5 Replies Latest reply on Aug 5, 2011 12:19 PM by grimmwerks

    Configuring socket policy for flex apps(with blocked port 843)?

    mob_eng_at_edt Level 1

      We have built several flex-based ecommerce apps for a fortune 500 customer of ours, that for various reasons, we need to use sockets to a different domain and requires a socket policy file, but were having trouble configuring our flex apps for deployment in thier enviornment where they are blocking virtually everything except port 80 . The current documentation in in regards to socket policy files and crossdomain files in a non-standard configuration not using port 843 is not providing any useful help to us.


      Here is the scenario:


      Flex apps are served from domain www.a.com in  to users browsers via http. The apps then make socket connections to domain www.b.com:80 where there are php scripts serving json data to the flex apps via port 80 using http(we use sockets because we need to set and read back http headers). The problem is the flex apps cannot make socket connections to the www.b.com domain without errors like below(unless we setup a socket policy server on port 843 of www.b.com, in which case everything works):


      Warning: Timeout on xmlsocket://www.b.com:80 (at 3 seconds) while waiting for socket policy file.  This should not cause any problems, but see http://www.adobe.com/go/strict_policy_files for an explanation.
      Error: Request for resource at xmlsocket://www.b.com:80 by requestor from http://www.a.com/bin-debug/DownloadManagerFlex.swf is denied due to lack of policy file permissions.
      Error: Request for resource at xmlsocket://www.b.com:80 by requestor from http://www.a.com.us/bin-debug/DownloadManagerFlex.swf is denied due to lack of policy file permissions.


      Since we cannot use port  843 for the socket policy file server, we setup the socket policy server on a different ip in the same domain: spf.b.com:80 (using the sample perl code Adobe provides), and per the docs(cited below), use Security.loadPolicyFile("xmlsocket://spf.b.com:80") before we invoke "socket.connect", to supposedly tell the flash player to check there for the socket policy file. The problem, as you can see from the error log, is that the  loadPolicyFile("xmlsocket://spf.b.com:80") is ignored.


      No matter what we do or how we set things up, we cannot get the flash player to recognize the loadPolicyFile(), it always wants to go to the port were making the socket connection on. It is unclear how to properly configure the flex app, socket policy file and crossdomain file for the above scenario. The docs allude to being able to serve  the socket policy file from a different port 80 in the same domain as the socket connection were trying to make, but were having no luck with that.


      ->Can anyone shed some light on how to make this work or what are we  missing/doing wrong? Also, if we can get this to work, are we  stuck with a 3 second delay because this(very large) customer is blocking port 843?


      As an aside,  the documentation for all this is a bit scattered, unclear and contrdictory:

      One document says:(http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security_07.html)
      "This warning usually means one of two things: first, that you need to set up a             socket policy file server on port 843, which is the first location that Flash             Player checks by default; or second, that you need to provide more explicit             guidance to Flash Player from ActionScript by calling loadPolicyFile to indicate the location             of a socket policy file. When you call loadPolicyFile rather than allowing Flash Player to check             locations by default, Flash Player will wait as long as necessary for a             response from a socket policy file server, rather than timing out after 3             seconds."


      Another document says(http://www.adobe.com/devnet/flashplayer/articles/socket_policy_files.html):

      "If an ActionScript Security.loadPolicyFile() command exists within               the SWF file, then the Flash Player runtime checks that location. Flash Player checks               the destination of the loadPolicyFile() only after it has checked the               master policy file on port 843 for permission to acknowledge other policy               files. If the developer has not specified a loadPolicyFile() command,               then Flash Player checks the destination port of the connection."

        • 1. Re: Configuring socket policy for flex apps(with blocked port 843)?
          mob_eng_at_edt Level 1

          Let me ask a followup question that may answer my problem:


          After scouring the docs again, It's starting to look to me like the only solution to allow a flex app socket level access without a port 843 socket policy server, is that you need to somehow serve both the socket policy xml(using Adobe's protocol) AND the data your flex/flash app is trying to consume on the same port?


          Can any authoritive person validate that that is the case?

          • 2. Re: Configuring socket policy for flex apps(with blocked port 843)?

            Did you find a solution to your problem? I'm experiencing exactly the same problem. Any guidance to solve this problem will be appreciated.





            • 3. Re: Configuring socket policy for flex apps(with blocked port 843)?
              mob_eng_at_edt Level 1



              I can tell you that if your trying to use sockets and  port 843 is blocked on the server your trying to communicate with,  you basically have to have the port unblocked(usually firewall is blocking it). Sometimes this is possible, and sometimes not. If you cant, which we couldnt get our customer to do it, then dont use sockets - we decided to use http(s) to transfer data back and forth as that doesent require port 843. 


              I hope that helps.



              • 4. Re: Configuring socket policy for flex apps(with blocked port 843)?
                kempis2008 Level 1

                I found the reason why the Flex application was ignoring the socket policy (crossdomain.XML). I have a policy server that listens to port 843 and submits the policy to the Flex client. My policy was getting ignored by the Flex application and I was getting the sandbox security error you were getting. The solution to this problem isto write a null byte right after the policy server sends the policy. I'm using Apache Mina that is wrtten is Java and the null byte is written as follows:


                public void sessionCreated (IoSession session)
                        throws Exception
                        session.write(_policy);  -- > policy string
                        session.write("\u0000"); --> null byte
                         //session.close(true); ---> No need to close the session because it is closed by the Flex client after it receives the null byte.


                Now my Flex application can read and accept the policy from port 843 and I'm not getting more security violations.


                Thanks for your reply,



                • 5. Re: Configuring socket policy for flex apps(with blocked port 843)?

                  Did you find any workaround?


                  We've got a stomp protocol bound at 443; I've been attempting to pull the crossdomain via loadPolicyFile at 80 but of course this won't allow access at 443.  If the server at 843 is running, it works (of course).   The backend people are saying that since we're using a protocol we couldn't even allow a return from a request upon the socket we want to make the data connection... so we're stuck as well.