Flash requires a crossdomain.xml file when connecting to a foreign server. For example, let's say the flash app is served from www.example.com and the application wants to make a network connection to xmpp.example.com to do XMPP operations. That connection won't be allowed unless a crossdomain.xml file on xmpp.example.com says that it's permitted. With no intervention from the developer, Flash will attempt to find the crossdomain.xml file using an HTTP request to port 80 of xmpp.example.com in this example. However, starting with Flash 7, it's possible to make an XML socket request to find the crossdomain.xml file:
That will cause Flash to send the following request to port 5222:
(note, need to verify actual syntax using a Flash connection).
We should specially intercept that XML request and return crossdomain.xml contents instead of standard XMPP. It may seem a bit awkward to implement the feature this way, but it makes network settings much easier since port 5222 must already be open by the firewall. We don't want to require that users have an HTTP server on the same domain as their XMPP server, which is the motivation for this feature.
When we get a request, we should return the following:
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<allow-access-from domain="*" to-ports="5222,5223" />
That allows connections from any host over ports 5222 and 5223.
where do i have to keep the crossdomain policy file in the http server or in the xmlsocketserver if xmlsocketserver means where in the xmlsocketserver...
I think the policy file should be served up from a separate, configurable port rather then hacking 5222 or 5223 to serve it up.
And, it should be configurable in the admin console what domains, and also what services should flash have access to.
Added initial support without port configuration. Still will need to add port configuration via system properties.
crossdomain.xml is now filled in with the port number from the server; It seems to me that the secure port isn't needed, since flash doesn't currently support it, so I'm just having it fill in the non-secure one.