the source files here (includes Base64 class).

Please bear in mind that:

  • This solution does not work from a browser environment. It should work from a standalone executable though (that is what I needed). UPDATE – the problem with a browser environment is that the browser strips the “Authorize” field from the header, thus triggering the login popup to appear. I donot know the rationale behind this behaviour, but I experienced it in both IE and FF.
  • Also, this code will not work when the server you send the request to uses an authorisation scheme other than BASIC.
  • Tag:

    Add to | Digg | Yahoo! My Web | Furl

    Bookmark WebProNews:

    Martijn de Visser focuses on User Experience Design at Lost Boys in
    Amsterdam. There he works on media-rich online campaigns, Rich
    Internet Applications and desktop tools for clients such as KLM,
    Heineken, Nuon, Volkswagen and Hi. He maintains a blog at and works on various projects such as FLV
    Player and Screenweaver Open Source.