Saturday, November 10, 2007

GlassFish and the Flash crossdomain.xml File

Flash 9 applications require a crossdomain.xml file at the top level of any domain they access other than the domain hosting the Flash application. Because both OpenLaszlo and Flex have Flash as a primary deployment environment, the placement of the crossdomain.xml file is important when developing with either framework.

Flash-powered web applications (whether constructed with Flex or OpenLaszlo) are a nice complement to server-side logic implemented in Java EE. It is not uncommon for the Flash application to be hosted on a different machine than the Java EE application server, in which case the crossdomain.xml file is required.

This situation is even more common when a Flash-based application wants to access a different provider's APIs and services (think Yahoo!, Google, etc.). When you are accessing someone else's services from your own Flash-based application, you do not need to worry about the crossdomain.xml file (it is their concern and there is nothing you can do about it anyway if they don't provide it). However, if you want to provide services for others' Flash-based applications to use, then crossdomain.xml creation and placement is required.

When using GlassFish (the Java EE reference implementation), the "top level" directory for placement of the crossdomain.xml file is the "docroot" subdirectory under your GlassFish domain's directory. For example, if you use the default domain of domain1, you'd place the crossdomain.xml file in <<GLASSFISH_INSTALL_DIR>>/domains/domain1/docroot, where <<GLASSFISH_INSTALL_DIR>> is the directory into which you installed GlassFish (such as C:\glassfish). This is described in the java.net GlassFish forum and in the Flex 2 General Discussion forum.

Additional details on using GlassFish with OpenLaszlo can be found on the OpenLaszlo on GlassFish blog and in Harpreet Singh's weblog. For additional details on running Flex-based Flash applications on GlassFish, see Senthil Chidambaram's blog entry. More details regarding the use and contents of the Flash crossdomain.xml file are available in the Flex documentation and in OpenLaszlo documentation.




UPDATE (08/14/2008): Flash Player security has been tightened since Flash Player 9 Update 3 (9.0.115.0). I recommend reading about changes, including changes to the crossdomain.xml file, in the Adobe document Policy File Changes in Flash Player 9. Changes that may impact you include a requirement that the Content-Type values in server response headers be set to any text type (such as text/html) or application/xml or application/xhtml+xml. Other changes include stricter socket policies and the use of the final URL (rather than the original URL) as the basis for determining the appropriate policy file in the case of a redirection within the same domain.
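
A check a server operator could run against their own policy response, as an added example that is not from the original post: it applies the Content-Type rule from the update above and, going slightly beyond the post, reports wildcard `allow-access-from` entries. The sample policy and its domain names are constructed.

```python
import xml.etree.ElementTree as ET

# Content-Type values the update above lists as acceptable for a policy file,
# in addition to any text/* type.
ALLOWED_XML_TYPES = {"application/xml", "application/xhtml+xml"}

# Constructed sample policy; the domain names are placeholders.
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="apps.example.com"/>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""


def content_type_ok(header_value):
    """True if the media type is text/* or one of the two XML types."""
    media_type = header_value.split(";", 1)[0].strip().lower()
    return media_type.startswith("text/") or media_type in ALLOWED_XML_TYPES


def audit_policy(content_type, body):
    """Return a list of findings for one crossdomain.xml response."""
    findings = []
    if not content_type_ok(content_type):
        findings.append("content-type rejected: " + content_type)
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return findings + ["policy is not well-formed XML: %s" % exc]
    if root.tag != "cross-domain-policy":
        findings.append("unexpected root element: " + root.tag)
    for entry in root.iter("allow-access-from"):
        domain = entry.get("domain", "")
        if domain == "*":
            findings.append("wildcard grants access to every domain")
        elif domain.startswith("*."):
            findings.append("subdomain wildcard: " + domain)
    return findings


if __name__ == "__main__":
    # A binary content type plus the sample policy yields two findings.
    for line in audit_policy("application/octet-stream", SAMPLE_POLICY):
        print(line)
```
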




UPDATE (11/27/2007): I have added some useful links to resources related to the Flash crossdomain.xml file below.

Cross Domain XML
http://www.crossdomainxml.org/

A Site Dedicated to crossdomain.xml at Aral Balkan
http://aralbalkan.com/740

Cross Domain Policy Files
http://moock.org/asdg/technotes/crossDomainPolicyFiles/

The Dangers of a Cross-Domain Ajax with Flash
http://shiflett.org/blog/2006/sep/the-dangers-of-cross-domain-ajax-with-flash

Cross-Domain Ajax Insecurity
http://shiflett.org/blog/2006/aug/cross-domain-ajax-insecurity

Cross-Domain Policy File Usage Recommendations for Flash Player
http://www.adobe.com/devnet/flashplayer/articles/cross_domain_policy.html

Don't Forget Your Cross-Domain Policy Files
http://www.5etdemi.com/blog/archives/2005/04/dont-forget-your-cross-domain-policy-files/
