Thursday, June 10, 2010

Flash Security Error #2170: Security sandbox violation

In one of my recent Flex projects with Cisco, the flex app has to connect to salesforce to utilize Web service APIs. From the Development Environment, that is, from the Flex Builder there is no problem in connecting to Salesforce either over http or https. However, once the Flex app is published to one of the Cisco's IIS or Tomcat Server, the Flex app could not connect to Salesforce complaining Security sandbox violation (not the Salesforce sandbox, but the Flash player sandbox).

Whenever there is a security violation, the first thing that comes to mind is the crossdomain.xml that should be properly configured and set-up at the salesforce end.
Salesforce had the crossdomain.xml in both their http and https servers.

This is the content of the crossdomain.xml file in
- < cross-domain- policy>
< allow-access- from domain="*" secure="true" />
< allow-http- request-headers- from domain="*" headers="*" secure="true" />
< /cross-domain- policy>

I tried my swf accessed from both http and https. I still get the same error. Error #2170: Security sandbox violation

I gave permission for the swf file to allow access to Salesforce URL in swf settings > Global security settings panel. I still get the same error. Error #2170: Security sandbox violation

Thanks to one of the coders in the flex forum, he alerted me of the new security feature that got introduced in Flash Player 10. The above solution would have worked great in Flash player 9, bcos in version 9, the flash player would automatically look at the root crossdomain.xml in If it is not there, it would look at the next crossdomain.xml in /root/at this folder1/crossdomain.xml

But in Flash player 10, we have to load crossdomain file explicitly in the Flex code. Read here for more info: security_03.html

I have added the following code in my flex app.

private function setupSecurity():void {

Did it work? No! Why? I have deployed the Flex app on the Cisco's IIS server which is a http server. So the Flex app failed to connect saying the same error because I was trying to connect to http IIS server to the https Salesforce server. Conflict of Interest! Either http to http connection is possible. Or https over https is possible. So before installing the https server in Cisco's IIS server, I tried http over http (beware: this would send the password in clear text. You could see the password in firbug in clear text). This is just a test to find out if it would work. Yes! it worked. Now Cisco has to buy a SSL certificate. I did a research to find it costs $1500 for a year!

Please check this URL to buy the certificate :;jsessionid=4DF6BC5DE74707E0E5B69747B6131232?uid=e1494c681c05e7c3229fd5030d7f1fc0&product=GHA002

Before making this purchase, I need to prove if the https to https works as well. Microsoft is handy for this. They have a free self sign certificate to be installed in the IIS server. Check this URL :

I had to install this self signed SSL on my laptop first. I had IIS Server running on my laptop. After I installed this, https flex app over https salesforce worked!!

When I installed the same solution in Cisco's IIS server, it worked great!!

Here's a screen shot of this flex app which connected to salesforce and retrieved the data to show the relationship in Yworks.

No comments: