Danny,
For deploying to AIR, take a look at
http://labs.adobe.com/wiki/index.php/AIR:HTML_Security_FAQ.
FYI. For Flex applications deployed to Flash Player, in the generic use case you have to look no farther than the existing web application security.
Since Flex applications run in Flash Player in an HTML wrapper, Flex utilizes the same security model as all web-based applications. The web application has a deployment descriptor (web.xml) that restricts resources based upon URL patterns, names the security roles that are allowed to access these resources, and names the users, or groups of users, in each role. Next, you choose an authentication method, typically BASIC or FORM-based. For FORM-based, you develop a login interface (in HMTL or Flex) that POSTs to the action 'j_security_check' which is defined in the Servlet API spec and recognized by the application servers HTTP server. Once authenticated, Flash Player then inherits the security context of the browser container and you are on your way.
The following docs provide more detail:
http://livedocs.adobe.com/flex/201/html/security2_117_01.html http://livedocs.adobe.com/livecycle/es/sdkHelp/programmer/lcds/security2_06.htmlI hope that helps.
Steve