Wednesday, December 03, 2008

Implement Flash socket policy file server

Recently I had to implement a Flash socket policy file server. Here are a few things I discovered while creating the server.

Why socket policy file server?

Since Flash player 9 you can no longer use the HTTP based crossdomain.xml file to specify cross-domain policy for socket based server as part of the on-going security enhancement from Adobe. Therefore a specialized socket file server (default on 843 for master policy) needs to be created to return the policy file(s) for the socket based client. See Policy file changes in Flash Player 9 and Flash Player 10 for more details.

Whats the expectatoin?

The basic idea behind this file server is fairly simple. The server will wait for the policy file request from the Flash player sent directly by the Flash player. The policy request is just a string of followed by a NULL byte (00), upon receiving the request the server will return the content of the policy file.

Whats the catch?

1. String chararacter set

In Adobe's document there was no mentioning of the encoding charset for the returning string, and based on my experiment I found the Flash player did not like the UTF-8 encoding in Java. Probably because Java DataOutputStream uses a modified UTF-8 encoding. At the end I found that ISO-8859-1 worked out pretty well with the Flash player, and since your policy file should not contain any unicode character anyway I think this is a pretty good approach.

2. Write timing

One interesting thing I found is although Adobe mentioned in their documentation the request handling should be in the following sequence:
  • Receive request
  • Verify request
  • Write policy content
  • Close socket
I found the Flash player is happy even if you just simply write policy content as soon as the socket is accepted. Although if you are writing your own file server you probably should stick with Adobe's spec not only because it makes sense but also because the undocumented Flash player behavior might change without notice in the future release.

3. Close your socket

In Adobe's documentation it mentioned that the Flash player will close the socket as soon as it received the policy file, but based on my experiment it seems that Flash player performs less consistent if the server does not close the socket right after the content is written.

Hope this information will help you save some time while implementing your own policy file server.

More reference:

No comments: