Security sandbox and accessing multiple servers
I own the domain kitfox.com, and need to have my WebStart application access servlets on my host server. However, I would like to distribute my servlets across many servers so that the load is balanced. I would also like to do this while keeping everything in the security sandbox (ie, I don't want my users altering their permissions).
If I define several subdomains so that apple.kitfox.com, banana.kitfox.com and cherry.kitfox.com point to three different machines, does this violate the security model?
Mark McKay
http://www.kitfox.com
The sandbox restricts outgoing network connections to just the server the application (or applet) was loaded from. So for your app to be able to access apple.kitfox.com it would need to be loaded from apple.kitfox.com. However, the "same" app when loaded from banana.kitfox.com will register as a different app with WebStart.
Similar Messages
-
BitmapData.draw Security Sandbox and LocalTrusted not working?
Hello there, wondering if anyone else is having the same
problem -- I have a LocalTrusted security sandboxType -- and when i
try to access a BitmapData.draw method on a progressive flv, i get
the error message:
SecurityError: Error #2135: Security sandbox violation:
BitmapData.draw: file://file.swf may not access null. RTMP content
cannot be accessed using this API.
I've rechecked my sandbox type a zillion times, as well as
tried putting allow="*" in the crossdomain policy file ....
is this an error in my security settings -- or is
bitmapdata.draw on video objects now "gone"?Could you try this - Open and swf, rightClick - Goto
settings, then click Advanced. On the webPage click on "Global
Security settings panel".
If you don't find your local directory in there, add it and
see if things work?
If not, it would be good if you could post the chunk of code
which is creating problems. -
IPrint secure, DLU and access control
Hi all.
Environment: iPrint 4.20, Novell client 4.91SP1 with pathces, Zen 65SP2
Netware 6.5 SP5 two node cluster.
I just switched to using "high" security for iPrint printers and
immediately stumbled into strange problem.
When I log in as a student (zen 6.5SP2 volatile DLU user) first login
goes fine and novell client passes credentials to iPrint client just
fine. BUT each successive logins with that same account causes printer
login to fail with message "Printer login failed. Do you want to retry".
login also takes very long time to complete. Novell client login goes
thru without problems.
IOW if I do logout-login with same student account printer login fails.
If I login as staff member (no zen DLU) all logins go thru just fine.
I can't see what is wrong in student credentials. If I look at iPrint
settings "passwords"-tab those settings are right.
How to debug what is going on in those failing logins?
Timo PietilJouko Oksanen wrote:
> Timo Pietil wrote:
>> Hi all.
>>
>> Environment: iPrint 4.20, Novell client 4.91SP1 with pathces, Zen
>> 65SP2 Netware 6.5 SP5 two node cluster.
>>
>> I just switched to using "high" security for iPrint printers and
>> immediately stumbled into strange problem.
>>
>> When I log in as a student (zen 6.5SP2 volatile DLU user) first login
>> goes fine and novell client passes credentials to iPrint client just
>> fine. BUT each successive logins with that same account causes printer
>> login to fail with message "Printer login failed. Do you want to
>> retry". login also takes very long time to complete. Novell client
>> login goes thru without problems.
>>
>> IOW if I do logout-login with same student account printer login fails.
>>
>> If I login as staff member (no zen DLU) all logins go thru just fine.
>>
>> I can't see what is wrong in student credentials. If I look at iPrint
>> settings "passwords"-tab those settings are right.
>>
>> How to debug what is going on in those failing logins?
>
> Moi Timo,
>
> Do you mean that the first time when you login as "totally" new (first
> time ever in the pc) DLU user to this workstation everything is ok but
> after second login things start to go wrong?
Yes and no. If I reboot, then login works again just as it should.
> If yes, is there something
> still left behind from volatile user??
hmm... I need to look at that. There shouldn't be of course.
Timo Pietil -
Flash CS5.5: Loading XML-file causes a "Security Sandbox Violation"
Hi,
after upgrading from CS3 to CS5.5, i get a "Security Sandbox Violation" when loading a XML-file. With CS3 everything was fine, but now my file is not working any more. The XML-file and my SWF-file are stored in the same directory and it nether work local nor on the webserver.
I don't know the correct message in english, but flash tells me something like:
"Security Sandbox Violation"
access to file:[]data.xml disconnent - not allowed from file:[]myfile.swf
Why am I not allowed to load an XML-file from the same directory/domain any more? And how can I get my data into my flash-File now?
It doesn't seems to be a Flash-Player-Problem, because an older version with the same code still works. So the problem has to be located in Flash CS5.5
Can anybody help me? Thanks a lot!
SonjaPlease ask such questions on the product specific forums. It is highly doubtful that anyone wil lsee it here.
Mylenium -
Login questions - multiple servers - vpn
My goal is to permit users to login from their home PCs over a Cisco
VPN (IPSec client) without using the Novell client. Servers are
running NetWare 6.5 sp7 with CIFS. Test client is XP. I can login
and access the servers, but I am trying to simplify things.
After the client connects over the VPN, I issued the following
commands:
net use L: \\192.168.1.1\data4
net use N: \\192.168.1.3\apps
I get prompted to login to each server. Is there a way to access
multiple servers with a single login instead?
Is it possible to use the Cisco VPN username and password to
seamlessly login and not get prompted for another username and
password to access my servers?
Thanks for the help.
Regards,
Ken Etter
Novell....it does a server good!On Wed, 24 Feb 2010 18:09:38 GMT, KeN Etter
<kle@_remove_this_msktd.com> wrote:
>After the client connects over the VPN, I issued the following
>commands:
>
>net use L: \\192.168.1.1\data4
>net use N: \\192.168.1.3\apps
>
>I get prompted to login to each server. Is there a way to access
>multiple servers with a single login instead?
>
>Is it possible to use the Cisco VPN username and password to
>seamlessly login and not get prompted for another username and
>password to access my servers?
A little searching solve this. I found this page:
http://www.digitalissues.co.uk/html/...re-smb.html#18
Short answer: If my Windows username and password matches my
eDirectory username and simple password, then I can immediately access
all servers without an additional login and without a login per
server. If they do not match, then I will get a per server prompt to
login.
If anyone knows how to make that per server prompt into a single
login, I would greatly appreciate it.
Regards,
Ken
Novell....it does a server good! -
How to store and access passwords on Keychain?
I would like to know how to securely store and access passwords on Keychain?
This article should answer your questions regarding setting up and using iCloud Keychain: http://9to5mac.com/2013/10/26/how-to-setup-and-use-icloud-keychain-for-mavericks -and-ios-7/
-
How to mirror between the production server and the multiple local servers.
I am currently looking for the best way to correspond between our production server and the multiple local servers. Because the production server is the only server that holds the latest updating applications, and our local servers are located for each developer’s local machines where the all modifications and creations are done. So when the developer locally makes changes for assets or files, he creates a patch archive first, then accesses to the production side Administration console screen and imports them from Application Management screen.
We tried to find a way to see the imported date before (so we know which one has been imported as new.), but there is no show in the Administration console Application Management screen. There is Creation date but it’s set as we initially imported the full archive files, but not patch files. Since between applications have some types of the dependencies (like fragments or image files), what is the best way to keep mirroring between the production server and local servers? Or we should simply not use patch file for updating server?
Thanks,Check out this utility : http://blogs.adobe.com/livecycle/2013/03/adobe-livecycle-configuration-migration-utility.h tml
Thanks,
Wasil -
AIR, Fonts, CS4 and the security sandbox
I have no idea why embedding fonts in CS4 using library->new font includes every european character EXCEPT polish. You have german, french, spanish, norwegian, but not polish. Well, since embedding a font from Flash is the only way to use bitmap fonts in Flex, I had to create a library of external font files, one SWF per font size and style. Such an SWF exposes several functions, such as returning a ready to use pre-formatted textfield, returning the font name (Such as Tahoma) and the font name you actually need to use (such as Tahoma_13pt_st).
I thought I'd need an AIR application to parse through all the fonts (and there are quite a few) extract the neccesary data, such as font size, name and so on and generate an XML file, so that I can load fonts at dynamic.
The first problem I encountered was the security sandbox. A possible solution was to use the loaderInfo.childSandboxBridge. That approach didn't work however, as I was generating plain SWF files from flash CS4. childSandboxBridge is an AIR property, so I had to create an AIR file and try to set the bridge property to a simple number. So I did, but it gave me a
SecurityError: Error #3206: Caller app:/TahomaBold13.swf cannot set LoaderInfo property childSandboxBridge.
Weird. Well, I reverted the file to plain CS4 FPL10 SWF and decided to try another approach. I first loaded the SWF as a FileStream, then put the bytes into Loader.loadBytes. That should take care of security. And it did, however it created another problem.
The font library relies on being able to enumerate the embeded fonts. The SWF's constructor has a function that enumerates all fonts and isolates the font embeded in the SWF, and then extracts it's properties. When launching the SWF by itself, or loading it from another CS4 FPL10 SWF it launches perfectly and enumerates the fonts as it should. However when the SWF is executed from inside AIR, the constructor located in the font file, as well as a function called from the main application upon executing enumerateFonts(false) both give an empty array. Which is quite weird really, as the loaded SWF contains an input TextField with embedded fonts. And I can edit and type stuff in that textfield, even while it's rotated.
I thought this might be an issue of a different flash player version, but I tried to target AIR 1.5 and flash 9, neither worked and both returned no embeded fonts.
Here's the entire source of the mxml air app
<?xml version="1.0" encoding="utf-8"?>
<mx:WindowedApplication xmlns:mx="http://www.adobe.com/2006/mxml" layout="absolute">
<mx:Panel x="0" y="0" width="100%" height="100%" layout="absolute" title="M2C Studio Font Parser Utility">
<mx:VBox x="0" y="0" width="100%" height="100%" paddingRight="10" paddingLeft="10" paddingTop="10" paddingBottom="0">
<mx:HBox x="10" y="10" width="100%" height="95%">
<mx:VBox width="50%" height="100%">
<mx:Label text="Select font directory from filelist below"/>
<mx:FileSystemTree width="100%" height="50%" id="fileTree"/>
<mx:HRule width="100%"/>
<mx:Label text="Fonts list"/>
<mx:Text width="100%" height="50%" id="fontlist"/>
</mx:VBox>
<mx:VRule height="100%"/>
<mx:VBox width="50%" height="100%">
<mx:Label text="XML Output"/>
<mx:TextArea width="100%" height="50%" backgroundColor="#ECE9E9"/>
<mx:Canvas width="100%" height="50%" id="canv">
</mx:Canvas>
</mx:VBox>
</mx:HBox>
<mx:Button label="Generate XML from directory" width="100%" click="handlePress();"/>
</mx:VBox>
</mx:Panel>
<mx:Script>
<![CDATA[
import flash.utils.setInterval;
import com.m2cstudio.archont.utility.fonts.FontLibraryItem;
import com.m2cstudio.archont.utility.fonts.IFontLibraryItem;
import mx.accessibility.AlertAccImpl;
import mx.controls.*;
import mx.events.*;
import mx.controls.Alert;
var rx:RegExp = /^.*\.swf$/;
function handlePress():void
// This also throws an error
//Security.allowDomain("*");
var file:File = fileTree.selectedItem as File;
var aLoad:Array = new Array();
if(!file)
Alert.show("You must select a folder", "Error");
return;
} else if(!file.isDirectory) {
Alert.show("You must select a folder, not a file", "Error");
return;
var aList:Array = file.getDirectoryListing();
for each (var fil:File in aList)
if(!fil.isDirectory)
if(fil.nativePath.match(rx))
// Is swf
var fs:FileStream = new FileStream();
fs.addEventListener(Event.COMPLETE, handleFileStreamLoaded);
fs.openAsync(fil, FileMode.READ);
function handleFileStreamLoaded(e:Event):void
var fs:FileStream = e.target as FileStream;
var ld:Loader = new Loader();
var lc:LoaderContext = new LoaderContext();
var ba:ByteArray = new ByteArray();
lc.allowLoadBytesCodeExecution = true;
fs.readBytes(ba);
fs.close();
ld.contentLoaderInfo.addEventListener(Event.COMPLETE, handleLoaded);
ld.loadBytes(ba, lc);
function handleLoaded(e:Event):void
var cnt:FontLibraryItem = e.target.content as FontLibraryItem;
cnt.rotation=10; // Rotation, just to be sure it's not using system fonts
canv.rawChildren.addChild(cnt);
// This doesn't output anything - neither the main app nor the loaded SWF 'see' any embedded fonts, even though the later uses them!
for each (var f:Font in Font.enumerateFonts(false))
Alert.show(f.fontName, f.fontType);
// This should retrieve the appropriate values but throws an error because the SWF can't grab the Font definition
//Alert.show(cnt.getFontName(), cnt.getFontStyle());
]]>
</mx:Script>
</mx:WindowedApplication>
Here's a screen of what it actually looks like when compiled:
Here's the source of the font library item. Note that the SWF contains only 2 items. A TextField named font with embeded characters and a boolean bt on the first frame.
package com.m2cstudio.archont.utility.fonts
import flash.display.MovieClip;
import flash.text.*;
public dynamic class FontLibraryItem extends MovieClip implements IFontLibraryItem
private var txtFont:TextField;
private var fFont:Font;
public function FontLibraryItem()
super();
// Causes an error - see below why
//init();
public function getFontName():String
return fFont.fontName;
public function getFontType():String
return fFont.fontType;
public function getFontStyle():String
return fFont.fontStyle;
public function getBitmapText():Boolean
return this.bt;
public function getBitmapTextSize():uint
if(this.bt) {
return Number(txtFont.defaultTextFormat.size);
} else {
return 0;
public function hasGlyphs(glyphs:String):Boolean
return fFont.hasGlyphs(glyphs);
public function createTextField():TextField
var tf:TextField = new TextField();
tf.embedFonts = true;
tf.defaultTextFormat = (this.font as TextField).defaultTextFormat;
return tf;
public function init():void
if(this.font) {
txtFont = this.font;
} else {
throw new Error("Document must contain a textfield named 'font' with the embedded font");
var fArr:Array = Font.enumerateFonts(false);
if(fArr.length==0) {
throw new Error("Document does not contain any embeded fonts.");
} else if (fArr.length>1) {
throw new Error("Document must contain not more than one embedded font");
fFont = fArr[0];
I'm hoping some AIR specialists will take a look at this. Frankly I'm stumped. Font support in Flash was always black magic, more or less, so I can only hope this is an issue that can be solved.
Just tell me and I'll provide more source or sceenshots.
Cheers,
-archontI even tried porting the code to Gumbo and running it there - still, no fonts are being enumerated.
If you're too lazy to read the whole above post, here's the problem in one sentence
An SWF that contains a textfield with embedded fonts, when launched by itself succeeds to return the embedded font using Font.enumerateFonts(false), however when loaded using Loader.loadBytes into AIR, it fails to see those fonts even though the textfield in it is displayed and editable.
How do I make the loaded child application and AIR see the embedded font? -
Secure Copy and Paste in Sandboxed mode
Hi,
while working on copy-and-paste of mathematical formulae for our ActivMath learning environment, a web-based one, I, of course, chopped to the problem that sandboxes (be them in Java applets, JNLP, JavaScript, Flash, ...) refuse the access to the clipboard.
That's partially survivable thanks to drag-and-drop...
I realized, however, that the class TransferHandler could be easily adapted to allow a secure copy and paste that would not touch, itself, the system-clipboard hence, should be allowed to sandboxes:
- a copy action can be requested using standard gestures. In a browser, this includes the browser's copy menu-item and related shortcut. In many native components, the shortcut is actually working. Such an action would then trigger trusted code and invoke the handler's createTransferable method and put it into the clipboard.
- similarly a paste action can be requested using standard gestures and invoke the importData method.
Can anyone tell me how insecure that would be ?
thanks
paul
http://www.activemath.org/~paul/So... anybody?
-
Security Sandbox violation bitmapData.draw() cant access null
very strange. I am testing with two different HD streams. One an akamai stream and another one of our clients not on akamai and using an F4M manifest file. I have tried allowing the domain and they have a crossdomain.xml file on their side but i still get this error.
SecurityError: Error #2123: Security sandbox violation: BitmapData.draw: http://web.mobilerider.com/flash/osmflive/OSMF_Live.swf?mediaID=190&vendorID=513&extras=vs :1,skin:osmf_live,muteOn:0,autoplay:1,live:1,showArchive:1,&serviceID=2&jsID=1316213568052 cannot access null. No policy files granted access.
any help would be very appreciated, thanksHello!
This seems to be relevant:
http://forums.adobe.com/message/3759490#3759490 -
Does anyone have a recommended network, hardware and software configuration guide for a Portal installation running with multiple gateways load balanced (ie one URL) that talk to multiple servers?
David,
We've used Resonate (software) to load balance the gateways. It allows
you to group all the gateways under 1 virtual URL and load balance the
incoming connections over each gateway depending on the rules that you
define in Resonate. Look in the SUN portal whitepapers there is one that
talks about it specifically.
As far as load balancing the calls to the portals, the gateways will
automatically load balance across all the portals that they know about
using a simple round-robin rotation. You may be able to use Resonate in
front of the portals but you may need to activate persistance within
Resonate to ensure that the user always ends up on the portal that he
established his initial connection on (if you want that), check with Sun
on this one.
David Broeren wrote:
Recommended configuration for load balanced Portal with load balancer,
multiple gateways and multiple servers.
Does anyone have a recommended network, hardware and software
configuration guide for a Portal installation running with multiple
gateways load balanced (ie one URL) that talk to multiple servers?
Try our New Web Based Forum at http://softwareforum.sun.com
Includes Access to our Product Knowledge Base! -
SecurityError: Error #2123: Security sandbox violation: BitmapData.draw: cannot access
When we try to print the Google Map API for Flash component, it is throwing the Security Sandbox Violation
SecurityError: Error #2123: Security sandbox violation: BitmapData.draw: http://ps6143:8080/aa/XYZ/Main.swf/[[DYNAMIC]]/1 cannot access http://mt1.google.com/vt/lyrs=m@171000000&hl=en&src=api&x=1&y=1&z=1&s=Gali&flc=x3t. No policy files granted access.
at flash.display::BitmapData/draw()
To avoid this error we tried to use the alternate API provided by library. But that also causing cross domain issue as it loading some 3d library internally which is not able to access our application.
SecurityError: Error #2121: Security sandbox violation: BitmapData.draw: http://maps.googleapis.com/mapfiles/lib/map_1_20_10_3d.swf cannot access http://ps6143.persistent.co.in:8080/dv/SiteOptimizer/SiteOptimizer.swf/%5b%5bDYNAMIC%5d%5d /1http://ps6143:8080/aa/XYZ/Main.swf/[[DYNAMIC]]/1. This may be worked around by calling Security.allowDomain.
at flash.display::BitmapData/draw()
Please help us in resolving this issue.
Thanks & Regrds,
Ravi DarjiThere is no redirect... Charles is a web proxy so it will look completely legitimate to the browser.
According to the help, it's getting the access request from the SWF itself and not the crossdomain.xml file:
In the case of a source object other than a loaded bitmap, the source object and (in the case of a Sprite or MovieClip object) all of its child objects must come from the same domain as the object calling the draw() method, or they must be in a SWF file that is accessible to the caller by having called the Security.allowDomain()method.
http://help.adobe.com/en_US/ActionScript/3.0_ProgrammingAS3/WS5b3ccc516d4fbf351e63e3d118a9 b90204-7d1b.html#WS5b3ccc516d4fbf351e63e3d118a9b90204-7c4a
So the default state accessing a SWF on a different domain is protected, unless that SWF allows some or all domains to access it via the Security.allowDomain() method. -
iTunes is telling me that I have not purchased from my iPhone before although I have multiple times, and I don't remember my security questions and there is no option to change them. Any suggestions other than making a new account?
If you create a new Apple ID you won't have access to the media purchased with the Apple ID you are currently using.
Try here > Rescue email address and how to reset Apple ID security questions -
How can multiple users edit and access same ACCESS file
Hello,
We have 2 access files and multiple users needs to edit and access those files.
How can I enable mulitple access but only one user can edit rest of users are in read-only mode for one file and multiple access and edit on the another file.Hi,
You should split your database in a front and backend. Then create two seperate front ends which you can distribute. If you need readonly you can opt for two options, setting the attributes of the file to read only or create a front end with read only forms.
The last one takes a little more work but is safer than setting the attributes to read only because people can change that back themselfs.
Maurice -
I no longer have access to the back up email address I used when I set up my apple ID. I have since forgotten the answers to my security questions and am having a problem making changes to my account. What can I do?
You need to ask Apple to reset your security questions. To do this, click here and pick a method; if that page doesn't list one for your country or you're unable to call, fill out and submit this form.
They wouldn't be security questions if they could be bypassed without Apple verifying your identity.
(114957)
Maybe you are looking for
-
How can I sync only checked items and not the whole album?
I only want say three songs out of an album but it syncs the whole thing. How do I change that?
-
I have installed Lion and have problems to print PDF from prewiev.
I have installed Lion and have problems to print PDF from prewiev. When trying to print Prewiev locks. Anyone out there with the same problem?
-
Sync fails on trabsfer to another computer and 2 android devices.
second computer does not accept my recovery key I can log on to the first computer. Same problem with the 2 Android devices. Second computer on windows 8 Cellphone is Android charge Tablet is Galaxy 7
-
Connecting my iPod to a Honda... quick ?
I am getting a 2006 Civic and it has an MP3 aux jack in the dash board (not the Honda link in the glove box). What do I need to connect my iPod to the aux jack? Thanks iPod mini
-
TTClasses interface for PL/SQL procedure and fetching its results
Hi experts, I am using TimesTen Release 11.2.1.3.0; I created a simple PL/SQL procedure as follows in timesten- Command> create or replace procedure employee(eno in emp.empno%type) is > e_name emp.ename%type; > begin > select ename into e_name from e