- Methods must be defined in remoting-config to be called.
- Only public methods can be called.
- Secure methods by using security-constraints in remoting-config.xml. Add include-methods and exclude-methods tags for all public methods. Add security-constraints to each method.
- Read the Adobe BlazeDS security docs here.
- Remove the Service Browser and DiscoveryService service.
- Methods that start with an underscore are considered private and cannot be remotely called.
- Disable remote tracing and debugging headers by setting the PRODUCTION_SERVER property in gateway.php.
- Use the beforeFilter class to implement authorization controls. More info here.
- Enable authentication on the server, more info here.