Flash Socket Policy Service

Introduction

Adobe Flash Player can communicate with a remote server via a network socket, but only if it is granted permission to do so. The remote server grants or denies permission by serving an XML socket policy document by way of a socket policy service. The socket policy document specifies which hostnames are permitted to connect to which ports on the server. If the rules set forth in the socket policy document permit it, Flash Player proceeds with the connection.

Enabling the Flash Socket Policy Service

flashpolicyserver.js

The Flash socket policy service script resides at exec/flashpolicyserver.js. If you do not have this file, you may obtain it from the Synchronet CVS repository.

services.ini

To enable the socket policy service on startup of your BBS, add the following entry to the services.ini file in your ctrl directory:

[FlashPolicy]
Port=843
MaxClients=10
Options=0
Command=flashpolicyserver.js

flashpolicy.xml

The socket policy document issued by the socket policy server resides at ctrl/flashpolicy.xml. If you do not have this file, you may obtain it from the Synchronet CVS repository.

By default, the socket policy document is configured to grant access to port 23 of your BBS server to all domains. This is specified in the following line in flashpolicy.xml:

<allow-access-from domain="*" to-ports="23" secure="false" />

The to-ports field of the above element can be a comma-delimited list of the ports that you wish to grant access to for the specified domains (* by default, meaning all domains). If, for example, you'd like to host a Flash IRC client on your BBS website, you can modify the above line to read:

<allow-access-from domain="*" to-ports="23,6667" secure="false" />

Now Flash clients from all domains are permitted access to ports 23 and 6667.

Another option is to simply add a second <allow-access-from /> tag beneath the existing one, granting access to the additional port:

<allow-access-from domain="*" to-ports="6667" secure="false" />

However, since access is being granted to all domains in both cases in the above example, only one tag is necessary, so it is more efficient to use the former method. Separate <allow-access-from /> tags are only necessary when you want more granular control over which domains have access to which services.

The domain field of the <allow-access-from /> tag is used to specify which servers are permitted to host Flash applications that connect to your services. The default * value means that anybody anywhere could host a Flash application that connects to your BBS. If you object to the possibility of somebody integrating access to services on your BBS via a Flash application on their website, modify this field accordingly.
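
An added example, not part of the original page or the Synchronet code: a short Python audit of a socket policy document that merges every <allow-access-from /> rule into the set of ports each domain is granted and lists what the * rule exposes. The sample policy and www.example.com are constructed; beyond the comma-delimited lists described above, it also accepts the port ranges and * wildcard that the policy format allows in to-ports.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's default wildcard rule plus a hypothetical
# granular rule for a single site (www.example.com is a placeholder).
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" to-ports="23" secure="false" />
  <allow-access-from domain="www.example.com" to-ports="6667,7000-7002" secure="false" />
</cross-domain-policy>"""


def expand_ports(spec):
    """Expand a to-ports value ("23,6667", "7000-7002" or "*") into a set."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if item == "*":
            return {"*"}  # every port is granted
        if "-" in item:
            low, high = (int(n) for n in item.split("-", 1))
            ports.update(range(low, high + 1))
        elif item:
            ports.add(int(item))
    return ports


def effective_grants(policy_xml):
    """Map each domain pattern to the union of ports granted across all rules."""
    grants = {}
    for rule in ET.fromstring(policy_xml).iter("allow-access-from"):
        domain = rule.get("domain", "")
        ports = expand_ports(rule.get("to-ports", ""))
        grants.setdefault(domain, set()).update(ports)
    return grants


def wildcard_ports(grants):
    """Ports reachable by Flash applications hosted on any site (domain="*")."""
    return sorted(grants.get("*", set()), key=str)


if __name__ == "__main__":
    grants = effective_grants(SAMPLE_POLICY)
    for domain, ports in grants.items():
        print(domain, "->", sorted(ports, key=str))
    print("Open to Flash applications hosted anywhere:", wildcard_ports(grants))
```

Run against the contents of your own ctrl/flashpolicy.xml, an empty wildcard list means no service is exposed to Flash applications hosted on arbitrary sites.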

Firewall Considerations

Flash socket policy servers typically listen on TCP port 843. If for some reason you wish to use another port, you may modify the Port key-value pair of the [FlashPolicy] section of your services.ini file. If you do so, you will also need to tell your Flash application to look for the socket policy server on the alternate port that you have chosen. The method by which this is accomplished will vary from one Flash application to another.

Ensure that port 843 (or whichever port you have opted to run this service on) is open in your firewall and is forwarded to your BBS server.

See Also

service/flashpolicyservice.txt · Last modified: 2011/03/13 22:15 by echicken
CC Attribution 4.0 International