
How to make a ChannelSet login() secure in flex

I recently had a look at the tutorial for custom authentication within a Flex application. The login is managed by getting the ChannelSet from a RemoteObject:

private function creationCompleteHandler():void {
    if (cs == null)
        cs = ServerConfig.getChannelSet(remoteObject.destination);
}

// Login and handle authentication success or failure.
private function ROLogin():void {
    // Make sure that the user is not already logged in.
    if (cs.authenticated == false) {
        token = cs.login("sampleuser", "samplepassword");
        // Add result and fault handlers.
        token.addResponder(new AsyncResponder(LoginResultEvent, LoginFaultEvent));
    }
}

After that the ChannelSet can be used with the login command of ChannelSet. How can I ensure that this is using a secure connection? I know that there is an AMF channel and a secure AMF channel. But how do I tell it to provide the credentials in a secure connection?


Typically a ChannelSet is defined with a group of channels that define a fail-over strategy, rather than as part of a secure/non-secure segmentation.

Mixing encrypted & non-encrypted channels in the same channelset doesn't really make sense.

When a channelSet has multiple channels defined, the Flex client will attempt to connect on the first, and gracefully fail through to the next, and the next until a connection is established, or all channels are exhausted.

If you want to have both secure & non-secure channels defined, you would typically define two channelsets - one for each:

<s:ChannelSet id="channelSet">
   <s:AMFChannel url="http://myserver:8080/myapp/messagebroker/amf" />
</s:ChannelSet>
<s:ChannelSet id="encryptedChannelSet">
   <s:SecureAMFChannel url="https://myserver:8080/myapp/messagebroker/amf" />
</s:ChannelSet>

public function logon():void
{
     // Credentials are passed via https
     encryptedChannelSet.login("username","password");
}

What isn't clear from the documentation is that assuming that both channelSet and encryptedChannelSet are part of the same messageBroker, the authentication state and user credentials are available across both channelSets.

I.e., although the client code suggests that credentials are supplied to only a single ChannelSet, on the server side, the FlexContext is what holds the authentication state, which is associated with the browser session, not a specific channel or channelSet.

So, after authenticating the encryptedChannelSet, destinations which are exposed to the channelSet which are secured and require user credentials are now accessible.
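
One way to enforce this on the client, as an added example that is not part of the original question or answer: the guard below refuses to call login() unless every channel in the ChannelSet reports https through its protocol property. The function names allChannelsSecure and secureLogin and the handler parameters are hypothetical.

```actionscript
import mx.messaging.Channel;
import mx.messaging.ChannelSet;
import mx.rpc.AsyncResponder;
import mx.rpc.AsyncToken;

// Returns true only if the set is non-empty and every channel reports "https".
// Fail-over tries the channels in order, so a single plain AMFChannel in the
// set is enough for login() to end up being sent over http.
private function allChannelsSecure(set:ChannelSet):Boolean {
    var list:Array = set.channels;
    if (list == null || list.length == 0)
        return false;
    for each (var ch:Channel in list) {
        // SecureAMFChannel reports "https"; AMFChannel reports "http".
        if (ch.protocol != "https")
            return false;
    }
    return true;
}

// Hypothetical wrapper around ChannelSet.login(): credentials are only handed
// to the ChannelSet after allChannelsSecure() has passed.
// resultHandler and faultHandler are caller-supplied callbacks (assumed names)
// with the signature function(event:Object, token:Object = null):void.
private function secureLogin(set:ChannelSet, user:String, pass:String,
                             resultHandler:Function,
                             faultHandler:Function):AsyncToken {
    if (!allChannelsSecure(set))
        throw new Error("Refusing login: ChannelSet contains a non-https channel");
    if (set.authenticated)
        return null; // already logged in, nothing is sent
    var t:AsyncToken = set.login(user, pass);
    t.addResponder(new AsyncResponder(resultHandler, faultHandler));
    return t;
}
```

With the two ChannelSets from the answer, secureLogin(encryptedChannelSet, ...) proceeds, while secureLogin(channelSet, ...) throws before any credentials leave the client.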
