SecurityInformation
# Some basic security information.

As of Flash Player 9.0.124.0, Sockets are not allowed to make requests to ports on the same domain, or on other domains, unless the domain you are connecting to is serving a socket policy file. Prior to 9.0.124.0, a crossdomain.xml file would work just fine. Now, however, you need to set up a server socket on port 843 that listens for socket connections from Flash and serves a socket policy file.

Here is the absolute simplest configuration for the socket policy file:

```xml
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*" to-ports="3306" />
</cross-domain-policy>
```

The policy file needs to be served from a socket listening on port 843 (TCP). Flash will send the request `<policy-file-request></policy-file-request>\0`. When the server receives this string, it should return the policy file, followed by a null byte.

- Java Policy File Server: See JavaPolicyFileServer wiki entry.
- PHP Flash Policy Daemon: http://ammonlauritzen.com/blog/2008/04/22/flash-policy-service-daemon/
- C# Flash Policy Server: http://giantflyingsaucer.com/blog/?p=15
- VB.NET Flash Policy Server: http://www.gamedev.net/community/forums/topic.asp?topic_id=455949
- Python / Perl Flash Policy Servers: http://www.adobe.com/devnet/flashplayer/articles/socket_policy_files.html
- More Information: http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security_04.html
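The request/response exchange described above, as an added Python 3 example (not part of the original wiki page or of the linked servers). `ALLOWED_DOMAIN` and all function and class names are assumptions; the server accepts both the request string quoted above and the self-closing form `<policy-file-request/>`, and names one domain in the policy instead of `*`.

```python
import socketserver

# Accepted requests: the string quoted on this page and the self-closing form.
ACCEPTED = {b"<policy-file-request></policy-file-request>", b"<policy-file-request/>"}
MAX_REQUEST = 64      # never buffer more than this from an unauthenticated peer
READ_TIMEOUT = 3.0    # seconds; drop clients that connect and stay silent
ALLOWED_DOMAIN = "app.example.com"  # placeholder (assumption), instead of "*"
POLICY = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE cross-domain-policy SYSTEM "/xml/dtds/cross-domain-policy.dtd">\n'
    "<cross-domain-policy>\n"
    f'  <allow-access-from domain="{ALLOWED_DOMAIN}" to-ports="3306" />\n'
    "</cross-domain-policy>\n"
).encode("ascii")

def read_request(conn):
    """Read up to the terminating null byte, bounded in size and time."""
    conn.settimeout(READ_TIMEOUT)
    buf = b""
    try:
        while b"\x00" not in buf and len(buf) < MAX_REQUEST:
            chunk = conn.recv(MAX_REQUEST - len(buf))
            if not chunk:
                break
            buf += chunk
    except OSError:  # timeout or reset: treat as an invalid request
        return b""
    return buf

def response_for(request):
    """Policy followed by a null byte for a valid request, otherwise nothing."""
    body, terminator, _ = request.partition(b"\x00")
    valid = terminator and body.strip() in ACCEPTED
    return POLICY + b"\x00" if valid else b""

class PolicyHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.sendall(response_for(read_request(self.request)))

class PolicyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

def make_server(host="0.0.0.0", port=843):
    # Port 843 is below 1024: binding it needs root or CAP_NET_BIND_SERVICE.
    return PolicyServer((host, port), PolicyHandler)

if __name__ == "__main__":
    make_server().serve_forever()
```

With `domain="*"` a SWF loaded from any site may open a socket to port 3306 on this host, so the database port should also be restricted by the database's own authentication and by firewall rules.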
Nice, Adobe. You need root server rights to install this on your server. Or has somebody got a different solution?
Has anyone seen a solution that works with python 2.4?
This script in Perl is very helpful: http://www.lightsphere.com/dev/articles/flash_socket_policy.html
Has anyone tried setting up a Flash Policy Server using Amazon's EC2 service?
My only concern about this wonderful library is that I'm writing my username and password to connect to the database inside my AIR application... How secure is this? How well protected is the source? I know this is definitely a HUGE RISK for Flex applications as anyone can decode the SWF file... but how secure is it in AIR?
@nimnrod Get the information through a webservice call or something on the first initial run and save it in the built-in SQLite db. That way usernames/passwords are not hardcoded, you can change those settings every now and then, and the app can check through the webservice (or whatever datasource you want to use) whether there are new settings.
And what will stop the user who decodes the SWF from doing the same? The AS is executed on the user's machine ... one way or another the information about the login is on the user's machine. So he can see it. Maybe the basic user will not be able to ... but the bad guys are not basic users :)
For security I use Zend AMF to put some layer of protection between client and db. Can anyone provide a use case for this lib instead of remoting? I am genuinely curious.