I spent quite a bit of time today getting a Adobe Flex application to login into a TurboGears site and I couldn’t find any good articles on how to get it to work correctly, after quite a bit of trial and error I was able to figure it out. Here’s quick post on my findings.
Form Fields
The main trick is to get the POST form parameters correct. The default TurboGears “identity.form” parameters in your app.cfg are:
identity.form.user_name="user_name" identity.form.password="password" identity.form.submit="login"
To mimic those POST fields in Flex here’s what the mx:HTTPService would look like:
<mx:HTTPService id="tg_login" method="POST" url="http://localhost:8080/"
result="handleResult(event)" fault="handleFault(event)" resultFormat="text">
<mx:request xmlns="">
<user_name>{username.text}</user_name>
<password>{password.text}</password>
<login>Submit</login>
</mx:request>
</mx:HTTPService>
Crossdomain.xml
One other issue you may come across while testing on your local computer is Flex trying to read the crossdomain.xml file.
Usually this file restricts what flash applications can post to your domain. That is a problem when testing since your Flex file is probably not hosted in your TurboGears project. (you would have to explicitly add it as a static file in order for it to be served)
To avoid this problem you can create this crossdomain.xml file to allow access from all domains. Put the file in your TurboGears project directory under the \static\ folder.
<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
To get that file hosted at the root of your site, you’ll need to add a static file entry in your app.cfg to include something that looks like this:
[/crossdomain.xml]
static_filter.on = True
static_filter.file = "%(package_dir)s/static/crossdomain.xml"
Technically you could host your flex application file(s) in this same way, but eclipse would still launch the flex file from the wrong location when you compile/test.
Other Notes
Once you’ve logged in to TurboGears with Flex, you should be able to access any “@identity.require” restricted data in from TurboGears in Flex.
When you are done with your development cycle and make your site public, you may want to remove crossdomain.xml from your site. Although, this only restricts clients that use the “honor system” and check for this file. If you want to truly restrict cross site scripting you should implement something on the backend.
You can download the Flex Source here: