Flash Security Policy Solution

Problem:

When studying the flash game Programming Tutorial game instance rush out of the encirclement, the game can run normally after running the client and socket service programs directly. However, after the Flash file is published as a webpage, the game cannot continue to run by copying and modifying the crossdomain. xml file and placing the relevant file in the IIS root directory. When other monitoring tools are used for viewing, the server will receive an error message <policy-file-Request/>.

Cause:

After Adobe Flash Player is upgraded to 9.0.124, due to changes in the security policy, in the socket or xmlsocket application, the original means of loading the security policy through HTTP cannot be used, similar applications must use xmlsocket: // to provide security policies.

Analysis:

The security policy detection process of Flash Player is as follows:

1. First, check whether port 843 of the target server provides a security policy.
2. If 1 does not detect a policy, it will check whether security is used in the event. loadpolicyfile (xmlsocket: //) provides a security policy. If no security policy is detected, use step 1.
3. Check whether the target port of the target server provides a security policy.

If none of the above checks are successful, the socket or xmlsocket rejects connection to the target server.

Solution:

Based on the above analysis, there are three solutions

Method 1:

Bind port 843 to the game server. when listening to the request and forwarding the Security Policy, send the following security policy content:
<Cross-domain-Policy> <site-control permitted-Cross-Domain-policies =/"All/"/> <allow-access-from domain =/"xxx.com/" -ports =/"8999/"/> </Cross-Domain-Policy>/0
Remember to add/0 next to it. Otherwise, flash will think that the data has not been received. Everything is OK.

The official website also provides configuration methods in a specific server environment, which is cumbersome.

Http://www.adobe.com/devnet/flashplayer/articles/socket_policy_files.html

Method 2:

In the xmlsocket derived class of the flash client, security. loadpolicyfile ("xmlsocket: // www.xxx.com: Port") is used to add the server address that provides the security policy. (Of course, it can also be the same machine as the game server. A large game architecture should have a dedicated server, because it can also play a role in load balancing) the content forwarded by the server that provides the security policy should be consistent with that forwarded by method 1.

Method 3:

When the game Server accepts socket binding, it sends the security policy content to the client. I directly modified the server program provided by the tutorial, run the game, and everything is OK. Here is the link.

Modified classes

Complete Solution

 

Game running interface:

 

 

Discussion:

Question 1: What kind of game instances can run normally without being published as Web pages?

A: Check the Messager code and find that the method for loading the server security policy is security. loadpolicyfile ("127.1.1.1/crosadomain. XML "); you will find that it is not" http: // "or" xmlsocket. Game instance communication uses the xmlsocket method, so it must use the socket method to obtain the policy content. "Http: //" is supported before flashplayer9.0, but not later than 9.0. I have also tested the "HTTP" method to obtain the policy content, it does not work. Unless your game is designed based on the HTTP method, but the client must rely on the polling method to obtain data, this method is too flawed and has been gradually eliminated.

Question 2: How does a large web game deploy a policy file?

A: If it is possible to design a large web game, consider supporting multiple flashplay versions as much as possible. It should have crosadomain on the virtual directory. XML policy file, that is, it supports the old HTTP and socket methods. I am not a gaming company. Today I went to "Tank Battle" and tested it. I can download this file. The specific architecture needs answers from professionals. Haha