Re: [flexcoders] Re: Security error accessing url?

2008-01-18 Thread Dominique Bessette - Halsema
I'm not an expert, but I had this problem, and everyone was saying I need a
crossdomain.xml file, and if you have one, if the protocol is https then make
sure the secure attribute is false.

My problem actually ended up being a timing issue that my WSDL was uploading
before the file did.

Flex 3 might be more fickle with XML and making sure it's valid.

I really don't know. I personally hate this error with a passion; it took me a
long time to debug it. Hopefully some person will have a more
insightful answer for you.


On 1/18/08, Nate Pearson [EMAIL PROTECTED] wrote:

   Local machine. I'm trying to debug. Webservice is on the corporate
 intranet.

 I've never had this problem before...

 --- In flexcoders@yahoogroups.com,
 Dominique Bessette - Halsema
 [EMAIL PROTECTED] wrote:
 
  are you running the flex app on your local machine or a server
 
  On 1/18/08, Nate Pearson [EMAIL PROTECTED] wrote:
  
   I'm using Flex Builder 3 Beta 3. I can't seem to create any new
   projects that can connect to webservices! I'll copy the exact same
   code from an old project into a new Flex Builder 3 Beta 3 project and
   I get the error below. Anyone know why?
  
   This is really frustrating!
  
   [RPC Fault faultString=Security error accessing url
   faultCode=Channel.Security.Error faultDetail=Unable to load WSDL.
   If currently online, please verify the URI and/or format of the WSDL
   (http://www.mywebaddress.com/roadmap/systemsRM.asmx?WSDL)]
   at mx.rpc.wsdl::WSDLLoader/faultHandler()[E:\dev\flex_3_beta3\sdk\frameworks\projects\rpc\src\mx\rpc\wsdl\WSDLLoader.as:105]
   at flash.events::EventDispatcher/dispatchEventFunction()
   at flash.events::EventDispatcher/dispatchEvent()
   at mx.rpc::AbstractInvoker/http://www.adobe.com/2006/flex/mx/internal::dispatchRpcEvent()[E:\dev\flex_3_beta3\sdk\frameworks\projects\rpc\src\mx\rpc\AbstractInvoker.as:175]
   at mx.rpc::AbstractInvoker/http://www.adobe.com/2006/flex/mx/internal::faultHandler()[E:\dev\flex_3_beta3\sdk\frameworks\projects\rpc\src\mx\rpc\AbstractInvoker.as:227]
   at mx.rpc::Responder/fault()[E:\dev\flex_3_beta3\sdk\frameworks\projects\rpc\src\mx\rpc\Responder.as:56]
   at mx.rpc::AsyncRequest/fault()[E:\dev\flex_3_beta3\sdk\frameworks\projects\rpc\src\mx\rpc\AsyncRequest.as:110]
   at DirectHTTPMessageResponder/securityErrorHandler()[E:\dev\flex_3_beta3\sdk\frameworks\projects\rpc\src\mx\messaging\channels\DirectHTTPChannel.as:374]
   at flash.events::EventDispatcher/dispatchEventFunction()
   at flash.events::EventDispatcher/dispatchEvent()
   at flash.net::URLLoader/redirectEvent()
 

 



RE: [flexcoders] Re: Security error accessing url

2007-03-21 Thread Tracy Spratt
I do not know this as a certainty, but I suspect when FB installs, it
puts itself in a trusted sandbox/folder.  The trusted sandbox allows
access to both local and network assets.

Search the livedocs for security sandbox for more detail on that.

Tracy

 

 



From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
Behalf Of Paul Barbieux
Sent: Wednesday, March 21, 2007 6:48 AM
To: flexcoders@yahoogroups.com
Subject: [flexcoders] Re: Security error accessing url

 

Hi;

The discussion about the security access on a web service contains a
lot of responses and solutions.

But I don't find any explanations about the question number 1: why do we
have no access problem when we test our application in the Flex
Builder environment, and then we receive a lot of security access
problems when the application runs on clients?

So, what is the difference between the Flash application running in
Flex Builder and this Flash running out of this environment?

Does that mean that in Flex Builder the Flash application doesn't
access the famous crossdomain.xml?!

I think that this difference between the development and the client
environment is a great problem for Flex developers! It means that if
our application runs on our computer, we have no guarantee that it's ok
for clients!

 



RE: [flexcoders] Re: Security error accessing url

2007-03-21 Thread Alex Harui
When you launch a FB SWF from the file system, it has been set up to run
in local-with-networking security mode.  This most closely resembles the
environment you will run in on the web.  The folders in your projects
directories are trusted, otherwise you'd get security errors accessing
jpgs in your assets folder and what not.  Unfortunately, there is no
domain when you're launched off the file system so we can't use
crossdomain.xml to filter out what's ok.

 

However, there are so many degrees of difference between running off the
file system vs the web that the only true test of your app is when you
deploy it to a server.  There you will not only find security
permissions issues, but also whether you copied all other external
assets properly, timing issues involving download times and
asynchronicity etc.  For example, when your app loads another SWF, in
local mode the SWF is guaranteed to finish loading before the next
frame.  On the net it isn't.

 

It would be great if we could block remote-server permissions according
to crossdomain.xml, so you could see what you can and can't get to right
away, but a couple of rules of thumb are to 1) do quick prototypes and
deploy them to make sure you have permission, and/or 2) assume you don't
have permission to anything remote.

 

-Alex

 




RE: [flexcoders] Re: Security error accessing url

2007-03-14 Thread Shaun McCran
I'm new to all this, so you're suggesting that all the Flex SWFs are routed
through a proxy (proxy.xml),
and that XML doc just contains your proxy settings (IP, ports etc). That's
called in your mx: application?
 
Shaun

From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
Behalf Of Paul DeCoursey
Sent: 14 March 2007 02:39
To: flexcoders@yahoogroups.com
Subject: [flexcoders] Re: Security error accessing url



Proxy is your solution. Counterfeiting a crossdomain file is
inadvisable, difficult and probably impossible to do on a large scale
deployment. The only ways I can think of to do it would require great effort
and would need other software to be installed on the client machine to
pull it off. Plus that kind of hackery just isn't cool. Also I'm not
sure anyone is really against the proxy solution, it would just be
faster to go direct to the source.

Another idea if you don't want or can't do the proxy server, you could
be bold and do an ajax proxy. I'm not sure how much data can be passed
via the External Interface, but you certainly could pass xml back and
forth that way. Given enough motivation I could come up with a
working example.

p


RE: [flexcoders] Re: Security error accessing url

2007-03-14 Thread Teddy Setiawan

The idea is that the server (our web server) processes the request to the
non-crossdomain.xml server and returns the result to Flex.

In basic:
Flex ---> OurWebserver Page --> non-crossdomain.xml server
OurWebserver Page Result -> Flex

I implement this to get an RSS feed from a non-crossdomain.xml server.
I use PHP on the server side and it works.
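The proxy flow described in this thread (Flex app to a page on your own web server, which fetches from the remote server that has no crossdomain.xml), sketched in Python as an added example that is not code from any poster. The allow-list host `feeds.example.net`, the rate values and all function names are assumptions; the sketch relays only to intended hosts and throttles per client, which is the chokepoint role discussed in the thread.

```python
import time
from urllib.parse import urlsplit
from urllib.request import urlopen

# Hypothetical allow-list: the only remote hosts this proxy will relay to.
ALLOWED_HOSTS = {"feeds.example.net"}
RATE, BURST = 1.0, 5      # assumed values: tokens per second, bucket size
_buckets = {}             # client id -> (tokens left, time of last request)


def validate_target(url, allowed=ALLOWED_HOSTS):
    """Return the URL if the proxy may fetch it, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    if (parts.hostname or "") not in allowed:
        raise ValueError("host not on allow-list")
    if parts.port not in (None, 80, 443):
        raise ValueError("port not allowed")
    return parts.geturl()


def take_token(client, now):
    """Token bucket per client: refill at RATE, spend one token per request."""
    tokens, last = _buckets.get(client, (BURST, now))
    tokens = min(BURST, tokens + (now - last) * RATE)
    if tokens < 1:
        _buckets[client] = (tokens, now)
        return False
    _buckets[client] = (tokens - 1, now)
    return True


def fetch(url):
    """Real network fetch with a timeout and a cap on the response size."""
    with urlopen(url, timeout=5) as resp:
        return resp.read(1_000_000)


def proxy(client, url, now=None, fetcher=fetch):
    """Return (status, body) as the web server page would answer the Flex app."""
    now = time.monotonic() if now is None else now
    if not take_token(client, now):
        return 429, b"rate limit exceeded"
    try:
        target = validate_target(url)
    except ValueError as exc:
        return 400, str(exc).encode()
    return 200, fetcher(target)
```

`urlopen` follows redirects, so a deployed proxy should also check the final URL against the allow-list.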

Re: [flexcoders] Re: Security error accessing url

2007-03-13 Thread André Rodrigues Pena

If people are against the proxy application.. what's the better solution?
(since I can't see how can I counterfeit a crossdomain file in a external
and not-accessible server)

On 3/12/07, Troy Gilbert [EMAIL PROTECTED] wrote:


  Ahh, yes, but if all of your clients go through your proxy server then
on to the eventual non-crossdomain.xml server, then that server admin sees
that there are a huge amount of requests originating from your proxy server
and he can throttle it as appropriate. If the requests come directly from
the clients, then he has potentially thousands of different points of entry
to throttle.

But I do agree with your point... in general, I'd like to see Flash *at a
minimum* have all of the read-only access that the web browser has. It's
infuriating when some AJAX code can access stuff more easily than Flash...
that just *feels* backwards to me, and I think it ultimately hurts Flash's
use for some cases.

Troy.


On 3/12/07, Paul DeCoursey [EMAIL PROTECTED] wrote:

 --- In flexcoders@yahoogroups.com,
 Alex Harui [EMAIL PROTECTED] wrote:
 
  It doesn't provide any benefit to you, it provides benefit to the
  server owner. Once all of your clients are hammering your server to
  get to the proxy to the remote-server, then you have the first
  chokepoint for traffic instead of the remote-server owner who may or
  may not have intended to allow that much extra traffic.
 

 I understand the thinking, but if I can easily create a proxy around
 the crossdomain file then they've lost that avenue. It's easier to
 throttle access using firewalls or acls, which they will end up having
 to do anyway.

 
 
  The security rules are also intended to make sure we don't become the
  ultimate spyware and virus development platform. If we did, everyone
  would be afraid to download the player and/or run these applications.
 
 
 
  If you can find a way to spoof the crossdomain.xml from a remote
  server, please let us know.
 

 I don't think I'll put any effort to finding out how to do it since I
 don't ever plan on using crossdomain files since I already have a
 working proxy solution.

 
 
  -Alex
 
 
 


 





--
André Rodrigues Pena

LOCUS
www.locus.com.br

Blog
www.techbreak.org


Re: [flexcoders] Re: Security error accessing url

2007-03-13 Thread André Rodrigues Pena

I understand your point Paul.. it makes sense

On 13 Mar 2007 19:38:40 -0700, Paul DeCoursey [EMAIL PROTECTED] wrote:


  Proxy is your solution. Counterfeiting a crossdomain file is
inadvisable, difficult and probably impossible to do on a large scale
deployment. The only ways I can think of to do it would require great effort
and would need other software to be installed on the client machine to
pull it off. Plus that kind of hackery just isn't cool. Also I'm not
sure anyone is really against the proxy solution, it would just be
faster to go direct to the source.

Another idea if you don't want or can't do the proxy server, you could
be bold and do an ajax proxy. I'm not sure how much data can be passed
via the External Interface, but you certainly could pass xml back and
forth that way. Given enough motivation I could come up with a
working example.

p


--
André Rodrigues Pena

LOCUS
www.locus.com.br

Blog
www.techbreak.org


Re: [flexcoders] Re: Security error accessing url

2007-03-11 Thread André Rodrigues Pena

Roman,

You will have to write a proxy, this is a PHP example for yahoo services
http://developer.yahoo.com/javascript/samples/proxy/php_proxy_simple.txt


On 3/9/07, Paul DeCoursey [EMAIL PROTECTED] wrote:


  Maybe I've been misinformed but doesn't the cross domain file need to
be on the server that serves the swf file?

--- In flexcoders@yahoogroups.com,
rzilist [EMAIL PROTECTED] wrote:

 How to get around this error? I've written small Flex application to
 retrieve stock info in exchange for company symbol. I've used
 Eclipse with Flex plugin. Inside the app, I'm calling webservice on
 quote.yahoo.com website. I can load the html page which references
 the swf file (by either running it from within Eclipse, or by
 opening it in both IE and Firefox). This works fine, and I get some
 stock data back. However, if I try serving the page from one of my
 local servers, or even copying it (along with other supporting
 files) to other location on my hard drive, loading the same page
 results in a Security error accessing url from my Adobe Flash
 Player 9. I've even tried to use a straight HTTP post instead of a
 webservice call, but to no avail.

 Now, I know that in order to access the data on the domain other
 than the one my app is running on, Adobe Flash Player requires
 crossdomain.xml file to be on the data server root. Yahoo indeed
 hosts this file at http://quote.yahoo.com/crossdomain.xml, but it
 only has a few entries. I simply want to read company stock info
 from publicly exposed service, but I see no way of adding the domain
 name to their crossdomain file each time someone wants to read a
 stock info.

 Any help is appreciated.

 Roman


 





--
André Rodrigues Pena

LOCUS
www.locus.com.br

Blog
www.techbreak.org
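
How a crossdomain.xml decision of the kind Roman describes plays out, including the `secure` attribute mentioned in the 2008 reply, as an added Python example (not code from the thread or from Adobe). The policy, hostnames and function names are constructed, and the matching rules are a simplified model of Flash Player's behaviour for web-served SWFs only.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed policy for illustration; not copied from any real server.
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.partner.example"/>
  <allow-access-from domain="reports.example.org" secure="false"/>
</cross-domain-policy>"""


def domain_matches(pattern, host):
    """'*' matches any host, '*suffix' is a suffix match, otherwise exact."""
    pattern, host = pattern.strip().lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])
    return host == pattern


def entries(policy_xml):
    """Yield (domain, secure) for every allow-access-from element."""
    for el in ET.fromstring(policy_xml).iter("allow-access-from"):
        # secure defaults to true; only the literal "false" relaxes it
        yield el.get("domain", ""), el.get("secure", "true").lower() != "false"


def is_allowed(policy_xml, data_url, swf_url):
    """Return (allowed, reason) for a web-served SWF reading data_url."""
    data, swf = urlsplit(data_url), urlsplit(swf_url)
    if swf.scheme not in ("http", "https") or not swf.hostname:
        raise ValueError("only SWFs served over http(s) are modelled")
    if (swf.scheme, swf.hostname) == (data.scheme, data.hostname):
        return True, "same domain, policy file not consulted"
    reason = "no allow-access-from entry matches the SWF's domain"
    for domain, secure in entries(policy_xml):
        if not domain_matches(domain, swf.hostname):
            continue
        if data.scheme == "https" and swf.scheme == "http" and secure:
            reason = f"{domain}: HTTP SWF, HTTPS data, secure is not 'false'"
            continue
        return True, f"matched {domain}"
    return False, reason


def audit(policy_xml, data_url):
    """Entries a server owner should review before publishing the policy."""
    https = urlsplit(data_url).scheme == "https"
    notes = []
    for domain, secure in entries(policy_xml):
        if domain.strip() == "*":
            notes.append("domain='*' grants read access to SWFs from any site")
        if https and not secure:
            notes.append(f"{domain}: HTTP-served SWFs may read HTTPS data")
    return notes
```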