Friday, November 19, 2010

Cross Domain Policy file goodness!

What can I say? I am a little proud. Today I put out a long burning old flame. And no, I am not talking about ex-girlfriends. I am talking about security problems in regards to cross domain policy files, SWF security policies and hocus pocus mumbo jumbo.

Here was my scenario. Let's go back in time for 3 months and pretend it's August...when I built our initial FLEX 4 application. I would manually deploy the app to a web server. Let's say it was located at 172.0.0.1. We were really happy with how that worked: we could hit the server via a browser, log in and get down to business. Everything was gravy. Too easy, mate! Or not?

Then we decided that using an IP address to access our web portal was not ideal. Sales guys no likey. So we decided we do not want to demo the application to customers using an IP address. It seemed a little un-professional. So we came up with a domain to use, like so: "http://portal.mycompany.com/".

We were hoping we were done at this stage and we could all go on some big tropical vacation, reaping the benefits of FLEX 4. We were wrong. Oh so wrong.

Using the new domain name, we could hit the "portal.mycompany.com" SWF and get to the login page just fine. But when we tried to actually log in and authenticate, the application would just hang.

This was so frustrating as I was brand new to FLEX at the time. We logged it in our bug tracking system but sat on it for a while. 3-4 months, respectively.

Fast forward 3 months. I have a little extra time on my hands now that I have some help sitting directly next to me. I revisited this "bug" yesterday and determined it wasn't really a hosting/redirecting issue with our hosting provider, although my original assumption was that it was. I had been reading up on FLEX previously and had read much about "cross domain policy" files regarding domain security. I will eventually need to make use of this when we decide to convert to HTTPS and SSL to secure our protocol. So in essence, I had already done some of my homework for this.

My co-worker pointed out that the "Flash Builder 4 and Flex 4 Bible" book has a section in "Chapter 23: Working with HTTPService and XML - page 746" that overviews Cross Domain policy issues. I have already read plenty on the subject on the web but could never figure out how to put this cross domain XML policy file into my application, or even create it. There is very little about that. There is much explanation on domain scenarios and the different quirks you may run into. But there is no good documentation anywhere on how to actually setup a cross domain policy file for your application. Or even in your application?

The book covers in great detail how to use the file, but doesn't really tell you how to create it. I noticed at the end of the chapter there's a tiny little note that says you should visit this link to read more on how to use this thing.

From what I gathered there, you need to generate the XML file manually.

It is important to point out that the crossdomain.xml file does not get added to your FLEX project at all. Instead, you place the XML file in the "root" of your web server directory, which for me was, C:\inetpub\wwwroot.

Originally I had tried to place the crossdomain.xml file in my publish folder, where my application and SWF file reside. This did not work!! It is ultra important that the XML file be placed correctly in the server root folder. Once I placed it there, everything worked fine and our long standing bug was marked resolved!!
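The post never shows what actually goes into crossdomain.xml, so here is an added example (not from the post, the book, or Adobe): a minimal policy restricted to the portal hostname, next to the wide-open `domain="*"` form that tutorials tend to hand out, plus a small checker that parses a policy and flags the permissive settings. The root placement matters because Flash Player fetches the master policy from /crossdomain.xml at the web root, which is why the publish folder did nothing. The hostname "portal.mycompany.com" is taken from the post as a placeholder; both policy documents are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a master policy that only lets SWFs served from the
# portal hostname (placeholder from the post) make cross-domain requests.
# secure="true" keeps HTTP-served SWFs from reading an HTTPS server's data.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="portal.mycompany.com" secure="true"/>
</cross-domain-policy>
"""

# Constructed sample: the permissive form. Any SWF on any site may now read
# responses from this server with the visiting user's cookies attached.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>
"""


def allowed_domains(policy_xml: str) -> list[str]:
    """Return the domain attribute of every allow-access-from element."""
    root = ET.fromstring(policy_xml)
    return [e.get("domain", "") for e in root.findall("allow-access-from")]


def policy_findings(policy_xml: str) -> list[str]:
    """Parse a crossdomain.xml document and list the settings a reviewer
    should question. An empty list means nothing permissive was found."""
    findings = []
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        findings.append("root element is not <cross-domain-policy>")
        return findings

    for entry in root.findall("allow-access-from"):
        domain = entry.get("domain", "")
        if domain == "*":
            findings.append("wildcard domain: every site may read this server")
        elif domain.startswith("*."):
            findings.append(f"subdomain wildcard {domain}: every subdomain is trusted")
        if entry.get("secure", "true").lower() == "false":
            findings.append(f"secure=\"false\" for {domain}: HTTP SWFs may read HTTPS data")

    # Without site-control, per-directory policy files elsewhere on the
    # server can widen what the master policy allows.
    if root.find("site-control") is None:
        findings.append('no <site-control permitted-cross-domain-policies="master-only"/>')
    return findings


if __name__ == "__main__":
    for name, policy in (("restricted", RESTRICTED_POLICY), ("permissive", PERMISSIVE_POLICY)):
        print(name, allowed_domains(policy), policy_findings(policy))
```

Run it as a script to see both policies scored; in practice, point `policy_findings` at the file you are about to drop into the web root (C:\inetpub\wwwroot in the post) before it goes live, and keep the domain list to the hostnames that actually host your SWF.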

Time to go eat some sushi at Whole Foods...Cheers!
