17 Replies Latest reply on Jan 30, 2008 5:37 AM by msajed

    Security sandbox violation

    tvtony100
      We are experiencing a Security sandbox violation error when our application attempts to open a socket connection.

      Here's what's happening,

      - The application is loaded from LoadHostIP:8081.
      - The application wants to establish a socket connection with TargetHostIP:5900.
      - The following crossdomain file is located in the root directory of the web server on TargetHostIP answering on port 8081:

      <?xml version="1.0"?>
      <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
      <cross-domain-policy>
      <allow-access-from domain="*" to-ports="*"/>
      </cross-domain-policy>

      - Prior to opening the socket the application does a Security.loadPolicyFile to TargetHostIP:8081.
      - When the socket connection is attempted the following error results:
      Error #2048: Security sandbox violation: http://LoadHostIP/ourApplication.swf cannot load data from TargetHostIP:5900.

      Of course all this works just fine from within Flex Builder and we have verified that the crossdomain file can be accessed using a browser directed at http://TargetHostIP:8081.

      We are ready to ship product so any and all advice would be greatly appreciated.

        • 1. Re: Security sandbox violation
          jylaxx Level 1
          Hi,

          When the socket connection is established the following data is sent to the server :
          <policy-file-request/>
          The server has to send back this type of response :
          <?xml version='1.0'?>
          <!DOCTYPE cross-domain-policy SYSTEM 'http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd'>
          <cross-domain-policy>
          <allow-access-from domain='*' to-ports='*' />
          </cross-domain-policy>

          After this initial data exchange you can start to use your protocol.

          See Programming ActionScript page 469

          JYL
          • 2. Re: Security sandbox violation
            tvtony100 Level 1
            Thanks for the reply.

            I've reviewed the information in Programming ActionScript and it looks like I'm doing everything correctly.
            That is, I'm loading a HTTP-based policy file to authorize a socket connection. In fact, according to the book "a policy file obtained from an HTTP server implicitly authorizes socket access to all ports 1024 and above; any to-ports attributes in an HTTP policy file are ignored". So, it would seem that "to-ports" is not even required.

            I am even more confused now.
            • 3. Re: Security sandbox violation
              jylaxx Level 1
              I don't use HTTP, only binary socket. And it works for me.
              Maybe the policy file is linked to the protocol.
              If you are loading the policy file over the HTTP protocol, then you don't send it over your binary socket. Do you receive the <policy-file-request/> when the binary socket connects?
              • 4. Re: Security sandbox violation
                tvtony100 Level 1
                Since I need to connect my socket with a VNC service I am not able to load the policy file via the socket connection.

                I figure my problem has to do with the fact that I'm attempting to specify a port in the HTTP loadPolicyFile request. It seems that this request must be made from the default location on port 80 only and the security system won't accept anything else.

                • 5. Re: Security sandbox violation
                  jylaxx Level 1
                  Port 80 seems to be mandatory for HTTP requests, and also "file must come only from the default location of the cross-domain policy file".
                  So you have to use this port or install a dedicated policy file server.

                  I am interested in your solution as I could have this kind of configuration one day...
                  • 6. Re: Security sandbox violation
                    tvtony100 Level 1
                    JYL,

                    Thanks again for your response.
                    If and when I figure this out I'll post the solution.
                    • 7. Re: Security sandbox violation
                      tvtony100 Level 1
                      JYL,

                      Major changes are in the works for Security in general and socket policy files in particular.
                      A good description of these changes can be found at: http://www.adobe.com/go/strict_policy_files.

                      As you are doing, I need to authorize my socket connection using a socket loaded policy file.

                      • 8. Re: Security sandbox violation
                        jylaxx Level 1
                        Thanks for the link
                        • 9. Re: Security sandbox violation
                          tvtony100 Level 1
                          JYL,

                          Do you use Security.loadPolicyFile to request your crossdomain file prior to establishing your socket connection?
                          Or, do you make the request over the main socket connection?

                          If you issue the Security.loadPolicyFile, what string do you use to make the request?

                          Thanks in advance.
                          • 10. Re: Security sandbox violation
                            jylaxx Level 1
                            No I use the main connection. My server is able to manage the Flex policy file request and then my own requests.
                            If you use loadPolicyFile the request should be "xmlsocket://ip:port" (I didn't try).
                            You should also try this kind of sequence with your VNC socket :

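                            import flash.events.Event ;
                            import flash.net.Socket ;

                            class vncConnection {
                                // policyFileServer, policyFilePort, vncServer and vncPort are defined elsewhere
                                private var _ready : Boolean = false ;
                                private var vncSck : Socket = new Socket() ;

                                // First connect to the policy file server so the player receives the policy
                                public function connect() : void
                                {
                                    vncSck.addEventListener( Event.CONNECT, connectListenerPolicyFile ) ;
                                    vncSck.connect( policyFileServer, policyFilePort ) ;
                                }

                                // Policy connection succeeded: close it and open the real VNC connection
                                private function connectListenerPolicyFile(event:Event) : void
                                {
                                    vncSck.removeEventListener( Event.CONNECT, connectListenerPolicyFile ) ;
                                    vncSck.close() ;

                                    vncSck.addEventListener( Event.CONNECT, connectListenerVNC ) ;
                                    vncSck.connect( vncServer, vncPort ) ;
                                }

                                // VNC connection established
                                private function connectListenerVNC(event:Event) : void
                                {
                                    _ready = true ;
                                }
                            }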
                            • 11. Re: Security sandbox violation
                              tvtony100 Level 1
                              Finally got it working by loading the socket policy file over one port before establishing my main connection over another port.

                              Thanks for all your help.
                              • 12. Re: Security sandbox violation
                                msajed
                                Hi.

                                I am trying to connect my xmlSocket to my own Java-based server. When I only call Security.loadPolicyFile(..Server location..) then it doesn't work, although the crossdomain.xml file is present on the server.

                                If I don't use Security.loadPolicyFile() and try to connect to the server using xmlSocketObj.connect(server, port) then the server receives the request for the policy file, <policy-file-request/>. In reply to this request my server sends the complete crossdomain.xml, but nothing works and the program throws SecurityErrorEvent.

                                I am using Flash Player 9.0.115.0 and my crossdomain.xml file is also correct.

                                Regards,
                                • 13. Re: Security sandbox violation
                                  jylaxx Level 1
                                  I am also using a Java server with a binary socket protocol. I am not using xmlSocket but the behaviour should be the same.
                                  Maybe you could send your code for both the Flex and Java sides?

                                  Do you send a 0x00 byte at the end of the cross domain policy?
                                  • 14. Re: Security sandbox violation
                                    tvtony100 Level 1
                                    I had a problem that may or may not be relevant. It is related to establishing the socket connection when using the Security.loadPolicyFile call and may be a bug. In my connection routine I had to modify the socket constructor so that the socket could be instantiated before the connection was attempted.

                                    Establishing the connection in the constructor would not work.

                                    So, here’s the sequence:

                                    // load the policy file via socket
                                    Security.loadPolicyFile( "xmlsocket://"+ host + ":" + port );

                                    // instantiate the socket
                                    aSocket = new Socket();

                                    // add listeners

                                    // explicitly call socket connect
                                    aSocket.connect( host, port );

                                    • 15. Re: Security sandbox violation
                                      msajed Level 1
                                      Hi.

                                      Thanks for replying. I am sending you the code of both client and server. Security.loadPolicyFile(...) is commented in this code because it was not working for me.

                                      thanks in advance.

                                      Regards,


                                      This is my Flex code.

                                      import flash.display.Sprite;
                                      import flash.events.*;
                                      import flash.net.XMLSocket;
                                      import flash.system.Security;
                                      import mx.controls.Alert;

                                      public class SocketExample extends Sprite
                                      {
                                          private var socket:XMLSocket;

                                          public function SocketExample( )
                                          {
                                              try
                                              {
                                                  socket = new XMLSocket();
                                                  // Register event handlers
                                                  socket.addEventListener(Event.CONNECT, onConnect);
                                                  socket.addEventListener(IOErrorEvent.IO_ERROR, onError);
                                                  socket.addEventListener(DataEvent.DATA, onData);
                                                  socket.addEventListener(SecurityErrorEvent.SECURITY_ERROR, onSecurityError);

                                                  // Security.loadPolicyFile("xmlsocket://myServer:9090");
                                                  // connect to server
                                                  socket.connect( "myServer", 9090 );

                                                  trace("Waiting for Socket to connect.........");
                                              }
                                              catch(e:Error)
                                              {
                                                  trace("Error : " + e);
                                              }
                                          }

                                          private function onError(e:Event):void
                                          {
                                              trace("IO Error : " + e);
                                          }

                                          private function onSecurityError(e:Event):void
                                          {
                                              trace("Security : " + e);
                                          }

                                          private function onConnect( event:Event ):void
                                          {
                                              trace("Server is now Connected");
                                              socket.send("Hello There\n");
                                              trace("Sending ----- Hello There");
                                          }

                                          private function onData( event:DataEvent ):void
                                          {
                                              trace( "Recieved XML : " + event.data );
                                          }
                                      } // class definition finished

                                      And below is the code for a simple Java server which sends back whatever it receives, except for a crossdomain request, in which case the policy file is returned. I hope the code is understandable.

                                      import java.io.BufferedReader;
                                      import java.io.InputStreamReader;
                                      import java.io.PrintStream;
                                      import java.net.ServerSocket;
                                      import java.net.Socket;

                                      class SampleServer
                                      {
                                          private static SampleServer server = null;
                                          ServerSocket socket;
                                          Socket incoming;
                                          BufferedReader readerIn;
                                          PrintStream printOut;

                                          public static void main(String[] args)
                                          {
                                              int port = 9090;
                                              server = new SampleServer(port);
                                          }

                                          private SampleServer(int port)
                                          {
                                              System.out.println(">> Starting SimpleServer");
                                              try
                                              {
                                                  // accept a single client and wrap its streams
                                                  socket = new ServerSocket(port);
                                                  incoming = socket.accept();
                                                  readerIn = new BufferedReader(new InputStreamReader(incoming.getInputStream()));
                                                  printOut = new PrintStream(incoming.getOutputStream());

                                                  // read line by line until EOF or "EXIT"
                                                  boolean done = false;
                                                  while (!done)
                                                  {
                                                      String str = readerIn.readLine();
                                                      if (str == null)
                                                      {
                                                          done = true;
                                                      }
                                                      else
                                                      {
                                                          System.out.println("Recieved : " +str);
                                                          out(str.trim());
                                                          if(str.trim().equals("EXIT"))
                                                          {
                                                              done = true;
                                                          }
                                                      }
                                                  }
                                                  incoming.close();
                                              }
                                              catch (Exception e)
                                              {
                                                  System.out.println(e);
                                              }
                                              System.out.println("Bye");
                                          }

                                          private void out(String str)
                                          {
                                              // if request for policy file then send complete file. otherwise echo whatever is received.
                                              if (str.equals("<policy-file-request/>"))
                                              {
                                                  str = "<?xml version='1.0'?><!DOCTYPE cross-domain-policy SYSTEM 'http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd'><cross-domain-policy><allow-access-from domain='*' to-ports='*' /></cross-domain-policy>";
                                              }

                                              // every message sent back is terminated with a 0x00 byte
                                              printOut.print(str+"\0");
                                              System.out.println("Sending Back :"+str);
                                              printOut.flush();
                                          }
                                      }
                                      • 16. Re: Security sandbox violation
                                        jylaxx Level 1
                                        Sorry, I have no time to explore your code further. At first glance I didn't see anything wrong.
                                        Anyway, did you read this article?
                                        http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security_04.html
                                        • 17. Re: Security sandbox violation
                                          msajed Level 1
                                          Thanks jylaxx.

                                          I have read this article earlier and I could not understand what I have done wrong. If you don't have much time, could it be possible that you share a little piece of your code which is performing the socket connection (using XMLSocket or BinarySocket)?

                                          thanks anyways.
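
Added example, not code from any poster in this thread: the socket policy exchange from replies 1 and 13 (the request and the policy are each terminated by a 0x00 byte), with the policy scoped to one origin and one port instead of domain='*' to-ports='*'. The origin app.example.com and all function names are assumptions; the Flash Player side is played over a local socketpair with constructed input.

```python
import socket

POLICY_REQUEST = b"<policy-file-request/>"
MAX_REQUEST = 64  # the genuine request is 22 bytes; refuse to buffer much more

def build_policy(domain, ports):
    """Socket policy granting `domain` access to `ports` only, NUL-terminated."""
    xml = (
        '<?xml version="1.0"?>'
        "<cross-domain-policy>"
        f'<allow-access-from domain="{domain}" to-ports="{ports}"/>'
        "</cross-domain-policy>"
    )
    return xml.encode("ascii") + b"\0"

def read_until_nul(conn, limit):
    """Read one NUL-framed message; None on EOF, timeout or oversize input."""
    buf = bytearray()
    try:
        while len(buf) <= limit:
            chunk = conn.recv(1)  # byte-wise so nothing past the NUL is consumed
            if not chunk:
                return None
            if chunk == b"\0":
                return bytes(buf)
            buf += chunk
    except socket.timeout:
        return None
    return None

def handle(conn, policy):
    """Serve one connection: reply only to an exact policy request, then close."""
    conn.settimeout(3.0)  # do not let a silent client hold the connection open
    try:
        if read_until_nul(conn, MAX_REQUEST) == POLICY_REQUEST:
            conn.sendall(policy)
            return True
        return False
    finally:
        conn.close()

def demo():
    """Constructed exchange: the 'player' end sends the request, reads the policy."""
    player, server = socket.socketpair()
    player.sendall(POLICY_REQUEST + b"\0")
    # app.example.com is a placeholder origin (assumption); 5900 is the
    # VNC port from the original question.
    handle(server, build_policy("app.example.com", "5900"))
    reply = read_until_nul(player, 4096)
    player.close()
    return reply
```

In a deployment, handle() would be called on each socket accepted on the dedicated policy port, separate from the service port, as in reply 11.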