Flash Security Policy Solutions

A lot of people in the process of dealing with security policy problems, I also summed up some experience for your reference. In Flash Player 9.0.124.0 and later versions, the socket policy file is required for any socket connection. That is, a socket policy file is required on the target host regardless of which port is connected, even if the port on the same host that provides the SWF file is connected. Connection steps:

0. The file system does not request policy files, whether below or above 1024 ports, that are not requested on a network basis.
1. first send a null-terminated <policy-file-request/> message, check the server 843 port for Security policy files, the policy file format is:
<cross-domain-policy>
<allow-access-from domain= "*" to-ports= "80-9000"/>
</cross-domain-policy>
When the policy file is sent back, it is necessary to end with 0, if the 843 port in 3 seconds did not request to the policy file or the To-ports configured port does not allow links, then break the link throw securityerror, this is the Flash initiative.
2. If your client socket or Xmlsocket connection is set Security.loadpolicyfile ("xmlsocket://Service Address: Application Port"), connect your application target port to request security policy files. Requests and responses are not set as above, and are not requested. The request was made before the Connect was invoked.
3. If you are HTTP request way to set Security.loadpolicyfile ("http://Service Address/crossdomain.xml "), crossdomain.xml the contents of the file as above, placed in the site root directory on the line. For example, Mop'sHttp://www.mop.com/crossdomain.xml

Solution 1: use Adobe official files directly on the server's 843 port to establish a service, so the fastest response, but for the deployment of the application is a problemhttp://www.adobe.com/devnet/flashplayer/articles/socket_policy_files.html

Solution 2: The client must add Security.loadpolicyfile ("xmlsocket://Service Address: Application Port"), handle on the private protocol on the server application port, the general protocol is length + type + data, This determines the length of the 0x3c70 type 0x6c69, handling the message alone, but still has an impact on its own private protocol processing.
Why is this length and type look at the diagram:

Solution 3: handle 843 ports separately on service applications, and split the services from other applications:

2. //Security Policy Services
4. Public void startpolicyserver () throws ioexception{
6. Ioacceptor acceptor = New   Niosocketacceptor ();
8. Acceptor.sethandler (new Policyserverhandler ());
10. Acceptor.bind ( new inetsocketaddress (843));
12. System.out.println ("Security Policy Service Listening port: 843");
14. }   
16. //Other application services   
18. ..................   
20. ..................   
22.   
24.   
26. //individual security policy processor
28. Public class policyserverhandler extends iohandleradapter {
30. //22 bytes +0 for 1 bytes
32. String security_quest = "<policy-file-request/>";
34. //End with 0
36. String policystr = "<cross-domain-policy>rn<allow-access-from   To-ports= ' "80-9000" ' domain= ' "*" "/>rn </cross-domain-policy>rn";
38. private final Logger log = Logger.getlogger (Policyserverhandler. class   . GetName ());
40.        
42. public void Messagereceived (iosession session, object< /c22> message )
44. throws Exception {
46. Iobuffer processbuf = (iobuffer) session.getattribute ("Processbuf");
48. Processbuf.put ((iobuffer) message);
50. Processbuf.flip ();
52.                        
54. if(Getrequest (processbuf)) {
56. byte[] reps = policystr.getbytes ("UTF-8");
58. Iobuffer RB = Iobuffer.allocate (reps.length);
60. rb.put (reps); //There are also putstring methods   
62. Rb.flip ();
64. Session.write (RB); //Send back   
66. Log.info ("Send Policy");
68.         }   
70.     }   
72.        
74. //Get the security request string
76. private Boolean getrequest (Iobuffer buf) {
78. string req = new string(Buf.array ());
80. if (Req.indexof (security_quest)!=-1) {
82. return true;
84.          }   
86. return false;
88.     }   
90. @Override
92. public void Messagesent (iosession session, Object message ) throws Exception {
94. Session.close (true);
96.     }   
98.   
100. @Override
102. public void sessionclosed (Iosession session) throws Exception {
104. Super. sessionclosed (session);
106. Session.removeattribute ("Processbuf");
108.     }   
110.   
112. @Override
114. public void sessioncreated (Iosession session) throws Exception {
116. Super. sessioncreated (session);
118. Iobuffer processbuf = iobuffer.allocate (64);
120. Session.setattribute ("Processbuf", Processbuf);
122.     }   
124.   
126. }

Note:

1 mina2.x compared to 1.x more efficient, abandoned the original Btyebuffer, wrote a new Iobuffer, for the following reasons:
It doesn ' t provide useful getters and putters such as fill, get/putstring, and Get/putasciiint () enough.
It is difficult to write variable-length the data due to its fixed capacity
2 Demux under the Demuxingprotocolcodecfactory and Messagedecoder functions more perfect, decodable judge whether can parse the data, decode parse the actual data, in handling the private agreement is simpler
3 FLASH10 Socket Class New Add Timeout property indicates the number of milliseconds to wait when establishing a connection