R – Same domain but security error

actionscriptapache-flexcrossdomain.xmlSecurity

I am hosting a java service and a flex application on the same server. The flex application accesses the java service. As the flex application loads I get a security error, how can this happen? I thought I do not need a crossdomain.xml when hosting on the same server.

My flex app gets the data via a http service that sends calls to 1.2.3.4:9000/service, the flex application itself lies on 5.6.7.8/test.swf, my crossdomain.xml looks like the following

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="5.6.7.8" to-ports="*"  />
</cross-domain-policy>

It is accessible from 1.2.3.4:9000/crossdomain.xml. Note that everything works when I use domain="*" instead of domain="1.2.3.4"

I hope someone can help me

Sebastian

Best Answer

If your Flex app is on the server with ip 5.6.7.8 you need to allow that ip in the crossdomain for the 1.2.3.4 server. This let's the Flash running from 5.6.7.8 know that 1.2.3.4 allows connections from that specific adress.

If you still have the same problem a quick way to find out what's going on is to use a debug proxy (i like Charles). That way you'll see flash' request for the crossdomain.xml and what the response looks like, most likely the request is going somewhere you didn't expect or the server messes it up somehow.

Related Solutions

Flash crossdomain.xml in a non-root directory

I think it has to verify that the master policy file allows the alternate policy file to set permissions.

Here's an interesting article with this little tidbit:

If a client is instructed to use a policy file in a location other than that of the master policy file, the client must first check the meta-policy of the master policy file to determine if the original policy file is allowed

Wcf – Silverlight WCF + SSL security error – crossdomain.xml never requested

The problem was that I was missing clientaccesspolicy.xml. Having crossdomain.xml was not sufficient in this case. I think this is because the WCF invocation was not just cross-browser but also cross-protocol (the Silverlight app was served via http but the services were served via https).

In addition, my clientaccesspolicy.xml had to explicitly allow access for http as follows:

<?xml version="1.0" encoding="utf-8"?>  
<access-policy>  
    <cross-domain-access>  
        <policy>  
            <allow-from http-request-headers="SOAPAction">  
                <!-- IMPORTANT! Include these lines -->
                <domain uri="http://*"/>  
                <domain uri="https://*"/>  
            </allow-from>  
            <grant-to>  
                <resource path="/" include-subpaths="true"/>  
            </grant-to>  
        </policy>  
    </cross-domain-access>  
</access-policy>

It now works like a charm.

A couple of things that tripped me up along the way:

My browser was caching clientaccesspolicy.xml and crossdomain.xml. I would have to clear my cache every time I changed one of those files or it wouldn't recognize the newer version, despite the fact that IIS is configured to prevent client caching of this file.
The requests to clientaccesspolicy.xml and crossdomain.xml were not always showing up in Fiddler. I would often see CONNECT requests instead. I don't understand the reason for this but I've learned not to rely on Fiddler to confirm these requests are being made. Perhaps I have some rogue setting somewhere (it's not the "Decrypt HTTPS traffic" setting because I already disabled it).

Best Answer

Related Solutions

Flash crossdomain.xml in a non-root directory

Wcf – Silverlight WCF + SSL security error – crossdomain.xml never requested

Related Topic