SWF Jitters on drupal site - crossdomain.xml
I've been working on a mapping application for a client. The swf I've created references a xml that provides names for mc's and listeners. The xml also has info that populates text boxes when clicked on.
I'd been hosting the working version of this swf on our website (drupal based) where I worked on changes and tested it. It worked fine in this location and still is functioning well
http://wildlands.org/node/683
When I sent a copy for my clients to post on their website, we ran into a few problems. First, there was a crossdomain issue and we had to create a crossdomain.xml and place it in their site's root. Once we did this, the app worked but became jittery (a problem i cannot replicate on my site). The client is using the same version of drupal and the same flashnode module.
http://www.gallatinwrp.org/content/testflash
Does anyone know where I could start to begin troubleshooting this? It's strange that this does not occur on my site. I also never had to create a crossdomain.xml and place it in our site's root.
thanks in advance,
j
the easiest way to avoid cross-domain issues, is to use a local executable (like a php file) and have that executable load your cross-domain assets and pass them to your local swf.
otherwise, you must correct your crossdomain.xml file. to start, you need a cross-domain meta policy file that is in the host server's root directory. if you don't have access to the root directory, you don't control that server and you are not allowed to place policy files on it. (see above solution.)
Similar Messages
-
Web services and crossdomain.xml HELP
Hello
I am using the web services connector to consume a service it
all works
fine in flash however in the browser it fails
I can see it trying to load crossdomain.xml at the domain of
the WS
provider this is despite my putting:
System.security.loadPolicyFile("
http://dev.chatham.site/crossdomain.xml");
frankly I am at a loss as to how to make this work I have
tried.
var allowpath = "
http://www.postcoderwebsoap.co.uk";
System.security.allowDomain(allowpath);
how the hell do you let the connector connect?
any insight would be greatly apreciated
Richtjacobs01 wrote:
Hi all,
This is a follow-up to the question I posted and answered myself yesterday.
I have created a web service that returns Hebrew words in a string format of an XML document. This all appears to be working fine at this point. The only problem is that when I'm debugging in NetBeans, certain hebrew characters/words (note: some characters / words work!) xerces gives me an invalid utf-8 string (byte 1 of 2) exception in the display of the SOAP response - not the response itself, but I think in whatever netbeans is doing to display it. Not sure i follow. Are you referring to the debugger screens where the IDE shows variables/stacks etc? If so, i would say not to worry too much. IDE's are not perfect.
I have tried testing the strings I am returning by themselves - xerces can parse when I save them into a file and load. So it seems like the problem is just with the >SOAP response / with netBeans.
I understand that returning XML within a SOAP container could then be screwing up the parsing. Any thoughts as to why certain words and not others? Is there any way to fix this, and perhaps more importantly - is it important to fix this?Did you test this in a production like environment? If so, i would say its just a minor annoyance. -
Crossdomain.xml file not being called by the SWF
Hi,
I'm serving an swf file compiled using flex builder 3.2 through plain HTTP, the SWF file calls a service in the same domain through HTTPS, as such, I put the following file in the root directory of my web server:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
</cross-domain-policy>
and name it crossdomain.xml
When the service is invoked, I get the following error: [RPC Fault faultString="Security error accessing url" faultCode="Channel.Security.Error" faultDetail="Destination: DefaultHTTP"]
When I check the access log files of my web server (Apache), there's no entry for crossdomain.xml (it is not being requested), why?
When I serve the SWF through HTTPs it works OK ... any ideas?
I have tried in several machines (different browsers, different versions of Flash player) and no success.I am also experiencing the exact same problem. I'm not able to change the crossdomain.xml file located in the root directory and am going to try creating a new policy file in a sub directory. The problem I'm having is that my web service is called from a virtual path and I do not know where to save this new policy file.
Have you tried to load in a specific policy file?
Security.loadPolicyFile( "http://yourdomain.com/policyFile.xml" );
Also, you may want to check which sandbox your swf file is in. flash.system.Security.sandboxType. This could be another cause to the error. My swf file is in the "remote" sandbox. -
Crossdomain.xml and Reporting Services
Hi,
I'm trying to get my Flex application to call a webservice on a remote Reporting Services instance, but am running up against insummountable problems with the Flash Player's cross-site scripting security.
Due to the way that Reporting Services works, there is no root folder (i.e. http://theserver/ doesn't actually exist anywhere in the filesystem) - so we cannot have a master policy file at that location.
However, we have been able - through extensive fiddling of the SSRS web.config - to get an XML and/or ASPX file into the http://myserver/ReportServer/ subfolder and have the "X-Permitted-Cross-Domain-Policies: all" HTTP header returned along with the content.
We are then calling Security.loadPolicyFile("http://theserver/ReportServer/crossdomain.xml") before we try and start calling the WebService.
We are then able to load the WebService description (GET /ReportServer/ReportService2005.asmx?wsdl). However, when we then try to make the actual call to the webservice - which is a HTTP POST of XML data to the same URL - /ReportServer/ReportService2005.asmx - we get the following errors in the Flex debugger (and the Flash Player log file):
Warning: Failed to load policy file from http://theserver/crossdomain.xml
Error: Request for resource at http://theserver/ReportServer/ReportService2005.asmx by requestor from http://localhost/modules/ReportsModule.swf is denied due to lack of policy file permissions.
*** Security Sandbox Violation ***
Are GET and POST requests handled differently, or is there something more sinister going on here? Can anyone think of a way to proceed in this investigation, apart from just giving up on Flash's ability to do anything cross-site, and writing our own Server-Side proxy for everything!
regards
RichardSounds like the update for Flash 8 may help.
-
Crossdomain.xml for cooliris and iweb
Hi,
I have been trying to embed a Cooliris wall in a HTML snippet in one of my iWeb pages. So far I have been successful to do that with Cooliris generic feed and flickr API feed. However, when I try to use a feed for my photos on my mobile web site, it tells me that I need the crossdomain.xml file in the root of my webserver. I have created this file in my iDisk->Web->Sites folder but it still fails to display the wall. My feed is good as I have validated it with feedvalidator.org so I wonder if this crossdomain.xml file should go anywhere else.
Has anyone has successfully embedded a Cooliris wall using a iWeb feed? I'd be curious how they did that. Or if anyone else has an idea of what I should do to resolve this issue.
Thanks,
J. TerrazasI was able to embed the demo Cooliris Wall in a test page by adding the code provided at the site:
<object id="o" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="570" height="338"><param name="movie" value="http://apps.cooliris.com/embed/cooliris.swf?feed=api%3A%2F%2Fwww.flickr. com%2F" /><param name="allowFullScreen" value="true" /><param name="allowScriptAccess" value="always" /><embed type="application/x-shockwave-flash" src="http://apps.cooliris.com/embed/cooliris.swf?feed=api%3A%2F%2Fwww.flickr.co m%2F" width="570" height="338" allowFullScreen="true" allowScriptAccess="always" /></object>
I don't know is your code is similar buy you can view the results here.
OT -
Security error accessing url with crossdomain.xml in InDesign FlexUI
I'm evaluating Flex as a UI component in an InDesign script. Part of what it needs to do involves retrieving some data from a web server to be displayed in a datagrid. I've written a server running on localhost that will provide this data. Everything works fine when I run the component from Flash Builder or from the HTML wrapper page that is generated during the release build, but once I copy the .swf to the InDesign scripts folder and load it as part of a ScriptUI component, I get a fault response ("security error accessing url") when connecting to the server. I'm running this bit of code in from my Flex client:
var h:HTTPService = new HTTPService();
h.url = "http://localhost:8080/elements";
h.method = "GET";
h.addEventListener("result", getElementsResult);
h.addEventListener("fault", getElementsFault);
h.send();
From what I've read, I may need a crossdomain.xml file at the root of my host, so I've added that to the server and can see that it is being accessed whenever the flex component attempts to connect to the service.
My crossdomain.xml file is:
<?xml version="1.0" ?>
<!DOCTYPE cross-domain-policy SYSTEM 'http://www.adobe.com/xml/dtds/cross-domain-policy.dtd'>
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>
which seems to be correct, from what I understand. I've also tried quite a few other variations (setting explicit site-control policies, etc.). I'm quite new to Flex/Flash and I'm basically stuck at this point. Where might I be going wrong?I think sleeping on this one helped... I found that if I serve the .swf from my web server then everything works out fine. Loading it from the local filesystem seems to have been the problem.
-
Httpservice to localhost doesn't work in Flex4... Even with crossdomain.xml
So, this was working before I recompiled with Flex4, (In Flex 3.5) and now I can't get the following to work....
Story:
I'm using httpservice in flex like:
<mx:HTTPService id="getConfig" url="http://localhost/parser.php" method="POST" showBusyCursor="true" resultFormat="e4x" result="xmlresultHandler(event)" fault="faultHandler(event)" />
Everything is in my root directory on my web server. When run in debug or directly from flashbuilder, the call works fine. If I run a release build, and FTP the release to /var/www (my root), and try to browse to the server, the website pulls up, and the swf file runs, but I always get a
Fault:Channel.Security.Error
FaultString:'Security error accessing url'
faultDetail:'Destination:DefaultHTTP'
when it trys to read the httpservice.
I do have a crossdomain.xml file in my /var/www (webroot) folder with what I see as super permissive settings.... Below:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" to-ports="*" />
<site-control permitted-cross-domain-policies="all" />
<allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>
Any help would be GREATLY appreciated.Thanks for the info Flex harUI,
So I tried bringing up the 3 files (crossdomain.xml, main.swf, and parser.php) from a browser and they call exist and are reachable.
So I get the localhost vs. absolute address this. That makes sense. So I recoded the httpservice call to url="http://10.101.50.60/parser.php". Which is the actual fully qualified address in this case (There is no DNS server), and what I'm pulling up in the browser is "http://10.101.50.60/index.html". So after making this change, I can still access and have everything working in Flash builder, but again, when I standalone compile and upload the main.swf to the var/www directory and pull it up in the browser via http://10.101.50.60/main.swf. I get "Security error accessing URL". So basiclly, same thing.
Spent two days on it now..... -
How can I serve crossdomain.xml file on a specific port?
Let me introduce my problem step by step:
I was using a socket connection on the address www.mydomain.com:1925 to provide a chat service for my users. When I moved to cloudflare, I could not connect to port 1925 directly because of the fact that my requests were reaching my origin server over cloudflare and the port was changing.
How did I solve it? I created a subdomain chat.mydomain.com whose DNS settings point to my origin server not cloudflare. I bypassed cloudflare by this way and I connected my chat service by using chat.mydomain.com:1925 on the browser. So far so good.
Here is the problem. I am also using Flash and AS3. It is the core of my game on the site. Chat is working on html and my game in flash is in some part of my website. In flash, I was sending scores of players using again a socket connection on www.mydomain.com:1925 by a different namespace.(Since swf's host and url's host matched, I didn't have any problem I think).Since I have changed the domain to chat.mydomain.com:1925, Flash started to request a crossdomain.xml on chat.mydomain.com:1925. There is a crossdomain.xml file on chat.mydomain.com however I cannot serve it from chat.mydomain.com:1925. Here is my code:
Security.loadPolicyFile("https://chat.mydomain.com/crossdomain.xml");
var urlLoader:URLLoader = new URLLoader ();
var url:String = "https://chat.mydomain.com:1925/socket.io/1/";
var request:URLRequest = new URLRequest(url);
request.method = URLRequestMethod.POST;
urlLoader.dataFormat = URLLoaderDataFormat.TEXT;
urlLoader.addEventListener(Event.COMPLETE, completeHandler);
urlLoader.addEventListener(IOErrorEvent.IO_ERROR,ioErrorHandler);
urlLoader.load(request);
Since flash cannot find crossdomain.xml by getting 404, the requests in my code do not work. How can I solve this problem? How can I use the origin chat.mysite.com:1925?You're going to have to host it in a way that lets you serve HTTP/S content (at least the crossdomain.xml) on port 80 or 443 respectively.
The Flash Player Security Whitepaper has an excellent breakdown of the requirements for crossdomain policy stuff:
White paper: Adobe Flash Player 10 security | Adobe Developer Connection -
I have a rss reader builded and its working perfectly offline, it gets all the rss xml i want.
now i put the site online to test out , now it seems that nothing much happening, except the rss feed from cnn itself is working, rest just dont....
I dont get any errors or whatsoever, just nothing is loaded when i clicking on it.
now have been reseacrching and come across on the crossdomain policies >< which is kinda new to me..
I loaded it up, but still nothing happening...
i have this crossdomain.xml made.
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all" />
<allow-access-from domain="http://www.norea.nl/Norea/Metanavigatie/RSS" />
</cross-domain-policy>
my questions are follows:
1. Is this the solution for me? or is it something else that bugs me?
2. do I put this on my root folder on the server or can I place it under the FOlder where the actual SWF file is located?
3. do i put on in the allow-access-from domain http://www.norea.nl/Norea/Metanavigatie/RSS/36846 or
feed://www.norea.nl/Norea/Metanavigatie/RSS/36846 or
http://www.norea.nl or
http://www.norea.nl/Norea/Metanavigatie/RSS
am using ac3 - player 10 - cs4 prof
thanks in advance!The crossdomain.xml file needs to go on the domain that's hosting the RSS feed (ie, norea.nl), not the domain that's hosting the swf. So if you have 2 domains:
www.a.com - hosting the RSS feed
www.b.com - hosting the swf
The the crossdomain.xml file goes on www.a.com and would look like:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all" />
<allow-access-from domain="http://www.b.com" />
</cross-domain-policy>
or, if you wanted to allow any domain to access the RSS feed, do this:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all" />
<allow-access-from domain="*" />
</cross-domain-policy> -
Crossdomain.xml with Flash player 9.0.115.0
Hi gurus,
I have just spent the best part of a day wading through the
new security features of Flash Player 9.0.115.0. I use flash.socket
library, so I have discovered that error message I've been getting
will get worse, ie., next version of the Flash Player may not even
connect. So I got the good oil from
here.
I have written a crossdomain.xml file that looks like this
(it's in the www root):
<?xml version="1.0"?>
<cross-domain-policy>
<site-control
permitted-cross-domain-policies="master-only"/>
<allow-access-from domain="192.168.5.201"
to-ports="7700"/>
</cross-domain-policy>
Problem is that the flash player adds the follwing line to
the \Logs\policyFiles.txt it generates:
Warning: Domain 192.168.5.201 does not specify a meta-policy.
Applying default meta-policy 'all'. This configuration is
deprecated. See
http://www.adobe.com/go/strict_policy_files
to fix this problem.
From my reading I have specified a meta-policy with the line:
<site-control
permitted-cross-domain-policies="master-only"/>
So my question is why can't it find the meta-policy?kcell,
thanks for the reply. Actually you are a bit ahead of me. I
have a single web-server and I'm not actually trying to cross
domains! However, the security advice says (page 4 of the link I
gave in my original post)
"A URL policy file authorizes data loading from its own HTTP,
HTTPS, or FTP server, whereas a socket policy file authorizes
socket connections to its own host."
So because I'm using a socket connection I still need a
crossdomain.xml. For this sockect connection I am going to open up
port 843 (as Adobe recommends) on my web-server for this policy to
be loaded when calling flash.socket.connect(...).
However, that isn't actually my problem. What I've also done,
I think, is added a line to my crossdomain.xml file that will
define a meta-policy, to prevent clients from other domains
accessing my server (also recommended by Adobe). The line is:
<site-control
permitted-cross-domain-policies="master-only"/>, but I don't
think my SWF is reading the file because I get that error message:
Warning: Domain 192.168.5.201 does not specify a meta-policy.
Applying default meta-policy 'all'. This configuration is
deprecated. See
http://www.adobe.com/go/strict_policy_files
to fix this problem.
Sory about the excessive waffle! -
OS = Windows 7
When I visit a site like youtube whith private browsing enabled and with the add-on named "shockwave flash" in firefox add-on list installed and activate the flashplayer by going to a video the following files are created in the folder C:\Users\MyUserName\AppData\Local\Temp\plugtmp-1
plugin-crossdomain.xml
plugin-strings-nl_NL-vflLqJ7vu.xlb
The contents of plugin-crossdomain contain both the "youtube.com" adress as "s.ytimg.com" and is as follows:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
-<cross-domain-policy> <allow-access-from domain="s.ytimg.com"/> <allow-access-from domain="*.youtube.com"/> </cross-domain-policy>
The contents of the other file I will spare you cause I think those are less common when I visit other sites but I certainly don't trust the file. The crossdomain.xml I see when I visit most other flashpayer sites as well.
I've also noticed multiple plugin-crossdomain-1.xml and onwards in numbers, I just clicked a youtube video to test, got 6 of them in my temp plus a file named "plugin-read2" (no more NL file cause I changed my country, don't know how youtube knows where I'm from, but that's another subject, don't like that either). I just noticed one with a different code:
<?xml version="1.0"?>
-<cross-domain-policy> <allow-access-from domain="*"/> </cross-domain-policy>
So I guess this one comprimises my browsing history a bit less since it doesn't contain a webadress. If these files are even meant to be deposited in my local\temp folder. The bigger problem occurs when they stay there even after using private browsing, after clearing history, after clearing internet temporary files, cache, whatever you can think of. Which they do in my case, got more than 50 plugtmp-# folders in the previous mentioned local\temp folder containing all website names I visited in the last months. There are a variety of files in them, mostly ASP and XML, some just say file. I have yet to witness such a duplicate folder creation since I started checking my temp (perhaps when firefox crashes? I'd say I've had about 50 crashes in recent months).
I started checking my temp because of the following Microsoft Security Essential warnings I received on 23-4-12:
Exploit:Java/CVE-2010-0840.HE
containerfile:C:\Users\Username\AppData\Local\Temp\jar_cache2196625541034777730.tmp
file:C:\Users\Username\AppData\Local\Temp\jar_cache2196625541034777730.tmp->pong/reversi.class
and...
Exploit:Java/CVE-2008-5353.ZT
containerfile:C:\Users\Noname\AppData\Local\Temp\jar_cache1028270176376464057.tmp
file:C:\Users\Noname\AppData\Local\Temp\jar_cache1028270176376464057.tmp->Testability.class
Microsoft Security Essentials informed me that these files were quarantained and deleted but when going to my temp file they were still there, I deleted them manually and began the great quest of finding out what the multiple gigabytes of other files and folders were doing in that temp folder and not being deleted with the usual clearing options within firefox (and IE).
Note that I have set my adobe flasplayer settings to the most private intense I could think of while doing these tests (don't allow data storage for all websites, disable peer-to peer stuff, don't remember exactly anymore, etc.). I found it highly suspicious that i needed to change these settings online on an adobe website, is that correct? When right-clicking a video only limited privacy options are available which is why I tried the website thing.
After the inital discovery of the java exploit (which was discovered by MSE shortly after I installed and started my first scan with Malwarebytes, which in turn made me suspicious whether I had even downloaded the right malwarebytes, but no indication in the filename if I google it). Malwarebytes found nothing, MSE found nothing after it said it removed the files, yet it didn't remove them, manually scanning these jar_cache files with both malwarevytes and MSE resulted in nothing. Just to be sure, I deleted them anyways like I said earlier. No new jar_cache files have been created, no exploits detected since then. CCleaner has cleaned most of my temp folder, I did the rest, am blocking all cookies (except for now shortly), noscript add-on has been running a while on my firefox (V 3.6.26) to block most javascripts except from sites like youtube. I've had almost the same problem using similar manual solutions a couple of months ago, and a couple of months before that (clearing all the multiple tmp folders, removing or renaming jar_cache manually, running various antmalware software, full scan not finding a thing afterwards, installing extra add-ons to increase my security, this time it's BetterPrivacy which I found through a mozilla firefox https connection, I hope, which showed me nicely how adobe flash was still storing LSO's even after setting all storage settings to 0 kb and such on the adobe website, enabling private browsing in firefox crushed those little trolls, but still plugtmp trolls are being created, help me crush them please, they confuse me when I'm looking for a real threat but I still want to use flash, IE doesn't need those folders and files, or does it store them somewhere else?).
I'm sorry for the long story and many questions, hope it doesn't scare you away from helping me fight this. I suspect it's people wanting to belong to the hackergroup Anonymous who are doing this to my system and repeating their tricks (or the virus is still there, but I've done many antivirus scans with different programs so no need to suggest that option to me, they don't find it or I run into it after a while again, so far, have not seen jar_cache show up). Obviously, you may focus on the questions pertaining firefox and plugtmp folders, but if you can help me with any information regarding those exploits I would be extremely grateful, I've read alot but there isn't much specific information for checking where it comes from when all the anti-virus scanners don't detect anything anymore and don't block it incoming. I also have downloaded and installed process monitor but it crashes when I try to run it. The first time I tried to run it it lasted the longest, now it crashes after a few seconds, I just saw the number of events run up to almost a million and lots of cpu usage. When it crashed everything returned back to normal, or at least that's what I'm supposed to think I guess. I'll follow up on that one on their forum, but you can tell me if the program is ligit or not (it has a microsoft digital signature, or the name micosoft is used in that signature).update:
I haven't upgraded my firefox yet because of a "TVU Web Player" plugin that isn't supported in the new firefox and I'm using it occasionally, couldn't find an upgrade for it. Most of my other plugins are upgraded in the green (according to mozilla websitechecker):
Java(TM) Platform SE 6 U31 (green)
Shockwave for Director (green - from Adobe I think)
Shockwave Flash (green - why do I even need 2 of these adobe add-ons? can I remove one? I removed everything else i could find except the reader i think, I found AdobeARM and Adobe Acrobat several versions, very confusing with names constantly switching around)
Java Deployment Toolkit 6.0.310.5 (green, grrr, again a second java, why do they do this stuff, to annoy people who are plagued with java and flash exploits? make it more complicating?)
Adobe Acrobat (green, great, it's still there, well I guess this is the reader then)
TVU Web Player for FireFox (grey - mentioned it already)
Silverlight Plug-In (yellow - hardly use it, I think, unless it's automatic without my knowing, perhaps I watched one stream with it once, I'd like to remove it, but just in case I need it, don't remember why I didn't update, perhaps a conflict, perhaps because I don't use it, or it didn't report a threat like java and doesn't create unwantend and history compromising temp files)
Google Update (grey - can I remove? what will i lose? don't remember installing it, and if I didn't, why didn't firefox block it?)
Veetle TV Core (grey)
Veetle TV Player (grey - using this for watching streams on veetle.com, probably needs the Core, deleted the broadcaster that was there earlier, never chose to install that, can't firefox regulate that when installing different components? or did i just miss that option and assumed I needed when I was installing veetle add-on?)
Well, that's the list i get when checking on your site, when i use my own browseroptions to check add-ons I get a slightly different and longer list including a few I have already turned off (which also doesn't seem very secure to me, what's the point in using your site then for anything other than updates?), here are the differences in MY list:
I can see 2 versions of Java(TM) Platform SE 6 U31, (thanks firefox for not being able to copy-paste this)
one "Classic Java plug-in for Netscape and Mozilla"
the other is "next generation plug-in for Mozilla browsers".
I think I'll just turn off the Netscape and Mozilla one, don't trust it, why would I need 2? There I did it, no crashes, screw java :P
There's also a Mozilla Default plugin listed there, why does firefox list it there without any further information whether I need it or not or whether it really originates from Mozilla firefox? It doesn't even show up when I use your website plugin checker, so is there no easy way by watching this list for me to determin I can skip worrying about it?
There's also some old ones that I recently deactivated still listed like windows live photo gallery, never remember adding that one either or needing it for anything and as usual, right-clicking and "visit homepage" is greyed out, just as it is for the many java crap add-ons I encountered so far.
Doing a quick check, the only homepage I can visit is the veetle one. The rest are greyed out. I also have several "Java Console" in my extentions tab, I deactivated all but the one with the highest number. Still no Java Console visible though, even after going to start/search "java", clicking java file and changing the settings there to "show" console instead of "hide" (can't remember exact details).
There's some other extentions from noscript, TVU webplayer again, ADblock Plus and now also BetterPrivacy (sidenote, a default.LSO remains after cleanup correct? How do I know that one isn't doing anything nasty if it's code has been changed or is being changed? To prevent other LSO's I need to use both private browsing and change all kinds of restrictions online for adobe flashplayer, can anyone say absurd!!! if you think you're infected and want to improve your security? Sorry that rant was against Adobe, but it's really against Anonymous, no offense). -
#2170 error calling a webservice from Xcelsius having crossdomain.xml
Hello together,
we are facing a #2170 error indicating we don't have a proper policy file in place when executing a published Xcelsius flash in SAP BI application portal.
We created a WebService that is running an SAP BI System 7.01. The WebService is function module based and was generated following the wizzard. Afterwards we created a Xcelsius app that consumes data from this WebService (via data connection). The resulting flash from Xcelsius was pulished to SAP BI System (portal).
Since there are many entries in the SDN and the internet in general we finally also created an crossdomain.xml file on the BI system which can be accessed and is visible by using "https://<server>/crossdomain.xml".
Now the confusion begins: We exported the flash from Xcelsius to local desktop and executed the corresponding HTML-file. It's working and I can receive/see WebService data (after adjusting flash-security-settings). If we upload both exported files (html and swf) to the BI system (as MIME objects) and execute the html again we are also receiving WebServervice data. So far so good. But if we execute the link from the SAP BI Portal (Xcelsius menu > SAP > Start) we still get the error #2170 indicating we don't have a proper domain policy file in place. But for my understanding we do have. So currently I would assume the error message is somehow misleading.
During all the activities I found out that this error is also raised if the user has insufficient authorization. My user has SAP_ALL authorization for testing purpose.
In general I would say we are not that wrong with our Xcelsius/WebService if we are not coming from BI portal. So my questions are:
1.) Are there any authorization on portal side that might not fit and lead to this error? If insufficient authorizations produces such an error ...
2.) Did we miss any other stuff during our try/fail-operations?
Many thanks in advance for your hints.
SteffenHi Rajat,
This is how the default trace looks
FATAL: Application Servlet failed to notify devices.
Caught java.rmi.RemoteException: Service call exception; nested exception is:
com.sap.engine.services.webservices.jaxrpc.exceptions.InvalidResponseCodeException: Invalid Response Code: (503) Service Unavailable. The requested URL was:"http://<<server>>:50000/ManagementService/ManagementService?style=document"
at com.om.mws.standaloneproxy.ManagementServiceBindingStub.notifyDevice(ManagementServiceBindingStub.java:1289)
at com.om.mws.standaloneproxy.ManagementServiceBindingStub.notifyDevice(ManagementServiceBindingStub.java:1298)
at com.om.ApplicationServlet$NotifyDevices.run(ApplicationServlet.java:86)
Caused by: com.sap.engine.services.webservices.jaxrpc.exceptions.InvalidResponseCodeException: Invalid Response Code: (503) Service Unavailable. The requested URL was:"http://<<server>>:50000/ManagementService/ManagementService?style=document"
at com.sap.engine.services.webservices.jaxrpc.wsdl2java.soapbinding.MimeHttpBinding.handleResponseMessage(MimeHttpBinding.java:980)
at com.sap.engine.services.webservices.jaxrpc.wsdl2java.soapbinding.MimeHttpBinding.call(MimeHttpBinding.java:1430)
at com.om.mws.standaloneproxy.ManagementServiceBindingStub.notifyDevice(ManagementServiceBindingStub.java:1282)
... 2 more
java.lang.NoSuchMethodError
at java.lang.Thread.destroy(Thread.java:779)
at com.omApplicationServlet$NotifyDevices.run(ApplicationServlet.java:92)
Rgds
Shashank -
Security Error in accessing Web service from Flex.Where to put crossdomain.xml in axis container?
Hi guys.
Typically webservices are invoked across domains. Flash has defined certain policies which prevent crossdomain access. The only way to bypass this security feature is to put a crossdomain.xml file within the server root of the webservice provider i.e. in our case at http://abc.com. A sample example of crossdomain.xml is as below:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all" />
<allow-access-from domain="*" secure="false"/>
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>
If the crossdomain.xml is not added the developer will get “Security Error accessing URL” type of messages.
The above mentioned information should be enough for you to get your flex based WebService client up and running.
We are using axis2 to build webservices. We deployed the webservices under axis2 container under repository/srvices folder . But in Flex when we try to call the webservices we were getting the exception saying security error in accessing url. The solution is we need to put the crossdomain.xml o that it is loaded at runtime and allow us to access. In tomcat if we put the file under ROOT directory we could accss the file and we were able to access the webservices deployed under Tomcat. But I googled for Axis2 container and couldnt find any solution.
Please post the reply if anyone knows the solution to it.
Thanks
RajaHi. So, I did take a quick look at the Axis2 standalone server and didn't see any way to server up a file such as crossdomain.xml. It seems like it might be a useful enhancement to have the ability to serve up files even if this functionality was very simple/limited and nothing like a full blown http server.
I'd log an enhancement request against axis2 if this is something you'd like to have.
http://issues.apache.org/jira/browse/AXIS2
-Alex -
Where to place crossdomain.xml in SAP ECC IDES?
Hi,
I have a flex application which uses webservices generated in SAP IDES system. This flex app is stored in portal server. Since the physical servers are involved, I get a security error message, which says, "Security error accessing url". I browsed through the net and found that, we have to place a crossdomain.xml file in the web root folder of the server from where we are fetching the data. In my case, it would be SAP IDES system.
I wanted to know where do I place this xml file in IDES? What would be it's location and how can I generate a URL to access this xml file?
Please let me know about this, if anyone has done this before.
Appreciate your help.
Thank you,
Warm regards,
DeepakHi Durairaj,
As mentioned in that thread, I created a BSP application in the server and loaded crossdomain.xml. It was accessible from the browser too.
This is the xml code which is there in crossdomain:
<?xml version="1.0" ?>
<cross-domain-policy>
<allow-access-from domain="*" />
<site-control permitted-cross-domain-policies="all" />
<allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>
But this did not solve my purpose
I have my flex application in a server, servera.abc.com and I am using the webservices of another server, serverb.abc.com
I uploaded the crossdomain.xml in serverb.abc.com, in the following path through a BSP application:
http://serverb.abc.com:8000/sap/bc/bsp/sap/zroot/crossdomain.xml
But I still get the 'security accessing url' message in flex. It doesn't load the wsdl.
I'm also using this piece of code in initialize event of the application in flex:
private function initSecurity():void{
Security.allowDomain("*");
Security.loadPolicyFile("http://serverb.abc.com:8000/sap/bc/bsp/sap/zroot/crossdomain.xml");
Alert.show("crossdomain xml loaded....");
Where am I going wrong here? -
Apache proxypass and crossdomain.xml not working
Hi everyone,
I have the following problem. I have set up jboss on a Linux server connecting to local port 8080 (localhost:8080).
I have opened the application on port 80 with Apache ( www.myDomain.com) and set up a virtual host that proxies
this connection to localhost:8080 where jboss is listening.
<VirtualHost *:80>
DocumentRoot /var/www/nyDomain
ServerName myDomain.com
Alias /crossdomain.xml /var/www/html/crossdomain.xml
# proxy pass to the jboss server
<IfModule mod_proxy.c>
ProxyRequests Off
<Proxy *>
Order deny,allow
Deny from all
Allow from all
</Proxy>
ProxyPass /Stylect http://127.0.0.1:8081/Stylect
ProxyPassReverse /Stylect http://127.0.0.1:8081/Stylect
# ProxyPreserveHost on
</IfModule>
</VirtualHost>
The crossdomain.xml file is at the root of the server and can be accessed with www.mydomain.com/crossdomain.xml
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"/>
<allow-access-from domain="*" to-ports="*" secure="false"/>
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
I can see in firebug that it's being downloaded when I first request the page - this is the response:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Software as a Service Development. </title>
<META name="description" content="Description here"><META name="keywords" content="Saas, fashion design, plm, production, nutrition, food, orders">
</head>
<frameset rows="100%,*" border="0">
<frame src="http://xxx.xxx.xxx.xx/crossdomain.xml" frameborder="0" />
<frame frameborder="0" noresize />
</frameset>
<!-- pageok -->
<!-- 04 -->
<!-- -->
</html>
Yet I still get a 2048 sandbox violation error.
The crossdomain is needed because the proxied request
appears to be coming from the public ip while jboss
is bound to the local host.
If I expose Jboss directly to the web all works well but there
are too many security issues in that setup. Apache as a front is
much better.
The question is: is this the correct response I should be getting
(or should it be directly the xml file) and why is it not working?
How can I fix this?
Any help much appreciated. I'm stuck.
DahnTry adding security="false" inside the next line:
<allow-access-from domain="*"/>
so it would look something like
<allow-access-from domain="*" security="false" />
It fixed the problem for me.
Maybe you are looking for
-
How do I get time machine to see my Seagate external drive? I
I continue to have trouble getting the machine to ID an external drive for time machine. I bought a new external, Seagate, installed it and things were fine, until I had to move my computer due to home repairs. I ejected the Seagate as part of the
-
Ipod Touch 1st Gen not starting up past the apple logo
When I start it up i see the apple logo for about 15sec then it turns off. I've tried putting it into safe mode by holding the Power and Home button for 30sec but all it does is turn on and off twice then nothing happens. Any ideas on how to fix this
-
I plugged my phone into my computer and iTunes indicated I needed to restore my phone. don'r know why, it was fine before I retired for the night I get itunes saying it extracted software then prepped the phone for resotre bu now my phone is hung up
-
Making a printed BANNER using cont. feed banner PAPER
does anyone have any idea if I can make a banner (8/12 x 36") using continous feed paper in my printer? I have the trial verison of Pages '08 which came with my new iMac. (I am a mac newbie) For years I easily made printed banners (using up to 5 shee
-
Log in details number not working with CC updater?
Just over the last week or so I seem unable to loggin and update apps. I updated everything to CC 2014 a few weeks back but now cannot seem to get the updater to accept my details. They are the same details that I used to successfully log in here tod