2 Replies Latest reply on Jul 8, 2009 9:21 AM by mikaye

    Flash security expert needed

    mikaye

      I am trying to establish a tcp socket connection from a flex browser application to a local socket server (localhost:8010). The flex app is loaded from my local http server (for early development). My socket server is returning the following cross domain policy upon request for the policy file from Flash,

      <?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*" to-ports="8010-8100"/></cross-domain-policy>

      However, I continue to get the following error,
      ---
      Warning: Timeout on xmlsocket://localhost:8010 (at 3 seconds) while waiting for socket policy file.  This should not cause any problems, but see http://www.adobe.com/go/strict_policy_files for an explanation.

      Connection to localhost:8010 halted - not permitted from http://localhost/~mike/app/main.swf
      Error: SWF from http://localhost/~mike/app/main.swf may not connect to a socket in its own domain without a policy file.  See http://www.adobe.com/go/strict_policy_files to fix this problem.
      ---

      Here's the Java code that executes on the socket server when it receives the request for the policy file (the socket server receives the <policy-file-request> request from Flash).



          public void sendFlashCrossDomainPolicy() {
              //if mOut then socket connection is established
              String msg = "<?xml version=\"1.0\"?>" +
                      "<!DOCTYPE cross-domain-policy SYSTEM \"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd\">" +
                      "<cross-domain-policy>" +
                      "<allow-access-from domain=\"*\" to-ports=\"8010-8100\"/>" +
                      "</cross-domain-policy>";
              if (mOut != null) {
                  System.out.println(msg);
                  mOut.println(msg);
                  mOut.flush();
              }
          }

      The socket server receives the <policy-file-request> request from Flash as expected and then uses the snippet above to send the policy file.

      Why doesn't flash see the cross domain policy returned by the socket server?

        • 1. Re: Flash security expert needed
          mikaye Level 1

          Another question, and perhaps easier to answer. I have changed the compiler options in order to change the security sandbox,

           

          -use-network=false

          and

          -use-network=true

           

          I'm not sure if this matters when trying to establish a socket connection to localhost, but regardless of the setting, the following code always results in an output of "Security Sandbox: REMOTE"

           

                      switch (Security.sandboxType) {
                          case Security.LOCAL_TRUSTED:
                              trace("Security Sandbox: LOCAL_TRUSTED");
                              break;
                          case Security.LOCAL_WITH_FILE:
                              trace("Security Sandbox: LOCAL_WITH_FILE");
                              break;
                          case Security.LOCAL_WITH_NETWORK:
                              trace("Security Sandbox: LOCAL_WITH_NETWORK");
                              break;
                          case Security.REMOTE:
                              trace("Security Sandbox: REMOTE");
                              break;
                      }

          • 2. Re: Flash security expert needed
            mikaye Level 1

            After plugging away, I was finally able to get the flex browser app to talk locally to a Java Socket Server by opening a separate socket connection on port 8030 (could have been any port over 1023) and sending the policy file using the code below. The problem that I still can't understand is why I couldn't get this to work over the one port, let's say 8010, that I use to communicate with the flex browser app. However, since this works fine over the second port, that's good enough for now.

             

            /**
            *
            * @author mike
            */
            public class PolicyServer extends FSSocketServer {
                /**
                 * Creates a new instance of PolicyServer
                 */
                public PolicyServer() {
                    super("PS-SockServ", 8030);
                }

             

                @Override
                protected void onConnect() {
                    sendFlashCrossDomainPolicy();
                    gui.output(this.getName() + ": connected to policy server @ " + incoming.getInetAddress().toString() + ":" + srvSocket.getLocalPort());
                }

             

                /**
                 * Print message to the client
                 */
                public void sendFlashCrossDomainPolicy() {
                    System.out.println("Begin of send load policy file ...");
                    String msg = "<?xml version=\"1.0\"?>" +
                            "<!DOCTYPE cross-domain-policy SYSTEM \"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd\">" +
                            "<cross-domain-policy>" +
                            "<allow-access-from domain=\"*\" to-ports=\"*\"/>" +
                            "</cross-domain-policy>\r" + '\u0000';
                    send(msg);
                }
            }
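
Added example, not part of the original posts and not the poster's FSSocketServer code: a stand-alone policy responder that reads the request up to its null terminator and ends the reply with a null byte, which is how Flash Player delimits socket policy messages, and that grants only `localhost` and port 8010 instead of `*`. The class name, the 64-byte request limit, the read timeout and the loopback bind are assumptions made for illustration.

```java
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;

public class ScopedPolicyServer {
    static final String REQUEST = "<policy-file-request/>";
    // Scoped to one origin and one port instead of domain="*" to-ports="*".
    static final String POLICY = "<?xml version=\"1.0\"?><cross-domain-policy>"
            + "<allow-access-from domain=\"localhost\" to-ports=\"8010\"/>"
            + "</cross-domain-policy>";

    // Read bytes up to the NUL terminator; stop at EOF or after max bytes.
    static String readUntilNul(InputStream in, int max) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        int b;
        while ((b = in.read()) > 0 && buf.size() < max) {
            buf.write(b);
        }
        return new String(buf.toByteArray(), StandardCharsets.UTF_8);
    }

    static void handle(Socket client) throws IOException {
        try (Socket s = client) {
            s.setSoTimeout(3000); // a silent client must not hold the thread
            String req = readUntilNul(s.getInputStream(), 64).trim();
            if (!REQUEST.equals(req)) {
                return; // not a policy request: close without answering
            }
            OutputStream out = s.getOutputStream();
            out.write(POLICY.getBytes(StandardCharsets.UTF_8));
            out.write(0); // NUL byte marks the end of the policy file
            out.flush();
        } // closing the socket tells the player the exchange is over
    }

    public static void main(String[] args) throws IOException {
        // Port 8030 as in the post; bound to loopback for local development.
        try (ServerSocket srv = new ServerSocket(8030, 16, InetAddress.getLoopbackAddress())) {
            while (true) {
                try {
                    handle(srv.accept());
                } catch (IOException e) {
                    System.err.println("policy client error: " + e.getMessage());
                }
            }
        }
    }
}
```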