3

I'm using as3httpclientlib to post data to my web service, but I'm continually getting the following security violation. Does anyone know how to resolve this? My crossdomain.xml file is below the security violation notice.

NOTE: I'm using apache to proxy requests to the web service, therefore the target url/port and the url/port serving the applet are the same -- i.e. http://192.168.100.101. Also, the crossdomain.xml file is located in the root of the web app which serves the applet rather the web service; however, since the requests are proxied the url for the file is http://192.168.100.101/crossdomain.xml

* Security Sandbox Violation * Connection to 192.168.100.101:80 halted - not permitted from http://192.168.100.101/com-web/flex/ComUi.swf Error: Request for resource at xmlsocket://192.168.100.101:80 by requestor from http://192.168.100.101/com-web/flex/ComUi.swf is denied due to lack of policy file permissions.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
<allow-access-from domain="*" to-ports="80, 8080" />
</cross-domain-policy>

Thanks.

DanMark
  • 75
  • 1
  • 5

1 Answers1

3

Did you tried to debug it with WireShark, see if the app sends the request on port 843 and if the server sends back the response via socket? It was not totally clear in your post if you already use a server app to serve the policy file, if not, you should, either the way, the link below should help.

If you need more info about how things work, you can check out this

Rad'Val
  • 8,895
  • 9
  • 62
  • 92
  • This is correct. as3httpclientlib uses sockets and this requires a socket policy. – James Ward Apr 15 '11 at 15:27
  • @mindnoise: No, I'm not currently using a server app/daemon to serve the policy file. I had the understanding I could specify the permissions in the `crossdomain.xml` file and then use `Security.loadPolicyFile(url)` to retrieve/apply the permissions. Is my understanding incorrect? Is a policy file 'server' mandatory? – DanMark Apr 15 '11 at 15:47
  • @James Ward: For clarification, is the `socket policy` file the same as the `crossdomain.xml` file? – DanMark Apr 15 '11 at 15:51
  • You can't use 'Security.loadPolicyFile(url)' simply because the player will only know that the HTTP protocol it's OK to use, but how about the socket, he will ask. So, you have to serve it, there is no other way. The content you send is the same, but it's not a file(I usually hardcode it), it's a piece of information sent from the server to the client via a socket. – Rad'Val Apr 15 '11 at 15:59
  • @mindnoise: Thanks for the clarification; I'll put together a script to listen on port 843 and serve the socket policies. – DanMark Apr 15 '11 at 16:24
  • There is a sample python socket server that sends the policy file here: http://www.adobe.com/devnet/flashplayer/articles/socket_policy_files.html – James Ward Apr 15 '11 at 17:30