Loading policy files

Similar Messages

• XMLSocket "Failed to load policy file" error

  I am trying to use an XMLSocket.swf file, and it is not connecting.  Do I need to open up a port on my server?  I am trying to run this on a dedicated remote Windows 2008 server.
  Here is the error from FlashFirebug:
       OK: Root-level SWF loaded: file:///C|/Users/vcaadmin/AppData/Roaming/Mozilla/Firefox/Profiles/70vbx4ys.default/exten sions/flashfirebug%40o%2Dminds.com/chrome/content/flashfirebug.swf
      OK: Root-level SWF loaded: http://speak-tome.com/flash/XMLSocket.swf
      OK: Searching for <allow-access-from> in policy files to authorize data loading from resource at xmlsocket://speak-tome.com:9997 by requestor from http://speak-tome.com/flash/XMLSocket.swf
      Error: Failed to load policy file from xmlsocket://speak-tome.com:9997
      Error: Request for resource at xmlsocket://speak-tome.com:9997 by requestor from http://speak-tome.com/flash/XMLSocket.swf has failed because the server cannot be reached.
  My crossdomain.xml is saved to the root of the web directory and looks like:
      <?xml version="1.0"?>
      <!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
      <cross-domain-policy>
      <site-control permitted-cross-domain-policies="master-only"/>
      <allow-access-from domain="*"/>
      <allow-http-request-headers-from domain="*" headers="SOAPAction"/>
      </cross-domain-policy>
  I notice that both ports 843 and 9997 are closed for my domain (speak-tome.com - 72.167.253.16) when I check using a service such as yougetsignal.com/tools/open-ports.  Do I need to get these ports open to get the policy file to work?

  As a test, I uploaded my Flash/Gaia site into an existing site on my old host.  And although the site actually works in this setting, when I run things in the FlashPlayerDebugger, I'm still getting Security Sandbox Violations - so (as adninjastrator suggested in earlier post), this may have nothing to do with the DNS changes - but perhaps with my setting things up wrong somewhere so that the Flashplayer is trying to access my local computer - maybe??
  Debugger logs gives me this:
  Error: Failed to load policy file from xmlsocket://127.0.0.1:5800
  Error: Request for resource at xmlsocket://127.0.0.1:5800 by requestor from http://recreationofthegods.com/bin/main.swf has failed because the server cannot be reached.
  *** Security Sandbox Violation ***
  So, I've now uploaded the identical bin (which contains all the files for my site) - but I'm getting different behaviors on the two hosts.
  On the new holistic servers, the site won't go past the first page:  www.yourgods.com
  On the 1&1 servers, I still get runtime errors in FlashPlayerDebugger - but the site runs ok - http://www.RecreationOfTheGods.com/bin/index.html
  Posting those links in hopes someone with more experience in these sandbox issues can help steer me in the right direction.

• Signed applets called from javascript - how/where to load policy file?

  I'm running into some apparently well-known problems with signed applets accessing a client machine's hard drive.
  So, I can get things to work if I place the following two lines in my 'local' JDK installation:
  permission java.io.FilePermission "${user.home}/x.properties", "read,write";
  permission java.util.PropertyPermission "user.home", "read";These let me a) read the user's home directory and b) read/write a file that's located there.
  What I don't want to do is edit the java.policy file, but I'm having problems loading a separate policy file. The app server we run with our product is jetty, and I'm assuming I would be passing in the '-Djava.security.policy=='filename' with the other jetty start-up parameters- is this a correct assumption? And, what path do I give for the file, will I need to put it somewhere in the .war file we distribute, or in the JDK installation on the server? If it's on the server, will client machine's know about these extra rights?
  I'd REALLY appreciate any help I could get on this...
  thanks in advance,
  +0^^

  Maybe you didn't realize but my previous post was sarcastically ment:
  "hello SUN security stop bugging me in writhing this malicious program"
  and
  "hello SUN security, I'm a good boy now trust what I'm doing"
  Are in a practical sense exactly the same.
  SUN should either remove the stack check or the doprivileged. The stack check takes up
  valuable resources for nothing since a malicious program can easily circumvent that.
  Your post about a malicious user abusing your (CA) signed applet to ruine someone's
  system is correct, it would not be difficult. A CA signed applet will not even ask a user to
  trust or not. This is one of the reasons we have the usepolicy in affect, but this cannot be
  used on "grandma's old PC" since it's too complicated for users to do such things.
  YOU seem to be the one to blame, not the hacker! (The user accepted YOUR
  certificate!).Actually you are to blame, because you made software that exposes a vonurability
  other people can take advantage of.
  what you can do before calling the doprivileged private method is check the call stack.
  So your signed applet has a public method checking the callstack, if this lookes OK
  that method will call the private doprivileged method.
  Here is the example
  package t;
  import java.util.Properties;
  import java.applet.Applet;
  public class test extends Applet {
           public test(){
                 startingPrivileged();
           public void startingPrivileged(){
                 System.out.println("this is the stack");
                 try{
                      throw new Exception("get the call stack");
                 }catch(Exception e){
                      StackTraceElement stack[] = e.getStackTrace();
                      for (int i=0; i<stack.length; i++) {
                           System.out.println("file: " + stack.getFileName() + " method: " + stack[i].getMethodName() + " class: " + stack[i].getClassName() + " at " + new Integer(i).toString());
                      // this is a really simple check to see if this method was started from the t. package
                      // a good hacker can just create it's own package named t and take advantage of this method
                      // if this method was started from the same package there is no reason to make this method
                      // public, protected would work.
                      // there must be a better way to check if this method was called by "your" or "trusted" code
                      if(stack[1].getClassName().startsWith("t.")){
                           dosomePrivileged();
            private void dosomePrivileged(){
                 System.out.println("this is the method that does privileged stuff");
       public static void main(String args[]) {
            new test();

• Catching policy file errors in try/catch

  Hi,
  I have a socket policy server that works just fine.
  If however the page is loaded and the socket policy server isn't running, I want to be able to catch the error.
  Here is an example:
  try{
       Security.loadPolicyFile("xmlsocket://127.0.0.1:9876");
       stomp.connect("127.0.0.1", 61613, ch);//causes an attempt at socket communication
  } catch (e) {
       Alert.show("a real error","title");
  } finally {
       trace("finally....");
  When this runs, I never see the Alert. I do see the "finally...." message in my console., and then the actual error messages:
  Error: Failed to load policy file from xmlsocket://127.0.0.1:9876
  Error: Request for resource at xmlsocket://127.0.0.1:61613 by requestor from xxxx has failed because the server cannot be reached.
  *** Security Sandbox Violation ***
  Connection to 127.0.0.1:61613 halted - not permitted from xxxxx
  Error #2044: Unhandled securityError:. text=Error #2048: Security sandbox violation: xxx cannot load data from 127.0.0.1:61613.
          at org.codehaus.stomp::Stomp()[C:\Users\wischusen\Documents\FlexBuilderProjects\Stomp\org\co dehaus\stomp\Stomp.as:52]
  I just want to catch the error and prompt the user to turn on their socket server. How do I do that?

  Okay, that sort of worked.
  It's not an ideal solution because I am using a third party library (STOMP) and I don't want to edit that library. I don't have control over the private socket that it uses internally.
  So what I did was just create a socket solely for the purpose of trying to catch this error.
  Unfortunately I have to wait 22 seconds for the alert to pop up. This might have something to do with the timeout referenced here:
  http://livedocs.adobe.com/flex/3/langref/flash/system/Security.html#loadPolicyFile()
  But that's only supposed to be three seconds.
  It's weird because the player knows right away that the socket server is down--it tells me so in the log (actually--it does so on my work machine but not at home--perhaps due to different versions of the debug player). But I can't hook into that apparently.
  Here is what I am doing, BTW:
  Security.loadPolicyFile("xmlsocket://127.0.0.1:9876");
  var sock:Socket = new Socket();
  sock.addEventListener(IOErrorEvent.NETWORK_ERROR, errorHandler);
  sock.addEventListener(IOErrorEvent.IO_ERROR, errorHandler);
  sock.addEventListener(ErrorEvent.ERROR, errorHandler);
  sock.addEventListener(SecurityErrorEvent.SECURITY_ERROR, errorHandler);
  sock.connect("127.0.0.1", 61613);
  private function errorHandler(event:ErrorEvent):void {
       trace("in error handler: " + event.text)
       Alert.show("in error handler: " + event.text, "title");
  Output of the trace is:
  in error handler: Error #2048: Security sandbox violation: http://xxx cannot load data from 127.0.0.1:61613.
  Now I would like to know why I have to wait 22 seconds for that message. Is there some other event I can listen for that might fire sooner?
  By the way, you can try this code yourself. It does not require that a socket server be running--in fact, you won't see the alert if there is a socket server running.
  Thanks for your help.
  Dan

• Load XML file from addon domain without cross-domain Policy file

  Hello.
  Assuming that there are two addon domains on the same server: /public_html/domain1.com       and      /public_html/domain2.com
  I try to load XML file from domain2.com into domain1.com without using cross-domain policy file (since it doesn’t work on xml files in my case).
  So the idea is to use php file in order to load XML and read it back to flash.
  I’ve found an interesting scripts that seems to do the job but unfortunately I can't get it to work. In my opinion there is somewhere problem with AS3 part. Please take a look.
  Here are the AS3/PHP scripts:
  AS3 (.swf in www.domain1.com):
  // location of the xml that you would like to load, full http address
  var xmlLoc:String = "http://www.domain2.com/MyFile.xml";
  // location of the php xml grabber file, in relation to the .swf
  var phpLoc:String = "loadXML.php";
  var xml:XML;
  var loader:URLLoader = new URLLoader();
  var request:URLRequest = new URLRequest(phpLoc+"?location="+escape(xmlLoc) );
  loader.addEventListener(Event.COMPLETE, onXMLLoaded);
  loader.addEventListener(IOErrorEvent.IO_ERROR, onIOErrorHandler);
  loader.load(request);
  function onIOErrorHandler(e:IOErrorEvent):void {
      trace("There was an error with the xml file "+e);
  function onXMLLoaded(e:Event):void {
      trace("the rss feed has been loaded");
      xml = new XML(loader.data);
      // set to string, since it is passed back from php as an object
      xml = XML(xml.toString());
      xml_txt.text = xml;
  PHP (loadXML.php in www.domain1.com):
  <?php
  header("Content-type: text/xml");
  $location = "";
  if(isset($_GET["location"])) {
      $location = $_GET["location"];
      $location = urldecode($location);
  $xml_string = getData($location);
  // pass the url encoded vars back to Flash
  echo $xml_string;
  //cURLs a URL and returns it
  function getData($query) {
      // create curl resource
      $ch = curl_init();
      // cURL url
      curl_setopt($ch, CURLOPT_URL, $query);
      //Set some necessary params for using CURL
      curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
      curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
     //Execute the curl function, and decode the returned JSON data
      $result = curl_exec($ch);
      return $result;
      // close curl resource to free up system resources
      curl_close($ch);
  ?>

  I think you might be right about permissions/settings on the server for php. Unfortunately I'm not allowed to adjust them.
  So I wrote my own script - this time I used file path instead of http address of the XML file.  It works fine in my case.
  Here it is:
  XML file on domain2.com:
  <?xml version="1.0" encoding="UTF-8"?>
  <gallery>
      <image imagePath="galleries/gallery_1/images/1.jpg" thumbPath="galleries/gallery_1/thumbs/1.jpg" file_name= "1"> </image>
      <image imagePath="galleries/gallery_1/images/2.jpg" thumbPath="galleries/gallery_1/thumbs/2.jpg" file_name= "2"> </image>
      <image imagePath="galleries/gallery_1/images/3.jpg" thumbPath="galleries/gallery_1/thumbs/3.jpg" file_name= "3"> </image>
  </gallery>
  swf  on domain1.com:
  var imagesXML:XML;
  var variables:URLVariables = new URLVariables();
  var varURL:URLRequest = new URLRequest("MyPHPfile.php");
  varURL.method = URLRequestMethod.POST;
  varURL.data = variables;
  var MyLoader:URLLoader = new URLLoader;
  MyLoader.dataFormat =URLLoaderDataFormat.VARIABLES;
  MyLoader.addEventListener(Event.COMPLETE, XMLDone);
  MyLoader.load(varURL);
  function XMLDone(event:Event):void {
      var imported_XML:Object = event.target.data.imported_XML;
      imagesXML = new XML(imported_XML);
     MyTextfield_1.text = imagesXML;
     MyTextfield_2.text = imagesXML.image[0].attribute("thumbPath");  // sample reference to attribute "thumbPath" of the first element
  php file on domain1.com:
  <?php
  $xml_file = simplexml_load_file('../../domain2.com/galleries/gallery_1/MyXMLfile.xml');  // directory to XML file on the same server
  $imported_XML = $xml_file->asXML();
  print "imported_XML=" . $imported_XML;
  ?>
  Regards
  PS: for those who read the above discussion: the first and the second script work but you must test which one is better in your situation. The first script will also work between two domains on different servers. No cross domain policy file needed.

• [svn:osmf:] 15114: Don't check policy file when loading SWFs.

  Revision: 15114
  Revision: 15114
  Author:   [email protected]
  Date:     2010-03-29 12:24:58 -0700 (Mon, 29 Mar 2010)
  Log Message:
  Don't check policy file when loading SWFs.  Don't import local SWFs into current security domain.
  Modified Paths:
      osmf/trunk/framework/OSMF/org/osmf/elements/ImageLoader.as
      osmf/trunk/framework/OSMF/org/osmf/elements/SWFLoader.as
      osmf/trunk/framework/OSMF/org/osmf/elements/loaderClasses/LoaderUtils.as

  If you managed to get to the point where the applet container is created (the "gray square"), but the form never appears then you can assume one or more of the following has occurred:
  1. The JRE crashed after startup. Many times, but not always, if such a crash occurs it will leave a JRE dump file on the desktop. Its content may help to identify the cause.
  2. The Forms runtime crashed at startup. Many times, but not always, a Forms dump file will be created on the server. Its content may help to identify the cause.
  3. The Forms runtime was unable to start at all. This can occur on unix systems when/if there is a resource or permissions issue. One of the more common causes is if the file descriptor (nofiles) value is set too low.
  4. The applet is actually running, but has attempted to display a dialog box and is awaiting your acknowledgement, but the box was wrongfully sent to the background behind the browser. A similar issue was reported in one of the JRE 1.6.0_xx series, however I don't recall which one. Uninstall your current version and install the latest which is 1.6.0_27
  There are other possibilities, but these are most common.
  I would recommend the following:
  1. Uninstall any JRE older than 1.6.0_27. Reboot. Install 1.6.0_27
  2. Set networkRetries=5 in formsweb.cfg
  3. Set FORMS_TIMEOUT to 15 (default). Setting to a high value as you have is not recommended and is rarely necessary.
  4. Verify that the test form works. For example:
  http://machine:port/forms/frmservlet?form=test
  5. It appears that you are trying to use WU_TEST_106.fmx. Instead, download an updated version of this file (the name has also changed)
  http://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/196249.zip
  6. Ensure that you have compiled webutil.pll into .plx. Do not use an old version of this file. The installation will include one. If not, check for it in an installation that also includes the Builders.

• Error while loading WSDL File in Eclipse

  Hi Experts
  We are getting the following Error while Loading WSDL File in Eclipse.
  IWAB0399E Error in generating Java from WSDL:  WSDLException (at /wsdl:definitions/wsdl:portType/wsp:Policy): faultCode=INVALID_WSDL: Encountered unexpected element 'Policy'.:
  Please advice how to resolve it.
  Regards
  Prashant

  It seems that your WSDL is not well defined, you need to test your wsdl via WS-I compliance in order to check if the wsdl is well created, you can do this via soapui, just create a new project, import the wsdl file or set the URL, left click in the project and select check WS-I compliance, this tool will test your wsdl and gives you a detailed report of what might be the problem.

• File Access with unsigned Applet through editing the java.policy file

  I'am starting to lose my hair on this...
  I am trying to get an applet to run so that it can access the file system to move files on my local maschin. Because this applet is only running on my VM i can change the java.policy to avoid the signing of the applet.
  first of all, if i wrote in the java.policy file
  grant {
    permission java.security.AllPermission; 
  };everything is working perfekt.
  But I have not the intention to open the gates for any applet out there, so i want to limit the access to my applet. With every of the following versions I get at best an
  java.security.AccessControlException: access denied (java.io.FilePermission...
  My Setup
  My Java Version: jre1.6.0_02
  My applet is located unter the url
  http://admin.mydomain.com/applet.jar
  In Html i tryed the following different versions of loading the applet - none worked
  <applet codebase="http://admin.mydomain.com/" name="shortcut" code="start.class" archive="applet.jar" width="0" height="0"></applet>
  <applet codebase="http://admin.mydomain.com" name="shortcut" code="start.class" archive="applet.jar" width="0" height="0"></applet>
  <applet name="shortcut" code="start.class" archive="http://admin.mydomain.com/applet.jar" width="0" height="0"></applet>in java.policy i tryed following versions with every html applet load version
  grant codeBase "http://admin.x-press.de/-" {
    permission java.security.AllPermission; 
  grant codeBase "http://admin.x-press.de/+" {
    permission java.security.AllPermission; 
  grant codeBase "http://admin.x-press.de/applet.jar" {
    permission java.security.AllPermission; 
  };why is it with
  grant {
    permission java.security.AllPermission; 
  };working, and not with the other versions?
  i am almost bold now, please try to save my last hair from falling down.
  any suggestion would be nice
  thanks, feyyaz
  Message was edited by:
  feyyazdogu

  I read the mentioned documentation and your right, some of my versions were wrong, but after reading the doumentation again i came to following result which should had worked but didn't.
  java.policy
  grant codeBase "http://admin.mydomain.com/*" {
    permission java.security.AllPermission;
  HTML File
  <applet codebase="http://admin.mydomain.com/" name="shortcut" code="start.class" archive="applet.jar" height="0" width="0"></applet>if I am entering http://admin.mydomain.com/applet.jar i can download the jar, so the archive lays in the correct directory.
  what i am doing wrong? do i have to change an additional file somewhere else?

• Issues using multiple load-config files with ant

  Hello,
  Not sure if this is the correct place...
  I am creating an ant build script to compile our flex application. I am trying to use the default flex-config by doing <load-config filename="${flex.sdkPath}/frameworks/flex-config.xml"/> and project specific config file add the datavisualization module and any other libraries we might need in the future. I am trying to do this as I don't want to modify the flex-config.xml
  The issue I keep running into is I get a compiler error saying "unable to locate specified base class 'spark.comonents.application..". if I place the custome load-config file above the adobe default flex-config it gives errors stating it the "SeriesSlide" type
  <mxmlc file="${project.sourcePath}/FBApp.mxml"
           output="${project.output.binaryPath}/${project.output.fileName}.swf"
           locale="en_US"
           static-link-runtime-shared-libraries="false"
           static-rsls="false"
           use-network="true"
           accessible="false"
           debug="true">
           <load-config filename="${flex.sdkPath}/frameworks/flex-config.xml"/>
           <load-config filename="C:/Hudson/.hudson/jobs/FB 2.0 Flex/workspace/FBApp/FB-config.xml"/>
           <source-path path-element="${flex.sdkPath}/frameworks/libs"/>
           <source-path path-element="${project.sourcePath}"/>
           <library-path dir="${flex.path}/sdks/${flex.sdkVersion}/frameworks/locale/en_US"
              includes="*"/>
           <library-path dir="${project.libraryPath}"
              includes="*"/>
           <keep-as3-metadata name="Protected"/>
        </mxmlc>
  the following is my FB-config.xml
  <?xml version="1.0"?>
  <flex-config>
     <runtime-shared-library-path>
  <path-element>C:\Program Files\Adobe\Adobe Flash Builder 4 Plug-in\sdks\4.1.0\frameworks\libs/datavisualization.swc</path-element>
  <rsl-url>http://fpdownload.adobe.com/pub/swz/flex/4.1.0.16076/datavisualization_4.1.0.16076.swz</rsl-url>
  <policy-file-url>http://fpdownload.adobe.com/pub/swz/crossdomain.xml</policy-file-url>
  <rsl-url>datavisualization_4.1.0.16076.swz</rsl-url>
  <policy-file-url>.</policy-file-url>
     </runtime-shared-library-path>
  </flex-config>
  It seems to be that the first "load-config" ant runs into is the only one that gets used. When looking around the internet I have multiple cases of where people say they have successfully used multiple load-config files.
  This one in particular.
  http://flashdevelop.org/community/viewtopic.php?f=13&t=5629&view=previous
  If I had to guess on what was wrong I believe my FB-config.xml file is incorrect but I can't find an example of anyones custom configuration file.
  Any guidance would be apprecaited.

  I am embarrassed to say that your solution answered my question.
  I was about 10 min away from rewriting my Ant script to just use the mxmlc.exe directly instead of the mxmlc ant tag. I kept running into the -flex-config+=YourConfig.xml for the command line option but never saw the xml variant.
  http://blog.flexexamples.com/2008/12/21/using-a-custom-flex-configxml-file-in-flex-builder -3/
  http://livedocs.adobe.com/flex/3/html/help.html?content=configuring_environment_3.html
  Does Flex have any documenation that shows all the different tags that are available like the Ant documenation?
  http://ant.apache.org/manual/Tasks/delete.html
  Thanks at ton.

• Import a policy file in java 1.5

  Hi:
  The quesiton I am about to ask might not really relate to java programming...but I have no idea where else I can get help. I am an university student and my school use a online java submission system. In order to hand in my java programs, I need to set up a new policy so that I am able to up load the files. However, school hasn't been able to help people who use java 1.5 to fix the problem. Can somebody kindly help me solve the problem. Thank you for your time.
  here is the policy file which I have no idea where to put it
  grant codeBase "https://www.scs.carleton.ca/raven/-" {
  permission java.io.FilePermission "<<ALL FILES>>", "read, write, delete";
  permission java.util.PropertyPermission "*", "read";
  grant codeBase "https://raven.scs.carleton.ca/-" {
  permission java.io.FilePermission "<<ALL FILES>>", "read, write, delete";
  permission java.util.PropertyPermission "*", "read";
  };

  You can put it anywhere you like.
  Then in the command line where you start the application that needs to use it you do this:java -Djava.security.policy='whereveryouputit' ...Unless the application that needs to use it loads its security policies in some other way.

• What is this error in Event Viewer policy file "C:\Program Files (x86)\Citrix\ICA Client\Microsoft.VC80.MFCLOC.MANIFEST

  Hi,
  One of my users is using Citrix Receiver on windows 8.1
  Below is something I encountered while looking at her event viewer on her PC.
  Please advise if MFC80.DLL is corrupted or missing and how I can fix this.
  Activation context generation failed for "C:\Program Files (x86)\Citrix\ICA Client\MFC80.DLL".Error in manifest or policy file "C:\Program Files (x86)\Citrix\ICA
  Client\Microsoft.VC80.MFCLOC.MANIFEST" on line 5. Component identity found in manifest does not match the identity of the component requested. Reference is Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0".
  Definition is Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762". Please use sxstrace.exe for detailed diagnosis.
  Thank you.
  Regards,
  Joshua Tay

  Hello Joshua Tay,
  Please take a look at the following thread similar to this issue.
  http://discussions.citrix.com/topic/326071-receiver-34-windows-8-sidebyside-error-starts-loading-then-exits/
  Please note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
  As this issue is relate to Citrix, to receive better support, it is recommended to ask in the related forum.
  Best regards,
  Fangzhou CHEN
  Fangzhou CHEN
  TechNet Community Support

• Cross domain policy file and BitmapData

  Hey guys and gals, I'm having an issue with a Security error
  when trying to access photos from an external site. I have a client
  who is at siteA.com, who wants to load in photos from siteB.com,
  siteC.com, and probably 100 other sites. He has permission to do so
  from the other sites, but doesn't want to go through all the
  trouble of asking each site to post a cross-domain policy file.
  Please correct me if I'm wrong, but the way I understand it is, if
  you want to simply load an image into a Loader object within a swf,
  you're ok, but if you want to access the BitmapData, you will then
  get a security error? My snippet of code that I believe is causing
  the security error is
  public function imageLoaded(e:Event):void {
  var image:Bitmap = Bitmap(e.target.loader.content);
  image.smoothing = true;
  imageContainer.addChild(e.target.loader);
  As you can tell, the reason why I want to access the Bitmap
  itself is to apply smoothing. That is my main concern, I want to be
  able to apply smooth transitions to these pictures that are loaded
  in from external sites. My main goal is to load images externally,
  then apply smooth transitions, so if you know of a way to get
  around the security violations, that would be great. The only
  work-around we have for this is to write a script that will load
  all the images from the external sites onto the local server, as
  this will be less work than getting the cross-domain policy file on
  each server (if that's what it takes). Thanks in advance for
  anybody who can shed some light on the subject.

  If I understand you correctly, a 'helper' swf would be on the
  site where the images are held, much like a cross-domain policy
  file? I don't understand how that would be much different than
  getting the external sites to add a cross-domain policy file on
  their server. It sounds easier to just throw the cross-domain
  policy file on the external site's server with '*' for the path of
  allowed directories to load images from. I'm pretty new to the
  cross-domain security issue, so I'm not sure. I don't understand
  why it's a security risk to access the pixels of an image either...
  anybody know about that? Just trying to figure out where to go from
  here on this project. Thanks for the reply GWD, still looking for
  some more feedback.

• Flex caching policy files in error?

  Hello,
  I am using the XMLSocket() class to send and receive XML content from a java socket program.  If I start the flex applicaion before the java app comes online then I get a SecurityErrorEvent.SECURITY_ERROR - which is OK.  But I have retry logic in Flex such that it will continue to try and connect (I am using a timer to retry).  Trouble is that once I start the java applicaion I still get the same SECURITY_ERROR, even when the socket and policy file are available.
  So it would seem that Flex is caching the URL of my XMLSocket() with no policy file, because when it first tryed to load the policy file there was no response.  And it never tries to load the policy file again.  Even if I try to force it with the Security.loadPolicyFile call it still wont pick it up.
  My java program returns the policy file from the XMLSocket directly.  Also it seems that if I stop the java program after flex has made the initial connection then the Flex applicaion can recover (so it seems that it is very importaint that flex have the policy file available the first time it is requested, as it gets cached for the life of the Flex runtime thereafter).
  Seems like a bug to me...  I can work arround this by ensuring the initial connection is OK before I let the user into the applicaion, but I would think Flex could fix this.

  I had to uninstall all of FLEX and the cfeclipse items
  including cleaning out the registry (PC) then reinstall. it is such
  a shame because cfeclipse is a very nice plug-in, I hate having
  another window for my CF editing.

• Signed applets (are policy files needed!)

  I have experienced on a number of different machines that a signed applet that the client trusts (via clicking on yes to the prompt asking to trust the applet), is able to access the local resources with NO policy file on the client machine. I'm using JRE 1.4.1_02
  Is this the expected behavior?
  I sure hope it is because how in the world can you install applications to many clients and update their policy file? you can't via the web! BUT why am I reading that you have to have a policy file even if you sign an applet. I want to get rid of using Netscape security model but I can not update many client machine policy files... Please help!!! thanks. Is signing an applet all you have to do to access local machines, I sure hope so! Thanks in advance.

  I've done some more research specifically a very good article at http://developer.java.sun.com/developer/technicalArticles/Security/applets/index.html. I'll try to highlight the more interesting comments that I found. At least for the JRE 1.3 there appears to be a new class loader, sun.plugin.security.PluginClassLoader that allows a signed jar file (once trusted by the client) to have access to local resources.
  Code signed using the private key of the signer can be run on client machines once the public key corresponding to the signer is deemed as trusted on the respective machine.
  Applet security in browsers strives to prevent untrusted applets from performing potentially dangerous operations, while simultaneously allowing optimal access to trusted applets.
  There is no simply way to deploy and use customized policy files, a policy will have to be set by files based on the JRE installation. Customized class loaders or security managers cannot be installed easily.
  Policy files are difficult or at least not very straightforward for normal users, which could be thousands of machines where an applet is deployed.
  The java plug-in (I believe its 1.3 and later) provides a workaround although its recommended to use policy files wherever practical and applicable. (This implies to me that using the plug-in, all that is required is to sign the jar file to have access to local resources).
  RSA-signed applets can be deployed using the Java plug-in. (which can run in an identical way for Netscape and IE).
  In order for a plug-in enhanced browser to trust an applet and grant it all privileges or a set of fine-grained permissions (as specified in a J2EE policy file), the user has to preconfigure his or her cache of trusted signer certificates (the .keystore file in JRE 1.3) to add the applet's signer to it. However, this solution does not scale well if the applet needs to be deployed on thousands of client machines, and may not always be feasible because users may not know in advance who signed the applet that they are trying to run. A NEW CLASS LOADER, sun.plugin.security.PluginClassLoader in the Java Plug-in 1.3, OVERCOMES THE LIMITATIONS MENTIONED ABOVE.
  I hope this helps, I've been looking for this solution for quite some time, trying to understand why singed applets work with no policy files for version 1.4... Talk to you later, Jay.

• Granting different permissions to different codebases : policy file problem

  Hi all. I'm having a bit of a problem with policy files and granting different persmissions to different codebases. What I have at the moment is a server app that copies a class file from the client to a specified directory on the server, and then dynamically loads and runs that class. This all works fine, but obviously as user submitted code is going to be run on the server I want to restrict what they are allowed to do. My app is going to be bundled up in a single jar file, and the directory that the client code is being copied to a subdirectory of the app installtion (not that this should make much difference). What i want to do is grant all permissions to my code in the jar file and resrict the permssions granted to code in the strategies directory. I assumed i would just be able to do this using my own policy file, but at the moment i'm not having much luck.
  Directory structure:
  c:/project/code/
  |
  |-labyrinth.jar
  |-strategies/
  Contents of labyrinth.policy:
  grant codeBase "file:../code/labyrinth.jar" {
  permission java.security.AllPermission;
  Command line arguments:
  java -Djava.security.manager -Djava.security.policy==./labyrinth.policy -classpath .;./labyrinth.jar;./strategies/;%CLASSPATH%; labyrinth.LabyrinthServer
  I've tried specifiying the absolute path to the jar file in the policy file as well as the relative path, i've tried including -Xbootclasspath/a and appending the jar file. All I seem to be able to manage though is either granting all permissions system wide, including the strategies dir, or none and getting security exceptions within my code. Anyone tried doing anything similair or got any idea where I might be going wrong? Any help would be appreciated as its really starting to doing my head in.
  TIA. Matt.

  Did you try putting a slash at the beginning of your "file" specification? e.g., instead of saying
  grant codeBase "file:../code/labyrinth.jar" {
  permission java.security.AllPermission;
  say
  grant codeBase "file:/../code/labyrinth.jar" {
  permission java.security.AllPermission;
  Hope this helps.