Security Permissions Violation in my application

Similar Messages

• Security Sandbox Violation when calling a remote service from a worker

  From my application, I make calls to a BlazeDS server, that works fine.
  I added a worker that calls the same services on the same server. But then, only for the calls from the worker, I have a Security Sandbox Violation error. I launch the application from FB in debug mode.
  This is the message :
  Error: [strict] Ignoring policy file at http://xxxxxxxxxxxx/crossdomain.xml due to incorrect syntax.  See http://www.adobe.com/go/strict_policy_files to fix this problem.
  *** Security Sandbox Violation ***
  Connection to http://xxxxxxxxxxxxxx/appstore-admin/messagebroker/amfpolling halted - not permitted from file:///D:/Projects/appstoreClientsNext/MultiAppstoreAdmin/bin-debug/MultiAppstoreAdmin.swf
  Error: Request for resource at http://xxxxxxxxxxxxx/appstore-admin/messagebroker/amfpolling by requestor from file:///D:/Projects/appstoreClientsNext/MultiAppstoreAdmin/bin-debug/MultiAppstoreAdmin.swf is denied due to lack of policy file permissions.
  What should I do to allow the worker to make remote calls ?

  I made some progress on this. There are two different cases :
  1) The service you want to access has a crossdomain.xml file
  All the workers can access the service without a problem.
  2) The service you want to access doesn't have a crossdomain.xml file
  Whether you launch from FB in debug mode or you put your application on the same server you are trying to access, only the primordial worker will access the service, the other workers will encounter a security error.
  I believe this is a bug. Shouldn't a worker have the same access privileges as the primordial worker ?

• How to resolve security sandbox violation (Error#2148) in Flex 3 on XP?

  Hi,
  When I tried to access an image on c:\ (on XP), I get the following error:
  *** Security Sandbox Violation ***
  Connection to file:///C:\DBFiles\3.jpg halted - not permitted from http://localhost/test-debug/test.swf
  -- Remote SWFs may not access local files.SecurityError: Error #2148: SWF file http://localhost/ullmanphp-debug/ullmanphp.swf cannot access local resource file:///C:\DBFiles\INDSprintOrgChart.pptx\3.jpg. Only local-with-filesystem and trusted local SWF files may access local resources.
  at flash.display::Loader/_load()
  at flash.display::Loader/load()
  It looks like some sort of mismatch on security settings. I have done the following so far (based on what I got by googling....)
  1. Flex comipler setting additional compiler arguments:  -use-network=false
  2. I have added a crossdomain.xml on the source directory with these lines...
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*"/>
  <allow-http-request-headers-from domain="*" headers="SOAPAction"/>
  However, error is still appearing. How do I fix this for testing on my local machine. I cannot move to a webserver at this time.
  Thanks!.

  How do I set Security.sandboxType related to flash player? When I try to see it in my application through debugger it says "remote". I think I need to set it to one of the following from the adobe manual pages...
  Security.sandboxType has one of the following values:
  remote (Security.REMOTE)—This file is from an Internet URL and operates under domain-based sandbox rules.
  localWithFile (Security.LOCAL_WITH_FILE)—This file is a local file, has not been trusted by the user, and it is not a SWF file that was published with a networking designation. The file may read from local data sources but may not communicate with the Internet.
  localWithNetwork (Security.LOCAL_WITH_NETWORK)—This SWF file is a local file, has not been trusted by the user, and was published with a networking designation. The SWF file can communicate with the Internet but cannot read from local data sources.
  localTrusted (Security.LOCAL_TRUSTED)—This file is a local file and has been trusted by the user, using either the Flash Player Settings Manager or a FlashPlayerTrust configuration file. The file can read from local data sources and communicate with the Internet.
  application (Security.APPLICATION)—This file is running in an AIR application, and it was installed with the package (AIR file) for that application. By default, files in the AIR application sandbox can cross-script any file from any domain (although files outside the AIR application sandbox may not be permitted to cross-script the AIR file). By default, files in the AIR application sandbox can load content and data from any domain.
  Any input on how to set it would be greatly appreciated. Thanks!

• Security Sandbox violation, opening links in Flash player

  Hi,
  I have a swf content and its content served from a content management server say for eg, http://www9.abc.com into the html file which is served from http://qwww9.abc.com The links embedded in the flash were not working, when these links are clicked I get this error when tried with Flash debugger player.
  *** Security Sandbox Violation ***SecurityDomain 'http://qwww9.abc.com/' tried to access incompatible context 'https://www9.abc.com/sample.swf'
  I had set a crossdomain policy file in a custom location in the content management server for this issue, but with the Flash player 9,0,115,0 this stopped working due to default policy change to "master-only". I will not be able to have this policy file in the root folder of the content management server or have the policy set in the HTTP response header.
  Is there anyother solution for this issue, for having the links work without setting the crossdomain policy file?
  Thanks in advance...

  How do I set Security.sandboxType related to flash player? When I try to see it in my application through debugger it says "remote". I think I need to set it to one of the following from the adobe manual pages...
  Security.sandboxType has one of the following values:
  remote (Security.REMOTE)—This file is from an Internet URL and operates under domain-based sandbox rules.
  localWithFile (Security.LOCAL_WITH_FILE)—This file is a local file, has not been trusted by the user, and it is not a SWF file that was published with a networking designation. The file may read from local data sources but may not communicate with the Internet.
  localWithNetwork (Security.LOCAL_WITH_NETWORK)—This SWF file is a local file, has not been trusted by the user, and was published with a networking designation. The SWF file can communicate with the Internet but cannot read from local data sources.
  localTrusted (Security.LOCAL_TRUSTED)—This file is a local file and has been trusted by the user, using either the Flash Player Settings Manager or a FlashPlayerTrust configuration file. The file can read from local data sources and communicate with the Internet.
  application (Security.APPLICATION)—This file is running in an AIR application, and it was installed with the package (AIR file) for that application. By default, files in the AIR application sandbox can cross-script any file from any domain (although files outside the AIR application sandbox may not be permitted to cross-script the AIR file). By default, files in the AIR application sandbox can load content and data from any domain.
  Any input on how to set it would be greatly appreciated. Thanks!

• Security Permissions for simple file transfer

  Hey All
  I'm transferring a file using RMI as part of an enhancement. I want to restrict where the file can be transferred to and thus will use a security manager (On the destination object). However the object its being transferred to shares the same JVM with another quite complex application that currently doesn't need a security manager.
  Will I need to set a whole host of permissions for this application even though I only want to restrict file writing?
  I suspect this is the case just want confirmation.

  Hi,
  In the code which receives the file being transferred, you might try calling System.setSecurityManager(new SecurityManager()). Use the configured Java policy to limit where the file can be written. After calling setSecurityManager(), save the file. Before returning to the rest of the application, call System.setSecurityManager(null). Ensure that your code has setSecurityManager permission or this call will fail. If this idea doesn't work, you could simply use a security manager for the whole application, and just grant AllPermission to everything except the file receiving code. Everyone says AllPermission is dangerous, but it's no more dangerous than running with no security manager at all :)

• Youtube: security sandbox violation

  Does anybody have a recipe for loading the AS3 chromeless player into a Flex application such that you don't get the 'incompatible context' errors constantly?
  *** Security Sandbox Violation ***
  SecurityDomain 'http://core-dev.thismoment.com/client/Demo.html' tried to access incompatible context 'http://www.youtube.com/apiplayer?version=3'
  I've been experimenting all day with  Security.allowDomain, Security.allowInsecureDomain, and  LoaderContext, but I haven't found the magic combination yet. The  main thing I want to do is be able to track the mouse wherever it goes on the screen.  Right now, if I mouse over the YouTube player, mouse events stop getting sent to the application, and I get that sandbox violation error in the debug log.  It works fine if I run the swf from a file: URL - it just doesn't work when it's coming over http, so obviously there is some sort of Flash security model thing kicking in.

  Doors only get opened from the inside otherwise all the bad guys would come
  in.
  Only the loaded SWF can allow access from the loading SWF.

• Fine grained security permissions

  I think fine grained security permissions are needed. If I use all permissions on a signed jar, that would grant too many permissions to the application. If I do not use all permissions, I can not use System.setSecurityManager(myOwnSecurityManager).
  When all permissions are used, after my own security manager is set, the old security policy appears to be valid still.
  Any comments? How can I easily apply my own policy to a WebStart based application?

  I did additional tests. It looks that when the security manager is activated, even the simplest JSP application is no longer working. It is simple to simulate (jdev 10.1.2 + ias 9.0.4.0.0):
  1. Create a new Web project containing a jsp page
  2. Deploy the application to the AS
  3. Test the JSP page. It works.
  4. Activate the security manager (add -Djava.security.manager into the Java options of the j2ee container)
  5. Restart the j2ee container and test. Crash
  Any idea?
  thanks

• Error #2048: Security sandbox violation: Urgent Checked the forum none of the solutions worked

  Hi all,
      I am new to flex . I am trying to connect to my localhost using the XMLSocket like below
      var xmlsock:XMLSocket = new XMLSocket(); // Line #187
      xmlsock.connect(127.0.0.1, 8080);
      xmlsock.send(xml);
    But after a Minute I get this below error
    Error #2044: Unhandled securityError:. text=Error #2048: Security sandbox violation: app:/main.swf cannot load data from 127.0.0.1:8080.
      at main/handleLogin()[C:\Documents and Settings\Vulcantech\My Documents\Flex Builder 3\src\main.mxml:187]
      at flash.events::EventDispatcher/dispatchEventFunction()
      at flash.events::EventDispatcher/dispatchEvent()
      at mx.rpc.http.mxml::HTTPService/http://www.adobe.com/2006/flex/mx/internal::dispatchRpcEvent()[C:\autobuild\3.2.0\framewor ks\projects\rpc\src\mx\rpc\http\mxml\HTTPService.as:290]
      at mx.rpc::AbstractInvoker/http://www.adobe.com/2006/flex/mx/internal::resultHandler()[C:\autobuild\3.2.0\frameworks\ projects\rpc\src\mx\rpc\AbstractInvoker.as:193]
      at mx.rpc::Responder/result()[C:\autobuild\3.2.0\frameworks\projects\rpc\src\mx\rpc\Responde r.as:43]
      at mx.rpc::AsyncRequest/acknowledge()[C:\autobuild\3.2.0\frameworks\projects\rpc\src\mx\rpc\ AsyncRequest.as:74]
      at DirectHTTPMessageResponder/completeHandler()[C:\autobuild\3.2.0\frameworks\projects\rpc\s rc\mx\messaging\channels\DirectHTTPChannel.as:403]
      at flash.events::EventDispatcher/dispatchEventFunction()
      at flash.events::EventDispatcher/dispatchEvent()
      at flash.net::URLLoader/onComplete()
  Thanks in advance
  Balaji

  Hi Alex,
     Thanks for the Link . I saw the link and have done the same steps as said in that . I have created a crossdomain.xml file in my 127.0.0.1 and i can also see that the policy being accepted in the  "C:\Documents and Settings\username\Application Data\Macromedia\Flash Player\Logs" . I have pasted the lines in policyfiles.txt below.
      OK: Root-level SWF loaded: app:/main.swf
      OK: Policy file accepted: http://127.0.0.1/crossdomain.xml
     But I still get that sandbox violation error. I have tried the below solutions and none of them worked
         1) security.allowDomain("*");
         2) crossdomain xml in the webroot of the accessing server like below
                      <?xml version="1.0"?>
                       <!DOCTYPE cross-domain-policy SYSTEM “http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd”> 
                       <cross-domain-policy>
                          <site-control permitted-cross-domain-
  policies="all" />
                           <allow-access-from domain="*" to-ports="*" />
                     </cross-domain-policy>
         3) I saw that adding the Application path in the  "C:\Documents and Settings\username\Application Data\Flash Player\#Security\FlashPlayerTrust\flexbuilder.cfg" will remove the sandbox violation but this also didnt work        
         4)  "Project - Properties - Flex Compiler - Additional compiler arguments:" add   -use-network=true  and then recompile and post to server
         5) I have also checked the policy file logs
  Thanks in advance
  Balaji

• SecurityError: Error #2123: Security sandbox violation: BitmapData.draw: cannot access

  When we try to print the Google Map API for Flash component, it is throwing the Security Sandbox Violation
        SecurityError: Error #2123: Security sandbox violation: BitmapData.draw: http://ps6143:8080/aa/XYZ/Main.swf/[[DYNAMIC]]/1 cannot access  http://mt1.google.com/vt/lyrs=m@171000000&hl=en&src=api&x=1&y=1&z=1&s=Gali&flc=x3t. No policy files granted access.
  at flash.display::BitmapData/draw()
  To avoid this error we tried to use the alternate API provided by library. But that also causing cross domain issue as it loading some 3d library internally which is not able to access our application.
  SecurityError: Error #2121: Security sandbox violation: BitmapData.draw: http://maps.googleapis.com/mapfiles/lib/map_1_20_10_3d.swf cannot access http://ps6143.persistent.co.in:8080/dv/SiteOptimizer/SiteOptimizer.swf/%5b%5bDYNAMIC%5d%5d /1http://ps6143:8080/aa/XYZ/Main.swf/[[DYNAMIC]]/1. This may be worked around by calling Security.allowDomain.
  at flash.display::BitmapData/draw()
  Please help us in resolving this issue.
  Thanks & Regrds,
  Ravi Darji

  There is no redirect... Charles is a web proxy so it will look completely legitimate to the browser.
  According to the help, it's getting the access request from the SWF itself and not the crossdomain.xml file:
  In the case of a source object other than a loaded bitmap, the source object and (in the case of a Sprite or MovieClip object) all of its child objects must come from the same domain as the object calling the draw() method, or they must be in a SWF file that is accessible to the caller by having called the Security.allowDomain()method.
  http://help.adobe.com/en_US/ActionScript/3.0_ProgrammingAS3/WS5b3ccc516d4fbf351e63e3d118a9 b90204-7d1b.html#WS5b3ccc516d4fbf351e63e3d118a9b90204-7c4a
  So the default state accessing a SWF on a different domain is protected, unless that SWF allows some or all domains to access it via the Security.allowDomain() method.

• Local-with-networking sandbox. (Security Sandbox Violation)

  Hi
  I am developing an application for Android devices.
  where I am facing Security Sandbox Violation issue. not getting any proper solution plz help..
  I have main.swf (included in apk) on device and main.swf download abc.swf from server and save it to device(app-storage).
  after downloaded, main.swf loads abc.swf in it, abc.swf need to connect to internet to retrieves data from www.example.com
  main.swf is not allowing abc.swf to connect with internet and giving this error..
  *** Security Sandbox Violation ***
  Connection to http://www.example.com/data.xml halted - not permitted from app-storage://abc.swf
  -- Untrusted local SWFs may not contact the Internet.
  SecurityError: Error #2028: Local-with-filesystem SWF file app-storage:/abc.swf cannot access Internet URL http://www.example.com/data.xml.
  I have keep crossdomain.xml on www.example.com/crossdomain.xml
  the xml has these parameter..
  <cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*"/>
  </cross-domain-policy>
  plz help what i am doing wrong??

  Thank you for replying
  Yes this is necessary to download the abc.swf to local, because this app can work offline.
  I have tried to load abc.swf direct from server. It’s working properly.
  But as per requirement we need to save them on locally.
  what should I do? plz suggest any better way.
  thanks

• That old chestnut: *** Security Sandbox Violation *** clogging the debug trace

  Hi,
  I am attempting to debug a project for Flash Mobile and getting very irritated by *** Security Sandbox Violation *** warnings whenever I move, touch or interact with the application in any way whatsoever. These typically fire two or three _PAGES_ of warnings for a simple drag operation... Because there are so many of these warnings, the debug trace is effectively redundant and useless unless I actively insert a manual break point immediately after the traces I want to view - fine for a comms operation, not so useful when attempting to debug coordinates for a drag operation.
  The cause, obviously, is that I have loaded external content for display in a SWFLoader component...
  Because I am in AIR for mobile, I cannot access Security to allow the domain and crossdomain from the content provider is ignored or not loaded.
  I have found a number of references to this ranging from very recent to several years ago, such as this one which indicates a) the trace is a bug and b) something was being done about it: http://forums.adobe.com/thread/576999
  I cannot find any reference to a fix ever being implemented and the trace issue is driving me nuts.
  Please, please, please can somebody direct me to a workaround to hide this? I've tried all kinds of disabling for mouse events, keyboard events, mouse children etc.
  Thanks,
  Overwhelmed-in-the-traces of Dublin

  Is it bad form to bump?
  G

• Security sandbox violation: BitmapData.draw on CloudFront/S3.

  I'm using Cloudfront/AS3 to stream some video in RTMP.
  When I try to do a Bitmap.draw, I get this error:
  [Fault] exception, information=SecurityError: Error #2123: Security sandbox violation: BitmapData.draw: [my_url] cannot access unknown URL. No policy files granted access.
  Since there is no Application.xml, I can't change the <VideoSampleAccess />.
  My crossdomain.xml is available.
  <cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/> 
  <allow-access-from domain="*"/>
  <allow-http-request-headers-from domain="*" headers="SOAPAction"/>
           </cross-domain-policy>
  My bucket policy is:
    "Version": "2008-10-17",
    "Statement": [
        "Sid": "AddPerm",
        "Effect": "Allow",
        "Principal": {
          "AWS": "*"
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::[my url]/*",
        "Condition": {}
  And this is my CORS configuration:
  <CORSConfiguration>
      <CORSRule>
          <AllowedOrigin>*</AllowedOrigin>
          <AllowedMethod>GET</AllowedMethod>
          <MaxAgeSeconds>3000</MaxAgeSeconds>
          <AllowedHeader>Authorization</AllowedHeader>
      </CORSRule>
  </CORSConfiguration>
  Not sure what I must change to give myself access.
  Thanks
  Martin

  If you don't have access to the server - you will not be able to accomplish BitmapData.draw() on the video or any of its parents. The policy error refers to streaming server side policy. If you look into RTMP traffic - you will see at what point security request goes.
  I don't know what range of services Amazon cloud offers but I could imagine that, since they do offer pretty granular access to application instances, at some level it is possible to gain access to the server or engage their support to help you. I may be wrong though.

• Day 1 Ex. 3 Help! Error: Security Sandbox Violation

  When I run the solution code in Flex Builder, I get a ***
  Security Sandbox Violation *** message when debugging. Although,
  when I changed my default browser to Safari, everything seemed to
  work fine. Also, when I go directly to the bin-debug folder and
  opened the "AdobeODT.html" file, the data from the xml file loads
  properly. I played around with the "crossdomain.xml" solutions I've
  been finding on the net, but couldn't get it to work. Anyone else
  running into this problem? Any help would be greatly appreciated.
  Thanks.
  Running:
  Mac OS X 10.5.6
  Flex Builder 3
  FireFox (current)
  Safari (current)
  Opera (current)

  Hi everybody who is experiencing this same problem. A little
  research online directed me to the following page
  http://www.jetbrains.net/jira/browse/IDEA-21996.
  Which contains a good explanation why this is happening:
  quote:
  A SWF file can access one type of external resource only,
  either local or over a network; it cannot access both types. You
  determine the type of access allowed by the SWF file by using the
  use-network flag when you compile your application. When
  use-network flag is set to false, you can access resources in the
  local filesystem, but not over the network. The default value is
  true, which allows you to access resources over the network, but
  not in the local filesystem.
  So a sollution for this problem is:
  quote:
  you may specify the following string in "Additional compiler
  options" at "Flex Compiler Settings" tab: -use-network=false
  Hope this helps all of you experiencing this problem.

• SAP CPS Security Permissions

  Dear All,
  I checked our Netweaver log and find following messages:
  User XXXX does not have AccessSchedulerBusiness permission: java.security.AccessControlException: No authorization
  Category: /Applications/Scheduler
  Place: com.redwood.scheduler.security.impl.sap.ume.UMEUser
  Application: redwood.com/scheduler-ear
  Username | ACCESS.ERROR | null | | Permission=[(com.redwood.scheduler.security.permissions.SchedulerAccessPermission business)]
  Category: /System/Security/Audit
  Place: com.sap.security.core.util.SecurityAudit 
  Application: redwood.com/scheduler-ear
  (Username =my Username)
  These are my userroles in SAP Netweaver UME:
    scheduler-user Einfacher Zugriff, sieht keine Objekte, Ist Basis für andere Rollen. UME-Datenbank
    scheduler-isolation-administrator Create/Edit/Delete Isolation Groups and add users to these UME-Datenbank
    scheduler-administrator Kann alle Aktionen im SAP CPS ausführen UME-Datenbank
  and here my userroles in SAP CPS
  Redwood System     Administrator     
  Redwood System     BAG:9:F:Scheduler_Manager
  Redwood System     scheduler administrator     
  Redwood System     scheduler user     
  Redwood System     BAG:1:F:Scheduler_Manager_Isolation     
  Redwood System     scheduler isolation administrator     
  Redwood System     scheduler_administrator
  Redwood System     scheduler it user     
  We use SAP CPS Build: M33.42-54458
  Anyone an idea?
  Kind regards
  Marc

  "User XXXX does not have AccessSchedulerBusiness permission: java.security.AccessControlException: No authorization"
  "Username | ACCESS.ERROR | null | | Permission=[(com.redwood.scheduler.security.permissions.SchedulerAccessPermission business)]"
  Errors such as the above normal and should not be any reason for concern. CPS has support for many more SAP standard roles now and in this situation CPS asks the UME if the user has these roles, the NW Java UME then logs a message if the user does not have the requested roles. This error is specifically logged when the user has no business user permissions.
  You can ignore these default trace entries. These standard roles are part of CPS, but they do NOT show in the CPS UI until you have assigned them in the UME to a user and that user has logged into CPS.
  Rgds,
  David

• Air app, Rest service, Security sandbox violation

  Hi All,
    I wrote an app a couple of years ago using flex 3 that connects to a number of remote web services and does various things.
  This worked fine.
  Now I have been asked by the customer to update the app as it stopped working at some point.
  I am trying to use the resthttpservice library to do a PUT operation, but I am getting the following error when I try and create a socket to the remote server:
  Error #2048: Security sandbox violation: app:/main.swf cannot load data from http://my.host:8182
  Now, it's been a while since I've done anything with flex so I am rusty. But this error is usually fixed by having a crossdomains.xml file on the remote server. But it was my understanding that this was only required when one's app was running from within the browser and that desktop applications are not effected.
  Can anyone clarify this for me? It seems that there were changes made to the flash player in version 10 that might have changed this.
  I am very puzzled at this point!
  thanks for any help!

  These articles discuss security changes between FP 9 and 10:
  http://www.adobe.com/devnet/flashplayer/articles/fplayer10_security_changes.html
  http://www.adobe.com/devnet/flashplayer/articles/fplayer9-10_security.html
  What is impacted?
  This change can potentially affect any SWF file accessing cross-domain content. This change affects SWF files of all versions played in Flash Player 10 and later. This change affects all non-app content in Adobe AIR (however, AIR app content itself is unaffected).
  What do I need to do?
  Read the article: http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html