I have a Flex app which needs to connect to an https web service. The web service WSDL URL is given as wsdl-url.company.com where SSL-offloading is used.
The Flex app resides at the same server the web service resides.
The web service in defined in the mxml as
<s:WebService id="webService" wsdl="https://wsdl-url.company.com/service.asmx?wsdl">
The crossdomain.xml file at the server's root is
<?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM /xml/dtds/cross-domain-policy.dtd> <cross-domain-policy> <site-control permitted-cross-domain-policies="all"/> <allow-access-from domain="*" to-ports="*" /> <allow-http-request-headers-from domain="*" headers="*"/> </cross-domain-policy>
If the swf is loaded from the HTTPS address, crossdomain.xml will not be requested by the swf when the page loads (web service initializes), but when web service is called a POST to the http equivalent is attempted instead of https.
i.e. using Firebug, I see that Flex is performing a POST to HTTP://wsdl-url.company.com/service.asmx, which should have been HTTPS. Why does Flex change this to http while declared as https?
On the other hand, if the swf is loaded from HTTP at the same server, crossdomain.xml will be downloaded, but the Flash debugger will throw a “Channel.Security.Error” and the app crashes when the web service tries to initialize.
Any help resolving this issue is highly appreciated.
For anyone having the same issue, the problem was at the WSDL-endpoint inside the project's .fml. Even though I was setting the service as https:// in the WebService declaration, WSDL-endpoint was generated by Flash Builder as http by default. Setting the endpoint correctly to https programmatically when the app was loaded did the trick:
webService.endpointURI = "https://wsdl-url.company.com/service.asmx";