OpenPeak Flash app XMLSocket Security Problem - java

We're trying to create an app for OpenPeak. The Flash app will act as a client to a Java server on another computer on another domain.
The Flash app client connects via XMLSocket. The Java Server uses ServerSocket to receive a request and send back a message.
In order to trust the server, the Flash client needs a socket master policy file to tell it that the server comes from a trustworthy domain. According to an article on Adobe, when a connection has succeeded, the Flash client automatically requests the cross-domain policy or socket master policy file on port 843.
Still, even when we implement it according to the tutorials and recommendations we have read, the Flash client continues to throw the following security error:
SecurityErrorEvent
type="securityError" bubbles=false
cancelable=false eventPhase=2
text="Error #2048"
We've tried logging the policy file request during testing to see if there was any call made to port 843. There was not.
Interestingly, even without a policy file, the Flash client still manages to send the first data message to the server successfully. It's just when the server tries to send back a reply that the entire thing hangs for about 10 seconds before the security error above is displayed.
Any ideas / suggestions?

In order for Flash to access another domain you'll need a crossdomain.xml file. For this specific need you will probably have to specify a custom URL. Here is the code you need to do that:
flash.system.Security.loadPolicyFile("{Url to my crossdomain.xml file on the SSL virtual root}");
Here is a sample file which disables Flash's "Same Origin Policy" protection for the domain that is using this file. Limiting this access to specific domains is highly recommended, but this is not always possible for some apps.
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.*" secure="false" />
</cross-domain-policy>
To debug this I would use TamperData to make sure Flash is actually downloading the crossdomain.xml file. If you need to debug RTMP or some other non-HTTP protocol then you'll have to use Wireshark.
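A policy responder for the port 843 request mentioned in the question, as an added example that is not part of the original question or answer: it replies to Flash Player's `<policy-file-request/>` with a socket policy limited to one domain and one port instead of a wildcard. The domain `app.example.com` and port `9000` are placeholders to replace with your own values.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.ServerSocket;
import java.net.Socket;
import java.nio.charset.StandardCharsets;

public class SocketPolicyServer {
    // Flash Player sends this string followed by a NUL byte.
    static final String REQUEST = "<policy-file-request/>";

    // Placeholder values: the allowed domain and the port the XMLSocket server listens on.
    static final String POLICY =
        "<?xml version=\"1.0\"?>"
      + "<cross-domain-policy>"
      + "<allow-access-from domain=\"app.example.com\" to-ports=\"9000\"/>"
      + "</cross-domain-policy>";

    /** Returns the NUL-terminated reply, or null if this is not a policy request. */
    static byte[] replyFor(String request) {
        if (!REQUEST.equals(request)) return null;
        return (POLICY + "\0").getBytes(StandardCharsets.UTF_8);
    }

    /** Reads up to the first NUL byte, capped so a client cannot feed unbounded data. */
    static String readRequest(InputStream in) throws IOException {
        StringBuilder sb = new StringBuilder();
        int b;
        while ((b = in.read()) > 0 && sb.length() < 64) sb.append((char) b);
        return sb.toString();
    }

    public static void main(String[] args) throws IOException {
        try (ServerSocket server = new ServerSocket(843)) { // ports below 1024 need privileges
            while (true) {
                try (Socket client = server.accept()) {
                    client.setSoTimeout(3000); // do not let a silent client block the loop
                    byte[] reply = replyFor(readRequest(client.getInputStream()));
                    if (reply != null) {
                        OutputStream out = client.getOutputStream();
                        out.write(reply);
                        out.flush();
                    }
                } catch (IOException e) {
                    System.err.println("policy client error: " + e.getMessage());
                }
            }
        }
    }
}
```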

Related

InternetAccess with Jetty and a Webserver. Client-Server Communication 2 machines, computer, java

I need some advice in the following matter:
I have two machines that are connected via ethernet.
One machine (let's call it ServerSide) is also connected to the Internet via LAN. The second machine (ClientSide) is offline, in the beginning.
So ServerSide is creating a webserver with Jetty on port XY. ClientSide opens a webbrowser and requests some page (e.g. stackoverflow.com). The request will be forwarded to port XY and the webserver. ServerSide would have to send the request to the internet and then back over ServerSide to ClientSide, so the webbrowser should display the requested webpage.
Is it even possible to do that this way?
Thanks in advance
Yes. What you need on server side is an HTTP Proxy and there are plenty of existing solutions in the market.
Check out the Wikipedia article about proxies. Bear in mind that the client might require some configuration (Proxy settings) so that it forwards the requests to the proxy rather than attempting to reach the final host.

Intercommunication between JNLP(client) / Apache / Java program(server)

I am practicing some web-apps technology. I set up an Apache HTTP server which provides an HTTP page with a JNLP/FlashFX file with a simple data form to be filled in by the user. My first idea was to send/receive the data from JNLP with the help of UDP (I just serialize objects inside datagrams). To be more specific:
Apache provides a static HTTP and JNLP/FlashFX (HTTP is just to deploy JNLP)
JNLP communicates via UDP with server
server runs simple Java program to send/receive UDP packets to JNLP
My problem is that when I access the page from the 'client' browser machine, a firewall asks if I want to allow/deny access to the network from 'java'. No doubt this is normal, but I think no one expects this from a web page... I want to change this approach and use the existing HTTP protocol.
QUESTION UPDATE
As far as I understand, with the HTTP protocol we have a couple of methods which are used to communicate with the server (GET, PUT, POST, ...) and are provided by the Apache service.
I would like to use this for data exchange like this:
JNLP sends some serialized data with HTTP methods
Apache will redirect some (or full) traffic to my Java program
My Java program will answer via Apache to my JNLP
How can I do that?

How to let browser send messages to a local java application?

I want the browser to send a message to my local Java application (which is programmed by myself) when I click a button on a web page which is also written by myself using php. Is there any way I can do that?
This is the wrong way. You don't send information from your server to your local application. Your local application should grab the information from your web server.
The local Java application can implement a webserver. There are a number of libraries out there, or you can use ServerSocket / SSLServerSocket to implement it at a low level. The server socket should be bound to localhost in order to prevent direct external access.
You can use JSONP to communicate with this local webserver.
Pay special attention to authentication, because any website you visit can instruct the browser to send requests to the local webserver.
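The local listener described in this answer, as an added example that is not part of the original post: it binds to loopback, requires a per-run token, and only echoes a JSONP callback name that is a plain identifier. The port, the `/message` path and the `token` and `callback` parameter names are assumptions; how the page obtains the token is left to the application.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.math.BigInteger;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

public class LocalReceiver {
    static final int PORT = 8765; // assumed port
    // Fresh 256-bit secret for every run, rendered with URL-safe characters (0-9, a-v).
    static final String TOKEN = new BigInteger(256, new SecureRandom()).toString(32);

    // Pulls one parameter out of a raw query string; null if absent.
    static String param(String query, String name) {
        if (query == null) return null;
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            if (eq > 0 && pair.substring(0, eq).equals(name)) return pair.substring(eq + 1);
        }
        return null;
    }

    // Constant-time comparison against the per-run token.
    static boolean authorized(String t) {
        return t != null && MessageDigest.isEqual(
            t.getBytes(StandardCharsets.UTF_8), TOKEN.getBytes(StandardCharsets.UTF_8));
    }

    static void handle(HttpExchange ex) throws IOException {
        String q = ex.getRequestURI().getRawQuery();
        String cb = param(q, "callback");
        // Only a plain identifier may be echoed back as the JSONP callback name.
        boolean ok = authorized(param(q, "token")) && cb != null && cb.matches("[A-Za-z_]\\w{0,63}");
        byte[] body = (ok ? cb + "({\"ok\":true});" : "forbidden").getBytes(StandardCharsets.UTF_8);
        ex.getResponseHeaders().set("Content-Type", ok ? "application/javascript" : "text/plain");
        ex.sendResponseHeaders(ok ? 200 : 403, body.length);
        ex.getResponseBody().write(body);
        ex.close();
    }

    public static void main(String[] args) throws IOException {
        // Loopback only, so other hosts on the network cannot reach the listener.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", PORT), 0);
        server.createContext("/message", LocalReceiver::handle);
        server.start();
        System.out.println("token for this run: " + TOKEN);
    }
}
```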

Java Servlet: Retrieve data from remote devices and "push" data to client side by using FTP connection

I believe building a small home-made program to make ourselves more comfortable is quite common nowadays. Just a few days ago, I got really tired of getting the same-named log files from different remote devices through FTP connections again and again, so I started to build a Java web application.
The purpose of the Java web application is simple: once the user has filled in the absolute path of the source file on the remote device and selected the corresponding remote devices he or she wants to connect to, the web application will finally store those same-named log files on the user's local computer with a well-organized folder structure. You can simply understand this Java servlet as a proxy that sits between the client and the remote devices.
Currently, I have already done and tested the function for downloading from remote devices to the server in the Java servlet by using the Apache Commons Net FTPClient library. It worked fine and provided me with copies of the same-named log files in a well-organized folder structure.
However, when I moved on, I realized that the "pushing" function may be the killer. Following are a few queries I want to discuss with you all:
Even if I could get the IP address or host name from the client's requests, is it possible or suitable for me to auto-establish an FTP connection from the servlet to the client?
If an auto FTP connection is achievable, what are the security concerns I should pay attention to?
If an auto FTP connection is not achievable, is it possible or suitable for me to return those files in the response to the client?
I appreciate your comments or suggestions. Hope you all also enjoy the open discussion here.

Reading file on client machine from server

I have added functionality which will enable the user to attach a file from a web page, and this file will be sent as an attachment to another user.
When I try this on my local machine it works fine.
I deployed the application on the server.
And when I try to attach a file, it throws a FileNotFoundException.
Kindly help.
You seem to be reading the file system assuming that the client is always on the server.
The server and the client are different things. The client may be / may not be [almost all the time] on the server. You need to upload the file, then read it.
If you could read the client's file system this easily, then we might not have coined the word security.
