We encountered a new error yesterday. One of our clients has a Flex app that retrieves data from a different server over https (which are hosted on a dedicated server separate from the Flex app). Sometimes it worked; sometimes it failed w/the following message:
The following unexpected error has occured: [FaultEvent fault=[RPC Fault faultString="Security error accessing url" faultCode="Channel.Security.Error" faultDetail="Destination: DefaultHTTPS"] messageId="8A80F18A-13CB-7C33-D013-5729AB4FAF80" type="fault" bubbles=false cancelable=true eventPhase=2]
After Tyler and worked on it for an hour, analyzing it with proxies, etc., we came to the following realization: it only appears when contacting the webservice over https using the latest release of Flash (9.0.124). Previous interations (9.0.115 and earlier) do not suffer from this problem.
What happens is that the crossdomain.xml is requested and downloaded. Normally at this point, we would witness the retrieval of the webservice's wsdl file; but instead nothing happens--the wsdl file is never even requested. Instead this error pops up.
Adobe made some changes to the security sandbox in 124, so we suspect this is where the problem lies. There are new options that can be set in the crossdomain.xml (e.g. <allow-http-request-headers-from>), and we suspect that this is the origin of the problem. Adobe has posted Technote kb403185, which looks like a promising solution.
The short of synopsis is that you cannot make SOAP calls outside the domain where the swf is hosted, without adding the following to the crossdomain.xml policy file:
<allow-http-request-headers-from domain="www.example.com" headers="SOAPAction"/>
So the complete file might look like the following:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<!--This domain can accept the SOAPAction header from a SWF file from www.example.com -->
<allow-http-request-headers-from domain="www.example.com" headers="SOAPAction"/>
</cross-domain-policy>
Justin Everett turned me on to a similar issue caused by 9.0.124, and deserves credit for instigating my thought process.
Aug 12, 2008 at 9:14 PM I am having problems with installation of adobe flash player.
Can you help Please
Sep 18, 2008 at 7:19 AM Great stuff, helped me to get rid of this error in our Flex app!
Thnx!
@Aturpin
LOL
Oct 17, 2008 at 4:08 PM Thank you, that was the exact thing I needed to solve the issue.
Feb 10, 2009 at 5:59 AM thank you! this helped us solve our webservice error
Feb 24, 2009 at 11:25 AM Thanks for posting this! The docs are crap and I have been struggling to understand this error myself.
Great explanation!
Mar 18, 2009 at 2:27 PM What Dan said. I struggled with this forever before I gave up.
Jul 12, 2009 at 6:42 PM Thanks a lot!
I have developed flex application for biggest russian social network. Now my app can exchange data with 2 servers on different domains
Sep 16, 2009 at 10:36 AM Hi,
i am experiencing the same problem,
and did as explained in this blog,
but i am not anle to load the wsdl in swf and still getting "Unable to load WSDL" Error,
any help will be appriciated.
Thank You.
Bhavika
Sep 16, 2009 at 10:38 AM Hi,
i am experiencing the same problem,
and did as explained in this blog,
but i am not anle to load the wsdl in swf and still getting "Unable to load WSDL" Error,
any help will be appriciated.
Thank You.
Bhavika
Nov 4, 2009 at 1:39 AM where do i get more information on this
Nov 13, 2009 at 5:42 AM I often read your blog and always find it very interesting. Thought it was about time i let you know…Keep up the great work
Nov 19, 2009 at 6:58 PM Ah, four hours of troubleshooting and this was just what I needed. Thanks a bunch!
Feb 3, 2010 at 3:02 PM It kind of solved my problem... now I don't have an error when i open the web application on the server. But i still have that problem when i open it on another computer. Any ideas?
Thanx ;)
Feb 4, 2010 at 8:35 AM Hello,
I am having error of cross domain policy. I am working on PHP FlEX project. Due to some reason i want to call one JSP file through HTTPservice. JSP file returns string value value true or false.
But while running the application it gives me channel's security error. I include cross domain policy file. But It is giving the same error.
Will you please help me to solve this problem.
Thanx in advance
Regards,
Pradip Jadhav
Mar 31, 2010 at 4:25 PM Can you let me know where to host this cross domain policy file? Can I put it under some directory in my application? How to reference it in mxml code file?
Mar 31, 2010 at 5:06 PM @Neha: The policy file goes in the root directory of the server hosting your data.
Jun 5, 2010 at 9:11 AM Even though I added the crossdomain.xml file to the root directory of the webapp and the flex project. I still get this error. Suggestions please.
Jun 5, 2010 at 9:16 AM [RPC Fault faultString="Security error accessing url" faultCode="Channel.Security.Error" faultDetail="Destination: DefaultHTTP"]
at mx.rpc::AbstractInvoker/http://www.adobe.com/2006/flex/mx/internal::faultHandler()[E:\dev\4.0.0\frameworks\projects\rpc\src\mx\rpc\AbstractInvoker.as:345]
at mx.rpc::Responder/fault()[E:\dev\4.0.0\frameworks\projects\rpc\src\mx\rpc\Responder.as:68]
at mx.rpc::AsyncRequest/fault()[E:\dev\4.0.0\frameworks\projects\rpc\src\mx\rpc\AsyncRequest.as:113]
at DirectHTTPMessageResponder/securityErrorHandler()[E:\dev\4.0.0\frameworks\projects\rpc\src\mx\messaging\channels\DirectHTTPChannel.as:432]
at flash.events::EventDispatcher/dispatchEventFunction()
at flash.events::EventDispatcher/dispatchEvent()
at flash.net::URLLoader/redirectEvent()
Jun 6, 2010 at 1:41 PM @Mary: try running the app w/a proxy (e.g. Charles), and determine if the crossdomain files is being successfully loaded. Additionally, if you are using Flash Builder w/network monitoring turned on, there may be additional issues surrounding crossdomain.
Jul 6, 2010 at 9:04 PM I am getting the same message as an alert stating "Channel.Security.Error" with message "Security Error accessing url".. when I am running my flex application in weblogic 9.2 server which makes bunch of soap based calls with different WSDL's to get the meta data of the services.. This error I am getting in my local machine.. where should I put the crossdomain.xml file for my weblogic server..
Thanks a lot in advance..
Venkat.
Jul 7, 2010 at 2:58 PM @Venkat: your crossdomain.xml file would go in the root of the weblogic server. Since that is probably not possible (you want to deploy the crossdomain.xml into your app context), you may have to specify in your flex app where the policyfile is located), you will have to specify the location of the file via loadPolicyFile().
Jul 7, 2010 at 9:57 PM Hi Scott,
Thanks for responding me..
I have tried putting the crossdomain.xml file for the following locations, but was unsucessfull in invoking the webservices. The same application while executing as standalone application.. it does invokes the webservices.. but when you deploy the application in the weblogic 9.2, it doesn't invoke the webservices.
c:\bea\crossdomain.xml.
c:\bea\weblogic92\crossdomain.xml.
c:\bea\weblogic92\server\crossdomain.xml.
c:\bea\user_projects\crossdomain.xml.
c:\bea\user_projects\domains\crossdomain.xml.
c:\bea\user_projects\domains\wblgcagissrv1(server instance)\crossdomain.xml
and even in the Flex applications root folder also I tried like.
(project path)\(prject name)\src\crossdomain.xml.
(project path)\(prject name)\WebContent\crossdomain.xml.
(project path)\(prject name)\WebContent\WEB-INF\crossdomain.xml.
Nothing worked out.. I spent most of the time on this error.. but could not resolved so far. Where do we have to specify the policyfile in flex application code.. for example the file I am invoking the webservices.. should call the loadPolicyFile() method first and then do the webservices invocation ? If you have an example for this please share that.
Once again Thanks a lot for responding.
-Venkat.
Jul 8, 2010 at 9:17 AM @Venkat: Try running the application with a client-side proxy (e.g. Charles, ServiceCapture). That will tell you from where the crossdomain is being requested. It might turn out to be a permissions issue. Another possibility is that it is actually unrelated to crossdomain.
Clear you browser cache and fire up the proxy. You should see a request going out for crossdomain.xml if one is really needed.
Note that I am assuming that you are compiling for network access (compiler argument -use-network=true instead of =false).
Jul 9, 2010 at 10:08 AM Hi Scott,
I am sorry to say, I am new to this flex stuff.. I don't know how to run the application as said like
"Try running the application with a client-side proxy (e.g. Charles, ServiceCapture)".
Generally I alway run application through eclipse plugin'd flex builder.. I have created weblogic 9.2 server instance and configured to the flex builder.. I will run application by clicking "Run on Server" from the corresponding menu..
I will run the appliction in stand alone mode by right clicking on the home/index.html file for corresponding .swf file's saying that open with Internet explorer/ Fire Fox browser, and from there it goes with invoking remaing swf modules files.. in which calling the soap webservices from one of the action script class to get the meta data of the rest based webservices...
Please Note: Soap and Rest based services are running on server, which is remote, I am having my local box with Flexbuilder and weblogic 9.2 installed in it, and invoking the webservices which are running at the erver from my local. Webservices are not running in my local.
This error is killing my time.
How should I run the application with "client-side proxy".
Thankyou so much.
-Venkat.
Jul 9, 2010 at 10:43 AM Hi Scott,
I am sorry to say, I am new to this flex stuff.. I don't know how to run the application as said like
"Try running the application with a client-side proxy (e.g. Charles, ServiceCapture)".
Generally I alway run application through eclipse plugin'd flex builder.. I have created weblogic 9.2 server instance and configured to the flex builder.. I will run application by clicking "Run on Server" from the corresponding menu..
I will run the appliction in stand alone mode by right clicking on the home/index.html file for corresponding .swf file's saying that open with Internet explorer/ Fire Fox browser, and from there it goes with invoking remaing swf modules files.. in which calling the soap webservices from one of the action script class to get the meta data of the rest based webservices...
Please Note: Soap and Rest based services are running on server, which is remote, I am having my local box with Flexbuilder and weblogic 9.2 installed in it, and invoking the webservices which are running at the erver from my local. Webservices are not running in my local.
This error is killing my time.
How should I run the application with "client-side proxy".
Thankyou so much.
-Venkat.
Jul 13, 2010 at 9:44 AM @venkat: First of all, deploy your app to the weblogic server; that is where it needs to go anyway. And then run it from there. This may solve all your problems. Currently, you are running it w/in the local filesystem, meaning that w/o setting up global permissions on the flashplayer, you cannot access the internet (your webservices). When you run it from the webserver (http:// instead of file://) you can access those services.
Regarding a client-side proxy, download and install Charles (http://www.charlesproxy.com/) and you will see your http and soap requests going out.
Also, if you are using FlashBuilder 4, turn off the network monitor for you project and recompile; that often helps as well.
Jul 19, 2010 at 8:49 AM Hi Scott,
This error I am getting only after deploying the application in weblogic server and invoking the application, which intern calls the webservices that are located in some remote ArcGIS servers. As I said early, I am not getting any error messages without deploying the application in the weblogic server, i.e I am invoking as you said.. something like.. file://{path}/index.html.. with this I able to invoke the services.. but unable to invoke the services after deploy in weblogic server. How will setup global permissions on flash player to access the services from the weblogic server
I am using Flex Builder 3 not 4 (Flash Builder).
-Regards.
Venkat.
Jul 19, 2010 at 9:18 AM @Venkat--This sounds absolutely correct. But you still have not reported the results of installing charles. It sounds like your app is trying to access web services hosted outside of its security sandbox. Installing and running Charles should tell you whether a crossdomain.xml file is being requested.
Read and re-read Adobe's articles on the security sandbox. Simple search for "flashplayer crossdomain.xml" and you will get a host of results.
Jul 22, 2010 at 3:53 PM Hi Scott,
Got resolved the issue with the help of admin person in updating the crossdomin.xml which is located in the remote server. Now I am able to make call's to the service both rest based and soap based as well.. from local weblogic server.
Many Thanks for resolving the issue on "Channel.Security.Error".
I appreciate you for your blog..
Keep it up sir..
Once again Thanks alot.
-Venkat.
Jul 22, 2010 at 4:18 PM I installed the charles http debugging tool(trial one).. but it complaing me about the JVM(unable to load / find the JVM).. got frustrated with that.. when I am able to do 'javac' and 'java' commands from the command prompt..why not this tool doesn't find the JVM.
anyway my issue got resolved for now.
Thanks.
-Venkat.
Sep 20, 2010 at 12:35 AM I see this error when running from desktop. I don't see it when I am running this from my bin-debug directory. Not sure if changing the crossdomain.xml will take care of this. Ideas anyone???
Sep 20, 2010 at 9:08 AM @sam: If you are running from the desktop, you may need to change your sandbox from local file system to network.
Have a look at http://livedocs.adobe.com/flex/3/html/help.html?content=05B_Security_04.html
Basically, you need to add a compiler setting to your flex project.
Oct 13, 2010 at 10:20 AM Thanks ALOT.. I was pulling my hair out!
why don't adobe announce it clearly?!?
Thanks again,
Nov 23, 2010 at 3:52 AM Hello!
Many Many Many thanks to you!
I had been struggling with this error for 3-4 days, but finally came across this page and the version difference today!
Excellent, concise post! :) Appreciate it.
Shubhanan
Dec 29, 2010 at 2:39 AM I think that the articles give the instruction of mine in time,and i like it very much.
Jan 29, 2011 at 5:46 AM Lightbulb moment! Thx
Mar 28, 2011 at 11:23 AM Hi,
Thanks a lot for that line of code that saved my life !
So my webservice worked via http. Cool.
But after wasting a couple of hours (again) trying to call my wsdl hosted in a https URL, I realize that the node <allow-http-request-headers-from /> needs an attibute "secure=false" to allow calls from an unsecured URL.
In the end my crossdomain.xml looks like this :
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">;
<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="Authorization,X-HTTP-Method-Override,SOAPAction" secure="false"/>
</cross-domain-policy>
Note the attribute 'secure="false"' for both "allow-access-from" and "allow-http-request-headers-from" nodes.
I assume that the first one is for script calls and the second one for passing some request headers from unsecured URLs.
Thanks again!
Apr 12, 2011 at 3:24 AM @Venkat, could you be a little more specific as to what your administrator did in order for the error to go away? Thanks!
Trifon
Sep 23, 2011 at 2:50 AM Dear author
I am new on flex I develop a flex application which access data fro server using php the application runs fine when work on localhost but when I tried to acess from any other domain flex datagrid appears but it can't fetch data and gives error "securoty error in aceessing protocol".
I placed the cross domian file on the root folder of my server still can't acess.
my cross domain file is :
<?xml version="1.0"?>
<cross-domain-policy>
<allow-http-request-from domain="http://192.168.4.68"/>;
</cross-domain-policy>
plz help
Thanks in advance
Sep 23, 2011 at 7:20 AM @Divya
The way you have set up your crossdomain allows only access from that specific IP (192.168.4.68). Is your swf being hosted at that IP? Note also that you need to not only host the swf at that IP, but also access it (http://192.168.4.68) from that IP instead of using a host-header (http://www....).
I would pull down Charles in order to check what exactly is being downloaded. For, example, is it requesting (and finding) your crossdomain file.
-Scott
Apr 10, 2012 at 8:08 AM i m doing a server socket connection in flex sdk in netbeans IDE with a java server program and flex as my client program. i make the connection 1st but it shows security error exception in flex environment.what should i do............to solve my problem...........
can anyone help me..................
Oct 24, 2012 at 1:12 PM Hi
I am trying to run a Flex app in which data is being accessed from another server over http. Web service hosted on that server is working perfectly fine but my app is not able to get the data(i guess). I came across this blog and made the changes in the crossdomain.xml file as directed (which is present at the roort folder of that server hosting the web service) BUt I am still getting the error "Security Error accessing URL"
Can ny1 plz help me figure out the problem.
wat else info do i need to have abt .swf file being loaded. I am not sure if i am making any mistake regaring the path of swf file.
How can I make sure my crossdomain file is successfully being loaded or not.
Plz Help
Thanx in advance
Sonali
Oct 24, 2012 at 1:42 PM @Sonali: what is the url of the page having problems? I'll pull it up in a reverse proxy to see if your crossdomain is set up correctly.