I'm having an epic amount of difficulty trying to get a result from a httprequest to a https address.
I'm loading a policy file from the address but I'm still getting the 2048 security error.
I load my policy file like so in my preinitialize handler.
private function preint(e:FlexEvent):void
{
    Security.loadPolicyFile("https://api.soundcloud.com/crossdomain.xml");
}
My server gives me back a special token I need and then I try to make a request to the resource I need using a urlrequest and urlloader.
private function getprivatetracks():void
{
    var url:String=new String("https://api.soundcloud.com/me/tracks?oauth_token=" + testapplicationparameters["oauth_token"])
    var req:URLRequest=new URLRequest()
    req.contentType="application/x-www-form-urlencoded"
    req.method=URLRequestMethod.GET;
    req.url=url;
    var loader:URLLoader=new URLLoader()
    loader.dataFormat=URLLoaderDataFormat.TEXT;
    loader.dataFormat="text";
    loader.load(req);
    configureListeners(loader);
}
If I trace out the url I'm calling and paste it into a browser I can see the result fine. It's purely a flash thing.
When I run the swf in debug mode from the flex IDE the request works fine. The problem only occurs when the swf is on a server.
I've spent the best part of a day banging my head trying to figure this out.
Could somebody suggest what I might be doing wrong?
I'm guessing I'm lacking some fundamental knowledge about how flash deals with https.
EDIT 1
Error: Request for resource at https://api.soundcloud.com/me/tracks?oauth_token=0000000NBfKiNXEYG00FWTUGAy5Uw68r by requestor from http://myserver/content/flash/soundcloud/sclive.swf is denied due to lack of policy file permissions.
*** Security Sandbox Violation ***
Connection to https://api.soundcloud.com/me/tracks?oauth_token=0000000NBfKiNXEYG00FWTUGAy5Uw68r halted - not permitted from http://myserver/content/flash/soundcloud/sclive.swf
Error #2044: Unhandled securityError:. text=Error #2048: Security sandbox violation: http://myserver/content/flash/soundcloud/sclive.swf cannot load data from https://api.soundcloud.com/me/tracks?oauth_token=0000000NBfKiNXEYG00FWTUGAy5Uw68r.
at sclive/getprivatetracks()[C:\flex_projects\sclive\src\sclive.mxml:74]
at sclive/authorize_result_handler()[C:\flex_projects\sclive\src\sclive.mxml:62]
at flash.events::EventDispatcher/dispatchEventFunction()
at flash.events::EventDispatcher/dispatchEvent()
at HTTPOperation/http://www.adobe.com/2006/flex/mx/internal::dispatchRpcEvent()[C:\autobuild\3.5.0\frameworks\projects\rpc\src\mx\rpc\http\HTTPService.as:763]
at mx.rpc::AbstractInvoker/http://www.adobe.com/2006/flex/mx/internal::resultHandler()[C:\autobuild\3.5.0\frameworks\projects\rpc\src\mx\rpc\AbstractInvoker.as:263]
at mx.rpc::Responder/result()[C:\autobuild\3.5.0\frameworks\projects\rpc\src\mx\rpc\Responder.as:46]
at mx.rpc::AsyncRequest/acknowledge()[C:\autobuild\3.5.0\frameworks\projects\rpc\src\mx\rpc\AsyncRequest.as:74]
at DirectHTTPMessageResponder/completeHandler()[C:\autobuild\3.5.0\frameworks\projects\rpc\src\mx\messaging\channels\DirectHTTPChannel.as:409]
at flash.events::EventDispatcher/dispatchEventFunction()
at flash.events::EventDispatcher/dispatchEvent()
at flash.net::URLLoader/onComplete()
EDIT 2
I've tried catching the security error event and checking the url to make sure there's no redirects going on but the handler never gets called! I always get the unhandled exception error even though I've written a handler for it.
It is not advisable to permit HTTP content to access HTTPS content for security reasons.
So, if soundcloud wants to allow HTTP content to access its data, they should specify it in their crossdomain.xml (using the attribute secure="false" in the allow-access-from tag).
However, I've just noticed there is also a crossdomain on http:
http://api.soundcloud.com/crossdomain.xml
So I suggest you use this URL instead of the HTTPS one and it should work.
Related
I am using reCaptcha in my MVC 3 web app running on localhost.
Things were working fine a few weeks back but are suddenly failing.
Suddenly getting this error.
if(!ReCaptcha.Validate(_config.RecaptchaPrivateKey)){ // <-- times out here
    //process other fields in the form
}
As soon as I fill in the form and hit submit I get this error:
The operation has timed out
Description : An unhandled exception occurred during the execution of the current ...
Exception Details : System.Net.WebException: The operation has timed out
Is this a proxy issue?
Is this because my site on localhost runs on port 3316?
localhost:3316/user/signup
I saw some posts that suggest that reCAPTCHA expects port 80 but my app runs on port 3316
What can be the issue?
Thanks
I got around this by creating a proxy class that inherits IWebProxy.
Then specifying to use this proxy when internal, I had to transform it out for other environments that didn't need to use it.
See this question and accepted answer:
Is it possible to specify proxy credentials in your web.config?
The above link took some finding, so I favourited it for future use.
I am writing some code for windows 8 that uses open data provided by the city of Vancouver. When I use the WinJS.xhr call on the data url:
ftp://webftp.vancouver.ca/opendata/csv/weekendplayfieldstatus.csv
I get the exception:
0x80070005 - JavaScript runtime error: Access is denied.
Here is the function call:
var url = "ftp://webftp.vancouver.ca/opendata/csv/weekendplayfieldstatus.csv";
return WinJS.xhr({ url: url });
However, the very same call works for pretty much every other website I have tried. But, the rest have all been http and not ftp.
IE's XMLHttpRequest object (which WinJS.xhr uses) doesn't support the ftp protocol, so that's why you get an error.
Try using BackgroundDownloader class which supports ftp downloads.
The XHR acronym stands for "XML HTTP Request". The protocol it supports is in the name.
I'm running a WCF client locally that always throws a MessageSecurityException with the text:
"An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail."
The Inner Exception Message Is:
"An error occurred when verifying security for the message"
I set up a trace and in that file I can see the "inner inner" exception message as:
"The 'Body', 'http://www.w3.org/2003/05/soap-envelope' required message part was not signed. "
The bindings all match perfectly between the client and the service with them all using netTcpBinding with the securityMode="Message".
The ServiceContract decorating the interface behind the service is:
[ServiceContract(ProtectionLevel = ProtectionLevel.None)]
What could be causing my errors? I'm no WCF expert, so if you need any more information just comment. Any ideas on what to try would be helpful too, I just have no idea what's going on here.
By default, all messages are signed and encrypted in WCF, and why on earth would you ever want to turn that off??
So in this case, most likely, your client has encrypted and signed the message, but the server doesn't understand it because of your attribute on the service contract.
My recommendation: unless you have a very compelling reason, never tamper and change those settings - just forget about that attribute on your service and leave the defaults:
[ServiceContract(ProtectionLevel = ProtectionLevel.EncryptAndSign)]
or
[ServiceContract]
If you really have to turn it off, you need to turn it off on both sides of the conversation - both the client and the server must agree on whether or not messages are encrypted and signed.
Marc
I get a really strange security error when trying to load data from one URL to another. Essentially my facebook canvas URL points to http://www.tonyamoyal.com/stuff/path/ and that has an fb:swf tag which points to http://www.tonyamoyal.com/stuff/path/Quiz.swf. The facebook app loads fine but when I try to call a service that resides on another URL, I get a security error:
http://www.tonyamoyal.com/stuff/path/Quiz.swf cannot load data from http://www.somedomain.com/path/path/service.aspx
The cross-domain on tonyamoyal.com is set up to allow all domains to pass. The cross-domain on somedomain.com has a line specifically allowing calls from www.tonyamoyal.com:
<allow-access-from domain="www.tonyamoyal.com" />
Any idea why there would be a security issue here?
At application startup try to load the policy file by doing:
Security.loadPolicyFile("http://www.somedomain.com/crossdomain.xml");
So I've got a bit of an issue I'm trying to work through. Perhaps some Flex guru could assist?
I have a WebService instance that attempts to load a WSDL file from our JBoss Application Server. If I do something like this:
webService = new WebService();
webService.destination = WebService.DEFAULT_DESTINATION_HTTP;
webService.wsdl = "http://<removed>/services/ApiService?wsdl";
webService.loadWSDL();
everything works fine. The WSDL is loaded successfully and the application can invoke methods against the web service.
The issue is when I need to add some HTTP authentication to the mix:
webService.setCredentials(userName, password);
this line ends up throwing an error stating that credentials are only supported on HTTPS. Ok fair enough, I want to use secure HTTPS anyway!
So then I tried to change it up to this...
webService = new WebService();
webService.destination = WebService.DEFAULT_DESTINATION_HTTPS;
webService.wsdl = "https://<removed>/services/ApiService?wsdl";
webService.setCredentials(userName, password);
webService.loadWSDL();
and now the WebService instance cannot load the WSDL. The error received is:
[FaultEvent fault=[RPC Fault faultString="HTTP request error" faultCode="Server.Error.Request" faultDetail="Unable to load WSDL. If currently online, please verify the URI and/or format of the WSDL (https://<removed>/services/ApiService?wsdl)"] messageId="6905CC5B-5317-C4B3-2D12-84647EE648A7" type="fault" bubbles=false cancelable=true eventPhase=2]
I can reach this URI in the browser just fine and it returns the WSDL as expected.
I am not a Flex guy (learning) but instead a Java developer. I am trying out Flex as a potential client to our system but this has caused me all kinds of grief today. Google doesn't appear to have any quick answers for me and I am a bit stumped.
First question on StackOverflow so hopefully this gets a bite somewhere and helps some other poor Java dev staying late in the office on a Friday night :-)
This seems to be related to your question. We are planning to use https in the future, so I'm curious to know the solution of your problem.