Why socket policy file server?
Since Flash player 9 you can no longer use the HTTP based crossdomain.xml file to specify cross-domain policy for socket based server as part of the on-going security enhancement from Adobe. Therefore a specialized socket file server (default on 843 for master policy) needs to be created to return the policy file(s) for the socket based client. See Policy file changes in Flash Player 9 and Flash Player 10 for more details.
Whats the expectatoin?
The basic idea behind this file server is fairly simple. The server will wait for the policy file request from the Flash player sent directly by the Flash player. The policy request is just a string
offollowed by a
NULLbyte (00), upon receiving the request the server will return the content of the policy file.
Whats the catch?
1. String chararacter set
In Adobe's document there was no mentioning of the encoding charset for the returning string, and based on my experiment I found the Flash player did not like the UTF-8 encoding in Java. Probably because Java DataOutputStream uses a modified UTF-8 encoding. At the end I found that ISO-8859-1 worked out pretty well with the Flash player, and since your policy file should not contain any unicode character anyway I think this is a pretty good approach.
2. Write timing
One interesting thing I found is although Adobe mentioned in their documentation the request handling should be in the following sequence:
- Receive request
- Verify request
- Write policy content
- Close socket
3. Close your socket
In Adobe's documentation it mentioned that the Flash player will close the socket as soon as it received the policy file, but based on my experiment it seems that Flash player performs less consistent if the server does not close the socket right after the content is written.
Hope this information will help you save some time while implementing your own policy file server.