Chirag Mehta

Flex - Salesforce : Error #2048: Security sandbox violation

I am working on a Visualforce-Customer Portal based Eventforce application development. Part of this application includes a Flex calendar embedded inside a Visualforce page. This calendar shows the user's event attendance details.

Flex being a non-native language to Salesforce, to interact with Salesforce we either need to hard-code the username and password or pass in the session ID. Both approaches have a con attached to them, in that they open up security to a certain extent. So in the best interest of security we made the interaction between Flex and Salesforce possible using the following approach:

  1. Create a Force.com Site
  2. Expose a VF page which accepts a user ID as input and returns his/her attendance details in JSON format
  3. Now, Flex makes an HTTPRequest to the above site URL with the user ID as input, gets the JSON response back, parses the response and displays the attendance in graphical format inside Flex.

During this interaction we are facing a security hurdle. On accessing the Visualforce page https://c.cs0.visual.force.com/apex/myCalendar, which hosts the Flex file "CMScheduleFlex", I receive the following error:

Error #2048: Security sandbox violation: https://c.cs0.visual.force.com/resource/1269610884000/CMScheduleFlexFile cannot load data from https://qlikview.qonnect.cs0.force.com/mycalendar/scheduleService

Here https://qlikview.qonnect.cs0.force.com/mycalendar/scheduleService is a site URL being HTTPRequested from Flex to retrieve a JSON response in return.

This seems like a cross-domain problem. I read on the net that this has something to do with the crossdomain file; what I know is that it's an XML file located in the root of the web server, with something like this:

    <?xml version="1.0"?>
    <cross-domain-policy>
      <allow-access-from domain="*" to-ports="*" secure="true" />
    </cross-domain-policy>

Also, a few forums mention these instructions:

    Security.allowDomain()
    Security.allowInsecureDomain()

But the question is where do we place the crossdomain.xml file in the case of Salesforce, or where do we write the Security.allowDomain lines. Any help or suggestions?

Please note that there exists a cross-domain XML located on each Salesforce instance, for e.g.

https://qlikview.qonnect.cs0.force.com/mycalendar/services/Soap/cross-domain.xml

Both the URLs are being served from the same domain, but not the same sub-domain. In that case, how can data transfer between two different sub-domains be allowed?

Message Edited by Chirag Mehta on 03-29-2010 11:32 AM
Ron Hess

I believe Flex requires the same subdomain to transfer data, not sure.

When I access this https://qlikview.qonnect.cs0.force.com/mycalendar/scheduleService

I get a security exception. Not sure how this domain is configured, but that looks strange to me.

Chirag Mehta

Yes, I too read the same, that from recent releases of Flex even the sub-domain needs to be the same for data interactions.

Is the security exception something to do with the issue? If yes, can you please explain more on how to handle the security exception.

Message Edited by Chirag Mehta on 03-30-2010 08:43 AM
Nick34536345

I suspect that it's not possible to modify the crossdomain.xml,

but can't you just publish your "myCalendar" page with the Flex on your Site and access it through your Site domain, so that the domains match?

BrendanOC

Cross Domain policy files are a Good Thing.  Salesforce has master policy files at the root of every app server:

https://na1.salesforce.com/crossdomain.xml

https://c.na1.visual.force.com/crossdomain.xml

etc.

There are also less restrictive crossdomain.xml files in certain sub-directories, such as the web services API:

https://na1.salesforce.com/services/Soap/crossdomain.xml

Flash's sandbox model is just like the browser's same origin policy:  You cannot talk across domains by default.

Crossdomain.xml provides rules for when cross domain communication is possible.  You are not able to change the crossdomain.xml file of a Salesforce server, because it would apply to all users, not just your org.

To get your app to work, you need to serve it from the same domain you're trying to communicate with, or you must call the web-services API under /services/Soap/*

If you can provide a bit more information on exactly which domain is hosting the Flex and which URLs you're trying to communicate with, I can try and give you a more detailed solution.

Hope that helps!
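A worked example of the rule evaluation described above, added here and not from any poster in the thread: it parses a crossdomain.xml policy and decides whether a SWF loaded from a given origin would be allowed to read the server's data, the way the Flash sandbox does. The sample policy, the `*.mysite.force.com` rule and the `partner.example.com` host are constructed for illustration, not Salesforce's real policy files.

```python
# Evaluates a Flash crossdomain.xml policy the way the Flash Player sandbox does:
# a SWF from one origin may read data from a server only if one <allow-access-from>
# rule matches the SWF's host (and, for a secure rule, the SWF came over HTTPS).
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample policy for illustration; not Salesforce's real file.
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.mysite.force.com" secure="true"/>
  <allow-access-from domain="partner.example.com" secure="false"/>
</cross-domain-policy>"""

def domain_matches(pattern, host):
    """'*' matches every host; '*.a.b' matches a.b and any subdomain of it;
    anything else must match the host exactly (case-insensitive)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host == pattern[2:] or host.endswith(pattern[1:])
    return pattern == host

def parse_policy(xml_text):
    """Return (domain, secure) for each <allow-access-from> rule.
    secure defaults to true, as for a policy served over HTTPS (assumed here)."""
    root = ET.fromstring(xml_text)
    return [(el.get("domain", ""), el.get("secure", "true").lower() != "false")
            for el in root.iter("allow-access-from")]

def is_allowed(xml_text, swf_url):
    """True if a SWF loaded from swf_url may read data guarded by this policy."""
    parsed = urlparse(swf_url)
    host, over_https = parsed.hostname or "", parsed.scheme == "https"
    return any(domain_matches(domain, host) and (over_https or not secure)
               for domain, secure in parse_policy(xml_text))

def audit(xml_text):
    """Flag rules that widen exposure: a bare '*' lets any site on the web
    read the server's responses; secure="false" admits http:// SWFs."""
    findings = []
    for domain, secure in parse_policy(xml_text):
        if domain == "*":
            findings.append('domain="*" grants every origin read access')
        if not secure:
            findings.append(f'{domain}: secure="false" admits http:// SWFs')
    return findings
```

Run against the thread's own case, a SWF on c.cs0.visual.force.com asking a host outside the sample rule's wildcard is refused, which is exactly the Error #2048 condition; the `audit` helper flags the `domain="*"` form quoted earlier in the thread.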

Chirag Mehta

Yes, it's not possible to modify the crossdomain file.

I do hear your option of publishing the "myCalendar" page with the Flex on the Force.com site, but in my case the mycalendar page is part of the Customer Portal (Attendee Portal), so it's not possible to publish the mycalendar page as a site page.

Chirag Mehta

@Brendan

(Nice to talk to you after a long time; we did converse during Dreamforce Attendee Portal development)

  • The Flex file is hosted inside the mycalendar page, which is part of the Eventforce Customer (Attendee) Portal.
  • The ScheduleService page is a Force.com site page, HTTPRequested from Flex.
  • The ScheduleService page takes a user ID as input and prints/outputs a JSON string as the page content.
  • This JSON string is parsed by the Flex to draw flashy boxes in the Flex calendar showing various attendance.

In my case one is a Customer Portal and the other is a Force.com site, so it's not possible for both to have the same sub-domain. Seems like a design issue, or do you see any approach on how to solve this?

BrendanOC

If you have 2 domains (let's say na1.salesforce.com and MySite.force.com), you can't get them to communicate directly.  If the Flex App is served off of MySite.force.com, it can read/write to anything on MySite.force.com.

Instead of hosting the Flex app directly on the portal (na1.salesforce.com domain) can you host the Flex app at MySite.force.com?  If you host it there, it can read/write back to ScheduleService and consume JSON.  If you pass Flex an API token when the app is loaded in the browser, it can use the API token to call na1.salesforce.com/services/Soap/ and talk to the SOAP web services API.  That should allow you to get user context and other necessary data from the Portal org, while keeping the app in the MySite.force.com sandbox.

If that won't work for some reason, or I'm misunderstanding the problem, let me know.