Saturday, February 09, 2008

Restrict SharedObject Name

FluorineFx makes it extremely easy to get Remote SharedObjects up and running, but I found it difficult to intercept the requests made against the server. My main reason for needing to do this is security: you don't want clients to be able to create arbitrary shared objects all willy nilly, otherwise you're just asking to be smacked with a big, bad bandwidth stick. Unfortunately my calls for assistance were met with silence, but I don't expect much support from developers working under the alias "The Silent Group"! So I spent the last week digging deep into the source code and trying to unravel the mysteries behind the adapters, wrappers, brokers, contexts, connections, clients, and scopes.

Thankfully, today I solved the main part of the mystery, which is what this post is about. Here is the secret: add this to your application handler class (the one that derives from ApplicationAdapter):

Intercept SharedObject Additions

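    new public bool AddChildScope(IBasicScope scope)
    {
        // Refuse any shared object whose name is not the one we expect.
        if ("SharedObject" == scope.Type &&
            "expected_name" != scope.Name)
            return false;
        // Everything else goes through the default handling.
        return base.AddChildScope(scope);
    }
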
You'll want to change the if statement to suit your application, but otherwise this is how you wedge yourself in between a request and the creation of shared objects on the server. You still can't have your own class instantiated, but you can prevent rogue clients from utilizing arbitrary RO's. Also be aware that there is no way to distinguish whether the request is being made by a client or by your server code; it's all or nothing: either an object is available and shared with everything or it is completely unavailable.
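
One way to generalize the if statement beyond a single hard-coded name, shown as an added example that is not part of the original post or of FluorineFx: an allowlist of fixed names plus a capped family of prefixed names. The class SharedObjectPolicy, the names "lobby" and "room_", the 64-character limit and the cap of 2 are all assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical helper (not a FluorineFx type). Call it from AddChildScope:
//     if (!policy.IsAllowed(scope.Type, scope.Name)) return false;
public sealed class SharedObjectPolicy
{
    private readonly HashSet<string> _exact;   // fixed names the application uses
    private readonly string _prefix;           // family of dynamic names, e.g. "room_"
    private readonly int _maxDynamic;          // cap on distinct prefixed names
    private readonly HashSet<string> _seen = new HashSet<string>(StringComparer.Ordinal);
    private readonly object _lock = new object();

    public SharedObjectPolicy(IEnumerable<string> exact, string prefix, int maxDynamic)
    {
        _exact = new HashSet<string>(exact, StringComparer.Ordinal);
        _prefix = prefix;
        _maxDynamic = maxDynamic;
    }

    public bool IsAllowed(string scopeType, string scopeName)
    {
        if (scopeType != "SharedObject") return true;          // only shared objects are restricted
        if (string.IsNullOrEmpty(scopeName) || scopeName.Length > 64) return false;
        if (_exact.Contains(scopeName)) return true;           // case-sensitive exact match
        if (!scopeName.StartsWith(_prefix, StringComparison.Ordinal)) return false;
        lock (_lock)                                            // requests may arrive concurrently
        {
            if (_seen.Contains(scopeName)) return true;        // already admitted earlier
            if (_seen.Count >= _maxDynamic) return false;      // cap reached: refuse new names
            _seen.Add(scopeName);
            return true;
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        var policy = new SharedObjectPolicy(new[] { "lobby" }, "room_", 2);
        // Constructed sample names; the last two are refused (cap reached, not allowlisted).
        foreach (var name in new[] { "lobby", "room_1", "room_2", "room_3", "anything" })
            Console.WriteLine("{0}: {1}", name, policy.IsAllowed("SharedObject", name));
    }
}
```

The set of admitted dynamic names never shrinks in this sketch, so the cap counts every prefixed name ever admitted, not the number currently in use.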

On the client side, in ActionScript, you'll need to check the return value of the SharedObject class's connect() method, which gives back false on failure or true on success (despite what the documentation may say).
