Enabling cross-domain access of IBM Business Monitor data by Flash applications

This article shows you how you can overcome security issues involved with accessing and displaying IBM® Business Monitor data using a customized visualization application, such as a proprietary Adobe® Flash®-based web application, using Business Monitor REST APIs.


Jiang Lu (lujjiang@cn.ibm.com), Software Engineer, IBM

Jiang Lu photoJiang Lu is a software engineer for the IBM Business Monitor and Business Space System Verification Test team at the IBM Development Lab in China. Previously, Jiang worked on the development of the IBM Business Monitor product.

Ben Ji Jia (jiajicdl@cn.ibm.com), Staff Software Engineer, IBM

Ben Ji Jia photoDr. Ben Ji Jia is a software engineer on the IBM BPM SVT team at the IBM Development Lab in China. His primary interests are in BPM, intelligent cloud computing, SOC and 3D model search.

04 October 2011


Adobe® Flex is a popular open-source development tool for Flash®. It can be used to build expressive Web applications. As a front-end development tool, Flex can handle data collection for a variety of data types, including maps, tables and more. Many enterprise-level applications tend to place emphasis on powerful back-end processing to the detriment of data visualization. IBM Business Monitor provides a powerful set of Business Space widgets for data visualization, as well as a series of REST APIs to enable you to easily customize data visualization. However, Flash security can create problems when accessing monitoring data created in Business Monitor. In this article, we'll show you how to solve the cross-domain accessing problem.

When a Flash SWF file located in the www.ibm.com domain needs to access files that are located in another domain, for example, www.163.com, SWF first checks whether there is a crossdomain.xml file in the www.163.com server content root. If there is no such crossdomain.xml file, access is denied. If the crossdomain.xml file is located under in the www.163.com server content root, and the www.ibm.com domain is set to allow accessing in crossdomain.xml, communication will be allowed as normal. The crossdomain.xml file is an important element in enabling across-domain access and data transport.

In this article, we will address a solution to resolve this cross-domain accessing problem when using a Flash application to access the data of IBM Business Monitor. The implementation of Flash application is not included in this article.

First, let's look at the format of crossdomain.xml, which contains the following:

  • A <cross-domain-policy> node includes one or more <allow-access-from> nodes and has a domain attribute. The value of the domain attribute specifies accessible domains, which can be an IP address, a domain or a wildcard (any domain).
  • A <site-control> node defines the current domain's meta-policy. The meta-policy determines which policy files besides the master policy file can be accepted by client. If the policy file is not a master policy file, the site-control node can be ignored. The site-control node has a value called permitted-cross-domain-policies, which has five options:
    • none: no policy file can be accepted, including the master policy file.
    • master-only: only the master policy file can be accepted.
    • by-content-type: (HTTP/HTTPS only) Only policy files served with Content-Type: text/x-cross-domain-policy are allowed.
    • by-ftp-filename: only a URL ending with a file name can be accepted.
    • all: all policy files can be accepted.

Using cross-domain policy files, the crossdomain.xml file can be customized by the security controller or system administrator, in order to restrict what resources can be downloaded from which sites.

Overview of the Flash security issue and the proposed solution

When a SWF file downloads data from a server, it does so with certain credentials from the user, which may include cookies, password, private network access, and so on. This is why, by default, a SWF file can download data only from servers in its own domain. (See Adobe Flash Player Security for more information.)

If a server wishes to permit SWF files from other domains to access data from that server (using any user credentials that the server may have provided), the administrator can create policy files specifying such permissions. This is always safe for data that is freely available on the public internet, but may be risky for data that requires user authentication.

The default for network sandboxes is to restrict read permissions to data sources from the origin domain of the SWF file. The system administrator of a domain that hosts resources used by Flash applications can designate what resources can be downloaded from their site using cross-domain policy files.

The crossdomain.xml file resides on the server side, under the domain that the SWF wants to cross access. While SWF accesses a web service, it can access local files normally. However, the access will be denied if the web service is deployed to a cross web container.

The reason cross-domain access is denied is that the service provider partner does not provide a security policy configuration file called crossdomain.xml. Another way to resolve this issue is to use a proxy; we will not discuss that approach in this article.

There are several approaches for where to locate the crosssdomain.xml file:

  • Put it under the web content root, and the user can access it using a URL; for example: http://localhost:8080/crossdomain.xml.
  • Put it under a web application, and the user can initialize it in a Flash application; for example: Security.loadPolicyFile("http://localhost:8080/aaa/crossdomain.xml"), where aaa is the name of web application.

Using the second approach, when the Flash application wants to access the deployed web services, the Flash player will first access crossdomain.xml, and check whether the security policy for the Flash application's domain is set to allow accessing. If it is, the Flahs application will be able to access the web service data.

Adobe strongly recommends against using a crossdomain.xml that allows all resource accessing, as shown in Listing 1.

Listing 1. crossdomain.xml providing access to all resources
<?xml version="1.0"?> 
<!DOCTYPE cross-domain-policy SYSTEM 
    <site-control permitted-cross-domain-policies="all"/>
    <allow-access-from domain="*" secure="false"/> 
    <allow-http-request-headers-from domain="*" headers="*" secure="false"/>

In this article, our purpose is to describe a solution for a Flash application to access the data from IBM Business Monitor, so we will use a sample crossdomain.xml that allows all resource accessing. However, in real-world cases, we recommend you use a stricter crossdomain.xml to avoid security issues.

Implementing the cross-domain access solution

According to the Flash security policy, in order to achieve cross-domain access, you need a crossdomain.xml in the root folder of the web server. It is simple to get to the root folder of your own web server, but the Business Monitor server is based on WebSphere Application Server and you will need find the root content of that.

An application called defaultapplication is installed by default in the root folder of WebSphere Application Server when you create Monitor profiles.

  1. First, put crossdomain.xml in [WAS_Home]\profiles\[Monitor_Profile]\installedApps\[Cell_Name]\DefaultApplication.ear\DefaultWebApplication.war\crossdomain.xml.
  2. Enable the file servicing of the default application in order to access crossdomain.xml by opening: [WAS_Home]\profiles\[Monitor_Profile]\config\cells\[Cell_Name]\ applications\DefaultApplication.ear\deployments\DefaultApplication\DefaultWebApplication.war\WEB-INF\ibm-web-ext.xmi.
  3. Change fileServingEnabled to true, for example:
    xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI"
    xmi:id="WebApp_ID_Ext" reloadInterval="3" reloadingEnabled="true" 
    serveServletsByClassnameEnabled="true" preCompileJSPs="false"
    autoRequestEncoding="false" autoResponseEncoding="false">
  4. By default, a general user cannot access any file through the default application's content root because the file servicing feature is disabled by WebSphere Application Server. Only the server administrator can manually enable this feature. In our solution, you need to access crossdomain.xml, which is located under the default application. We do not address the security issues of this solution.
  5. Next, deploy the web application which contains the embedded Flash into your web server. Here we assume you deploy it on another WebSphere Application Server. If you are not using portal in the WebSphere Application Server, you must install a REST proxy application manually.
  6. You should find the REST proxy application in the IBM Monitor Server installable folder at: <WAS_ROOT>\installableApps.wbm\WBMDashboardRESTProxy.ear. Copy it from IBM Monitor Server to your Application Server.
  7. After installing the proxy application to the Application Server, add two properties as follows:
    1. On the Application Server administrative console, select Servers => Application servers => <server name>
    2. In the Container Settings dialog, click Server Infrastructure => Java and Process Management => Process Definition.
    3. In the Additional Properties dialog, click Java Virtual Machine, then click Custom Properties, and add the following two properties:
      • Name = type="inline">DashboardRESTServiceTarget
        Value = IBM Monitor Server IP address:WC_defaulthost port
      • Name = DashboardRESTServiceSecureTarget
        Value = IBM Monitor Server IP address:WC_defaulthost_secure port
  8. Finally, restart WebSphere Application Server to effect the changes, and then invoke your web applications to access the IBM Monitor data.


Business Space can display Business Monitor widgets, including KPIs, instances, reports, and so on. After some widget configuration, Business Space invokes the Business Monitor REST service to obtain required data and render it in the widgets.

Figure 1 shows an example of some Business Monitor KPI widgets.

Figure 1. Business Monitor KPI widgets
Business Monitor KPI widgets

A Flash application is another way to exhibit business data. Some of the widgets packaged in IBM products are implemented by Flash. These widgets and web services normally reside in same domain by default so that it is rare to encounter the cross-domain security problem.

In this article, we introduced a solution if users want to use a customized Flash application to access data from a cross-domain Monitor server.

Figure 2 shows the same KPIs in a Flash demo implemented by Flex. This can be integrated into your own web server. It invokes a REST service to the Business Monitor Server and displays data using Flash.

Figure 2. Flash application accessing Business Monitor data
Flash application accessing Business Monitor data


IBM Business Monitor widgets depend on the Business Space framework and can be difficult to port to another portal that doesn't support widgets. We recommend clients use Business Space because it is embedded in IBM Business Monitor and is easy to access, easy to configure, and easy to use. However, in this article we focused on a scenario where users need to use customized visualization, such as a proprietary Flash-based web application, to access and display Business Monitor data. In this case, the customized web application needs to access Business Monitor data using a REST service, but may not access it locally. The solution we described can be used to solve the Flash security issue encountered in such a cross-domain access scenario.



developerWorks: Sign in

Required fields are indicated with an asterisk (*).

Need an IBM ID?
Forgot your IBM ID?

Forgot your password?
Change your password

By clicking Submit, you agree to the developerWorks terms of use.


The first time you sign into developerWorks, a profile is created for you. Information in your profile (your name, country/region, and company name) is displayed to the public and will accompany any content you post, unless you opt to hide your company name. You may update your IBM account at any time.

All information submitted is secure.

Choose your display name

The first time you sign in to developerWorks, a profile is created for you, so you need to choose a display name. Your display name accompanies the content you post on developerWorks.

Please choose a display name between 3-31 characters. Your display name must be unique in the developerWorks community and should not be your email address for privacy reasons.

Required fields are indicated with an asterisk (*).

(Must be between 3 – 31 characters.)

By clicking Submit, you agree to the developerWorks terms of use.


All information submitted is secure.

Dig deeper into Business process management on developerWorks

Zone=Business process management, WebSphere
ArticleTitle=Enabling cross-domain access of IBM Business Monitor data by Flash applications