Flash 9.0.124 and webservices: Channel.Security.Error

Flex / AIR , Flash Add comments

We encountered a new error yesterday.  One of our clients has a Flex app that retrieves data from a different server over https (which are hosted on a dedicated server separate from the Flex app).  Sometimes it worked; sometimes it failed w/the following message:

Channel.Security.Error screenshotThe following unexpected error has occured: [FaultEvent fault=[RPC Fault faultString="Security error accessing url" faultCode="Channel.Security.Error" faultDetail="Destination: DefaultHTTPS"] messageId="8A80F18A-13CB-7C33-D013-5729AB4FAF80" type="fault" bubbles=false cancelable=true eventPhase=2]

After Tyler and worked on it for an hour, analyzing it with proxies, etc., we came to the following realization: it only appears when contacting the webservice over https using the latest release of Flash (9.0.124).  Previous interations (9.0.115 and earlier) do not suffer from this problem.

What happens is that the crossdomain.xml is requested and downloaded.  Normally at this point, we would witness the retrieval of the webservice's wsdl file; but instead nothing happens--the wsdl file is never even requested.  Instead this error pops up.

Adobe made some changes to the security sandbox in 124, so we suspect this is where the problem lies.  There are new options that can be set in the crossdomain.xml (e.g. <allow-http-request-headers-from>), and we suspect that this is the origin of the problem.  Adobe has posted Technote kb403185, which looks like a promising solution. 

The short of synopsis is that you cannot make SOAP calls outside the domain where the swf is hosted, without adding the following to the crossdomain.xml policy file:

 <allow-http-request-headers-from domain="www.example.com" headers="SOAPAction"/>

So the complete file might look like the following:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <!--This domain can accept the SOAPAction header from a SWF file from www.example.com -->
   <allow-http-request-headers-from domain="www.example.com" headers="SOAPAction"/>
</cross-domain-policy> 

Justin Everett turned me on to a similar issue caused by 9.0.124, and deserves credit for instigating my thought process.

44 responses to “Flash 9.0.124 and webservices: Channel.Security.Error”

  1. aturpin Says:
    I am having problems with installation of adobe flash player.

    Can you help Please
  2. Robbert Says:
    Great stuff, helped me to get rid of this error in our Flex app!
    Thnx!

    @Aturpin
    LOL
  3. Blake K. Says:
    Thank you, that was the exact thing I needed to solve the issue.
  4. dai Says:
    thank you! this helped us solve our webservice error
  5. Dan Says:
    Thanks for posting this! The docs are crap and I have been struggling to understand this error myself.

    Great explanation!
  6. Shannon Hicks Says:
    What Dan said. I struggled with this forever before I gave up.
  7. ruX Says:
    Thanks a lot!
    I have developed flex application for biggest russian social network. Now my app can exchange data with 2 servers on different domains
  8. Bhavika Says:
    Hi,
    i am experiencing the same problem,
    and did as explained in this blog,
    but i am not anle to load the wsdl in swf and still getting "Unable to load WSDL" Error,
    any help will be appriciated.
    Thank You.
    Bhavika
  9. Bhavika Says:
    Hi,
    i am experiencing the same problem,
    and did as explained in this blog,
    but i am not anle to load the wsdl in swf and still getting "Unable to load WSDL" Error,
    any help will be appriciated.
    Thank You.
    Bhavika
  10. hockey fights Says:
    where do i get more information on this
  11. herry Says:
    I often read your blog and always find it very interesting. Thought it was about time i let you know…Keep up the great work
  12. durnin Says:
    Ah, four hours of troubleshooting and this was just what I needed. Thanks a bunch!
  13. Pedro Says:
    It kind of solved my problem... now I don't have an error when i open the web application on the server. But i still have that problem when i open it on another computer. Any ideas?
    Thanx ;)
  14. Pradip Jadhav Says:
    Hello,

    I am having error of cross domain policy. I am working on PHP FlEX project. Due to some reason i want to call one JSP file through HTTPservice. JSP file returns string value value true or false.

    But while running the application it gives me channel's security error. I include cross domain policy file. But It is giving the same error.

    Will you please help me to solve this problem.

    Thanx in advance

    Regards,
    Pradip Jadhav
  15. Neha Says:
    Can you let me know where to host this cross domain policy file? Can I put it under some directory in my application? How to reference it in mxml code file?
  16. Scott Talsma Says:
    @Neha: The policy file goes in the root directory of the server hosting your data.
  17. Mary Says:
    Even though I added the crossdomain.xml file to the root directory of the webapp and the flex project. I still get this error. Suggestions please.
  18. Mary Says:
    [RPC Fault faultString="Security error accessing url" faultCode="Channel.Security.Error" faultDetail="Destination: DefaultHTTP"]
       at mx.rpc::AbstractInvoker/http://www.adobe.com/2006/flex/mx/internal::faultHandler()[E:\dev\4.0.0\frameworks\projects\rpc\src\mx\rpc\AbstractInvoker.as:345]
       at mx.rpc::Responder/fault()[E:\dev\4.0.0\frameworks\projects\rpc\src\mx\rpc\Responder.as:68]
       at mx.rpc::AsyncRequest/fault()[E:\dev\4.0.0\frameworks\projects\rpc\src\mx\rpc\AsyncRequest.as:113]
       at DirectHTTPMessageResponder/securityErrorHandler()[E:\dev\4.0.0\frameworks\projects\rpc\src\mx\messaging\channels\DirectHTTPChannel.as:432]
       at flash.events::EventDispatcher/dispatchEventFunction()
       at flash.events::EventDispatcher/dispatchEvent()
       at flash.net::URLLoader/redirectEvent()
  19. Scott Talsma Says:
    @Mary: try running the app w/a proxy (e.g. Charles), and determine if the crossdomain files is being successfully loaded. Additionally, if you are using Flash Builder w/network monitoring turned on, there may be additional issues surrounding crossdomain.
  20. Venkat Says:
    I am getting the same message as an alert stating "Channel.Security.Error" with message "Security Error accessing url".. when I am running my flex application in weblogic 9.2 server which makes bunch of soap based calls with different WSDL's to get the meta data of the services.. This error I am getting in my local machine.. where should I put the crossdomain.xml file for my weblogic server..

    Thanks a lot in advance..

    Venkat.
  21. Scott Talsma Says:
    @Venkat: your crossdomain.xml file would go in the root of the weblogic server. Since that is probably not possible (you want to deploy the crossdomain.xml into your app context), you may have to specify in your flex app where the policyfile is located), you will have to specify the location of the file via loadPolicyFile().
  22. Venkat Says:
    Hi Scott,


    Thanks for responding me..

    I have tried putting the crossdomain.xml file for the following locations, but was unsucessfull in invoking the webservices. The same application while executing as standalone application.. it does invokes the webservices.. but when you deploy the application in the weblogic 9.2, it doesn't invoke the webservices.

    c:\bea\crossdomain.xml.
    c:\bea\weblogic92\crossdomain.xml.
    c:\bea\weblogic92\server\crossdomain.xml.
    c:\bea\user_projects\crossdomain.xml.
    c:\bea\user_projects\domains\crossdomain.xml.
    c:\bea\user_projects\domains\wblgcagissrv1(server instance)\crossdomain.xml

    and even in the Flex applications root folder also I tried like.

    (project path)\(prject name)\src\crossdomain.xml.
    (project path)\(prject name)\WebContent\crossdomain.xml.
    (project path)\(prject name)\WebContent\WEB-INF\crossdomain.xml.

    Nothing worked out.. I spent most of the time on this error.. but could not resolved so far. Where do we have to specify the policyfile in flex application code.. for example the file I am invoking the webservices.. should call the loadPolicyFile() method first and then do the webservices invocation ? If you have an example for this please share that.

    Once again Thanks a lot for responding.

    -Venkat.
  23. Scott Talsma Says:
    @Venkat: Try running the application with a client-side proxy (e.g. Charles, ServiceCapture). That will tell you from where the crossdomain is being requested. It might turn out to be a permissions issue. Another possibility is that it is actually unrelated to crossdomain.

    Clear you browser cache and fire up the proxy. You should see a request going out for crossdomain.xml if one is really needed.

    Note that I am assuming that you are compiling for network access (compiler argument -use-network=true instead of =false).
  24. Venkat Says:
    Hi Scott,

    I am sorry to say, I am new to this flex stuff.. I don't know how to run the application as said like
    "Try running the application with a client-side proxy (e.g. Charles, ServiceCapture)".

    Generally I alway run application through eclipse plugin'd flex builder.. I have created weblogic 9.2 server instance and configured to the flex builder.. I will run application by clicking "Run on Server" from the corresponding menu..

    I will run the appliction in stand alone mode by right clicking on the home/index.html file for corresponding .swf file's saying that open with Internet explorer/ Fire Fox browser, and from there it goes with invoking remaing swf modules files.. in which calling the soap webservices from one of the action script class to get the meta data of the rest based webservices...

    Please Note: Soap and Rest based services are running on server, which is remote, I am having my local box with Flexbuilder and weblogic 9.2 installed in it, and invoking the webservices which are running at the erver from my local. Webservices are not running in my local.

    This error is killing my time.

    How should I run the application with "client-side proxy".


    Thankyou so much.

    -Venkat.
  25. Venkat Says:
    Hi Scott,

    I am sorry to say, I am new to this flex stuff.. I don't know how to run the application as said like
    "Try running the application with a client-side proxy (e.g. Charles, ServiceCapture)".

    Generally I alway run application through eclipse plugin'd flex builder.. I have created weblogic 9.2 server instance and configured to the flex builder.. I will run application by clicking "Run on Server" from the corresponding menu..

    I will run the appliction in stand alone mode by right clicking on the home/index.html file for corresponding .swf file's saying that open with Internet explorer/ Fire Fox browser, and from there it goes with invoking remaing swf modules files.. in which calling the soap webservices from one of the action script class to get the meta data of the rest based webservices...

    Please Note: Soap and Rest based services are running on server, which is remote, I am having my local box with Flexbuilder and weblogic 9.2 installed in it, and invoking the webservices which are running at the erver from my local. Webservices are not running in my local.

    This error is killing my time.

    How should I run the application with "client-side proxy".


    Thankyou so much.

    -Venkat.
  26. Scott Talsma Says:
    @venkat: First of all, deploy your app to the weblogic server; that is where it needs to go anyway. And then run it from there. This may solve all your problems. Currently, you are running it w/in the local filesystem, meaning that w/o setting up global permissions on the flashplayer, you cannot access the internet (your webservices). When you run it from the webserver (http:// instead of file://) you can access those services.

    Regarding a client-side proxy, download and install Charles (http://www.charlesproxy.com/) and you will see your http and soap requests going out.

    Also, if you are using FlashBuilder 4, turn off the network monitor for you project and recompile; that often helps as well.
  27. Venkat Says:
    Hi Scott,


    This error I am getting only after deploying the application in weblogic server and invoking the application, which intern calls the webservices that are located in some remote ArcGIS servers. As I said early, I am not getting any error messages without deploying the application in the weblogic server, i.e I am invoking as you said.. something like.. file://{path}/index.html.. with this I able to invoke the services.. but unable to invoke the services after deploy in weblogic server. How will setup global permissions on flash player to access the services from the weblogic server
    I am using Flex Builder 3 not 4 (Flash Builder).

    -Regards.
    Venkat.
  28. Scott Talsma Says:
    @Venkat--This sounds absolutely correct. But you still have not reported the results of installing charles. It sounds like your app is trying to access web services hosted outside of its security sandbox. Installing and running Charles should tell you whether a crossdomain.xml file is being requested.

    Read and re-read Adobe's articles on the security sandbox. Simple search for "flashplayer crossdomain.xml" and you will get a host of results.
  29. Venkat Says:
    Hi Scott,

    Got resolved the issue with the help of admin person in updating the crossdomin.xml which is located in the remote server. Now I am able to make call's to the service both rest based and soap based as well.. from local weblogic server.
    Many Thanks for resolving the issue on "Channel.Security.Error".

    I appreciate you for your blog..
    Keep it up sir..

    Once again Thanks alot.

    -Venkat.
  30. Venkat Says:
    I installed the charles http debugging tool(trial one).. but it complaing me about the JVM(unable to load / find the JVM).. got frustrated with that.. when I am able to do 'javac' and 'java' commands from the command prompt..why not this tool doesn't find the JVM.

    anyway my issue got resolved for now.

    Thanks.
    -Venkat.
  31. sam Says:
    I see this error when running from desktop. I don't see it when I am running this from my bin-debug directory. Not sure if changing the crossdomain.xml will take care of this. Ideas anyone???
  32. Scott Talsma Says:
    @sam: If you are running from the desktop, you may need to change your sandbox from local file system to network.

    Have a look at http://livedocs.adobe.com/flex/3/html/help.html?content=05B_Security_04.html

    Basically, you need to add a compiler setting to your flex project.
  33. Walied Youssry Says:
    Thanks ALOT.. I was pulling my hair out!
    why don't adobe announce it clearly?!?
    Thanks again,
  34. shubhanan Says:
    Hello!
    Many Many Many thanks to you!
    I had been struggling with this error for 3-4 days, but finally came across this page and the version difference today!

    Excellent, concise post! :) Appreciate it.

    Shubhanan
  35. wow gold Says:
    I think that the articles give the instruction of mine in time,and i like it very much.
  36. Nethod Says:
    Lightbulb moment! Thx
  37. Simon Briche Says:
    Hi,
    Thanks a lot for that line of code that saved my life !
    So my webservice worked via http. Cool.

    But after wasting a couple of hours (again) trying to call my wsdl hosted in a https URL, I realize that the node <allow-http-request-headers-from /> needs an attibute "secure=false" to allow calls from an unsecured URL.
    In the end my crossdomain.xml looks like this :

    <?xml version="1.0"?>
    <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">;
    <cross-domain-policy>
       <allow-access-from domain="*" secure="false" />
       <allow-http-request-headers-from domain="*" headers="Authorization,X-HTTP-Method-Override,SOAPAction" secure="false"/>
    </cross-domain-policy>

    Note the attribute 'secure="false"' for both "allow-access-from" and "allow-http-request-headers-from" nodes.
    I assume that the first one is for script calls and the second one for passing some request headers from unsecured URLs.

    Thanks again!
  38. Tricho340 Says:
    @Venkat, could you be a little more specific as to what your administrator did in order for the error to go away? Thanks!

    Trifon
  39. Divya Agarwal Says:
    Dear author
    I am new on flex I develop a flex application which access data fro server using php the application runs fine when work on localhost but when I tried to acess from any other domain flex datagrid appears but it can't fetch data and gives error "securoty error in aceessing protocol".
    I placed the cross domian file on the root folder of my server still can't acess.
    my cross domain file is :


    <?xml version="1.0"?>
    <cross-domain-policy>
    <allow-http-request-from domain="http://192.168.4.68"/>;
    </cross-domain-policy>

    plz help

    Thanks in advance
  40. Scott Talsma Says:
    @Divya

    The way you have set up your crossdomain allows only access from that specific IP (192.168.4.68). Is your swf being hosted at that IP? Note also that you need to not only host the swf at that IP, but also access it (http://192.168.4.68) from that IP instead of using a host-header (http://www....).

    I would pull down Charles in order to check what exactly is being downloaded. For, example, is it requesting (and finding) your crossdomain file.

    -Scott
  41. neha Says:
    i m doing a server socket connection in flex sdk in netbeans IDE with a java server program and flex as my client program. i make the connection 1st but it shows security error exception in flex environment.what should i do............to solve my problem...........

    can anyone help me..................
  42. Sonali Says:
    Hi
    I am trying to run a Flex app in which data is being accessed from another server over http. Web service hosted on that server is working perfectly fine but my app is not able to get the data(i guess). I came across this blog and made the changes in the crossdomain.xml file as directed (which is present at the roort folder of that server hosting the web service) BUt I am still getting the error "Security Error accessing URL"

    Can ny1 plz help me figure out the problem.

    wat else info do i need to have abt .swf file being loaded. I am not sure if i am making any mistake regaring the path of swf file.

    How can I make sure my crossdomain file is successfully being loaded or not.

    Plz Help

    Thanx in advance
    Sonali
  43. Scott Talsma Says:
    @Sonali: what is the url of the page having problems? I'll pull it up in a reverse proxy to see if your crossdomain is set up correctly.
  44. umar Says:
    I am developing a flex application. I am trying to get xml data from cross domain. Data service is at linux machine. It works fine in development mode. But as I host swf file even on same development machine, it gives channelsecurity.error
    I have placed crossdomain.xml at root of the flex server and it is working ok.
    But still I am getting channelsecurity.error

Leave a Reply





Powered by Mango Blog. Design and Icons by N.Design Studio