Introduction

Adobe® Flex is a popular open-source development tool for Flash®. It can be used to build expressive Web applications. As a front-end development tool, Flex can handle data collection for a variety of data types, including maps, tables and more. Many enterprise-level applications tend to place emphasis on powerful back-end processing to the detriment of data visualization. IBM Business Monitor provides a powerful set of Business Space widgets for data visualization, as well as a series of REST APIs to enable you to easily customize data visualization. However, Flash security can create problems when accessing monitoring data created in Business Monitor. In this article, we'll show you how to solve the cross-domain accessing problem.

When a Flash SWF file located in the www.ibm.com domain needs to access files that are located in another domain, for example, www.163.com, SWF first checks whether there is a crossdomain.xml file in the www.163.com server content root. If there is no such crossdomain.xml file, access is denied. If the crossdomain.xml file is located under in the www.163.com server content root, and the www.ibm.com domain is set to allow accessing in crossdomain.xml, communication will be allowed as normal. The crossdomain.xml file is an important element in enabling across-domain access and data transport.

In this article, we will address a solution to resolve this cross-domain accessing problem when using a Flash application to access the data of IBM Business Monitor. The implementation of Flash application is not included in this article.

First, let's look at the format of crossdomain.xml, which contains the following:

• A <cross-domain-policy> node includes one or more <allow-access-from> nodes and has a domain attribute. The value of the domain attribute specifies accessible domains, which can be an IP address, a domain or a wildcard (any domain).
• A <site-control> node defines the current domain's meta-policy. The meta-policy determines which policy files besides the master policy file can be accepted by client. If the policy file is not a master policy file, the site-control node can be ignored. The site-control node has a value called permitted-cross-domain-policies, which has five options:
  • none: no policy file can be accepted, including the master policy file.
  • master-only: only the master policy file can be accepted.
  • by-content-type: (HTTP/HTTPS only) Only policy files served with Content-Type: text/x-cross-domain-policy are allowed.
  • by-ftp-filename: only a URL ending with a file name can be accepted.
  • all: all policy files can be accepted.

Using cross-domain policy files, the crossdomain.xml file can be customized by the security controller or system administrator, in order to restrict what resources can be downloaded from which sites.

Back to top

Overview of the Flash security issue and the proposed solution

When a SWF file downloads data from a server, it does so with certain credentials from the user, which may include cookies, password, private network access, and so on. This is why, by default, a SWF file can download data only from servers in its own domain. (See Adobe Flash Player Security for more information.)

If a server wishes to permit SWF files from other domains to access data from that server (using any user credentials that the server may have provided), the administrator can create policy files specifying such permissions. This is always safe for data that is freely available on the public internet, but may be risky for data that requires user authentication.

The default for network sandboxes is to restrict read permissions to data sources from the origin domain of the SWF file. The system administrator of a domain that hosts resources used by Flash applications can designate what resources can be downloaded from their site using cross-domain policy files.

The crossdomain.xml file resides on the server side, under the domain that the SWF wants to cross access. While SWF accesses a web service, it can access local files normally. However, the access will be denied if the web service is deployed to a cross web container.

The reason cross-domain access is denied is that the service provider partner does not provide a security policy configuration file called crossdomain.xml. Another way to resolve this issue is to use a proxy; we will not discuss that approach in this article.

There are several approaches for where to locate the crosssdomain.xml file:

• Put it under the web content root, and the user can access it using a URL; for example: http://localhost:8080/crossdomain.xml.
• Put it under a web application, and the user can initialize it in a Flash application; for example: Security.loadPolicyFile("http://localhost:8080/aaa/crossdomain.xml"), where aaa is the name of web application.

Using the second approach, when the Flash application wants to access the deployed web services, the Flash player will first access crossdomain.xml, and check whether the security policy for the Flash application's domain is set to allow accessing. If it is, the Flahs application will be able to access the web service data.

Adobe strongly recommends against using a crossdomain.xml that allows all resource accessing, as shown in Listing 1.

<?xml version="1.0"?> 
<!DOCTYPE cross-domain-policy SYSTEM 
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <site-control permitted-cross-domain-policies="all"/>
    <allow-access-from domain="*" secure="false"/> 
    <allow-http-request-headers-from domain="*" headers="*" secure="false"/>
</cross-domain-policy>
            

In this article, our purpose is to describe a solution for a Flash application to access the data from IBM Business Monitor, so we will use a sample crossdomain.xml that allows all resource accessing. However, in real-world cases, we recommend you use a stricter crossdomain.xml to avoid security issues.

Back to top

Implementing the cross-domain access solution

According to the Flash security policy, in order to achieve cross-domain access, you need a crossdomain.xml in the root folder of the web server. It is simple to get to the root folder of your own web server, but the Business Monitor server is based on WebSphere Application Server and you will need find the root content of that.

An application called defaultapplication is installed by default in the root folder of WebSphere Application Server when you create Monitor profiles.

1. First, put crossdomain.xml in [WAS_Home]\profiles\[Monitor_Profile]\installedApps\[Cell_Name]\DefaultApplication.ear\DefaultWebApplication.war\crossdomain.xml.
2. Enable the file servicing of the default application in order to access crossdomain.xml by opening: [WAS_Home]\profiles\[Monitor_Profile]\config\cells\[Cell_Name]\ applications\DefaultApplication.ear\deployments\DefaultApplication\DefaultWebApplication.war\WEB-INF\ibm-web-ext.xmi.
3. Change fileServingEnabled to true, for example:

   <com.ibm.ejs.models.base.extensions.webappext:WebAppExtension xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI" xmlns:com.ibm.ejs.models.base.extensions.webappext="webappext.xmi" xmi:id="WebApp_ID_Ext" reloadInterval="3" reloadingEnabled="true" fileServingEnabled="true" directoryBrowsingEnabled="false" serveServletsByClassnameEnabled="true" preCompileJSPs="false" autoRequestEncoding="false" autoResponseEncoding="false">

   
   
4. By default, a general user cannot access any file through the default application's content root because the file servicing feature is disabled by WebSphere Application Server. Only the server administrator can manually enable this feature. In our solution, you need to access crossdomain.xml, which is located under the default application. We do not address the security issues of this solution.
5. Next, deploy the web application which contains the embedded Flash into your web server. Here we assume you deploy it on another WebSphere Application Server. If you are not using portal in the WebSphere Application Server, you must install a REST proxy application manually.
6. You should find the REST proxy application in the IBM Monitor Server installable folder at: <WAS_ROOT>\installableApps.wbm\WBMDashboardRESTProxy.ear. Copy it from IBM Monitor Server to your Application Server.
7. After installing the proxy application to the Application Server, add two properties as follows:
   1. On the Application Server administrative console, select Servers => Application servers => <server name>
   2. In the Container Settings dialog, click Server Infrastructure => Java and Process Management => Process Definition.
   3. In the Additional Properties dialog, click Java Virtual Machine, then click Custom Properties, and add the following two properties:
      • Name = type="inline">DashboardRESTServiceTarget
        Value = IBM Monitor Server IP address:WC_defaulthost port
      • Name = DashboardRESTServiceSecureTarget
        Value = IBM Monitor Server IP address:WC_defaulthost_secure port
8. Finally, restart WebSphere Application Server to effect the changes, and then invoke your web applications to access the IBM Monitor data.

Back to top

Samples

Business Space can display Business Monitor widgets, including KPIs, instances, reports, and so on. After some widget configuration, Business Space invokes the Business Monitor REST service to obtain required data and render it in the widgets.

Figure 1 shows an example of some Business Monitor KPI widgets.

A Flash application is another way to exhibit business data. Some of the widgets packaged in IBM products are implemented by Flash. These widgets and web services normally reside in same domain by default so that it is rare to encounter the cross-domain security problem.

In this article, we introduced a solution if users want to use a customized Flash application to access data from a cross-domain Monitor server.

Figure 2 shows the same KPIs in a Flash demo implemented by Flex. This can be integrated into your own web server. It invokes a REST service to the Business Monitor Server and displays data using Flash.

Back to top

Conclusion

IBM Business Monitor widgets depend on the Business Space framework and can be difficult to port to another portal that doesn't support widgets. We recommend clients use Business Space because it is embedded in IBM Business Monitor and is easy to access, easy to configure, and easy to use. However, in this article we focused on a scenario where users need to use customized visualization, such as a proprietary Flash-based web application, to access and display Business Monitor data. In this case, the customized web application needs to access Business Monitor data using a REST service, but may not access it locally. The solution we described can be used to solve the Flash security issue encountered in such a cross-domain access scenario.

Resources

• Adobe Flash Player 9 Security
  
  
• IBM Business Monitor Information Center
  
  
• developerWorks BPM zone: Get the latest technical resources on IBM BPM solutions, including downloads, demos, articles, tutorials, events, webcasts, and more.
  
  
• IBM BPM Journal: Get the latest articles and columns on BPM solutions in this quarterly journal, also available in both Kindle and PDF versions.
  
  

About the authors

Jiang Lu is a software engineer for the IBM Business Monitor and Business Space System Verification Test team at the IBM Development Lab in China. Previously, Jiang worked on the development of the IBM Business Monitor product.

Dr. Ben Ji Jia is a software engineer on the IBM BPM SVT team at the IBM Development Lab in China. His primary interests are in BPM, intelligent cloud computing, SOC and 3D model search.

Rate this article

Comments

Back to top

Table of contents

• Introduction
• Overview of the Flash security issue and the proposed solution
• Implementing the cross-domain access solution
• Samples
• Conclusion
• Resources
• About the authors
• Comments

Local resources

• IBM Innovation Center - Austin, TX
• IBM Innovation Center - Chicago, IL
• IBM Innovation Center - Dallas, TX
• IBM Innovation Center - San Mateo, CA
• IBM Innovation Center - Waltham, MA
• Technical Briefings in North America

Dig deeper into WebSphere on developerWorks

Try IBM PureSystems. No charge.

Experience today!

---

Get started with the cloud-based trial and pattern development kit.

Special offers