BOSH / eJabberd : not-authorized (401)

Hello everyone,

I have not been here for quite a long time, but as it seems to be more active around here than before, I hope to get an answer to my problem. There will be a bit of history, but please be patient, I really need help (like everyone :/)

I’ve been working since February 2008 on a Flash application which uses a Flex API of ours. This application is connected to an eJabberd server and we always used the previous version of XIFF (XIFF 2 I think). We never had to update it, though, because it always met our requirements.

But now, our client wants to use HTTP binding. I was already in charge of trying it last year (or I can’t recall exactly when) but it failed. It was just to give it a try because using the XMPPSocketConnection was enough and great. So I downloaded the last version of XIFF (from SVN trunk) and started to work on updating our API to reflect the changes.

I’ll skip everything that concerns the crossdomain policy and so on: I finally got my eJabberd server to work with HTTP binding on port 5280 and Flash is able to find the crossdomain file. Our application works like a charm locally…

**But when I try on the webserver, I receive a “401 not-authorized” response from XIFF (but not from eJabberd - at least I see nothing in the logs, not even a trace of an incoming event of any kind).** I immediately thought about crossdomain and security and all, since it works locally, but the crossdomain file is there and is read and all. Flash has no problem, it’s eJabberd which seems to answer differently…

So if someone has any ideas… any help would be appreciated.

Thanks for reading

Could you post a simple version of your connect/login actions so we could see where the failure comes?

You could try tracing if the problem actually comes from the XIFF handling the login wrongly…

Thanks, but I solved my problem this morning. Here’s the story…

Knowing that the error was being thrown by XIFF (and not even reaching eJabberd), I tried to add some traces (like you suggested) in XMPPBOSHConnection.as and XMPPConnection, and I discovered that I was going through the security error event handler after sending the request with URLRequest.

Then I could see the error with the text property of the event, and see that it was a crossdomain policy error. But why? My crossdomain.xml file was successfully retrieved and loaded… But finally, in the Adobe documentation, I saw that I had to add an attribute in my crossdomain.xml file, in the allow-access-from node: secure="false"

Because I put everything behind HTTPS, I had to allow HTTPS policy files to be requested by HTTP sources, meaning that if I want to use HTTP binding with HTTPS, my application must also be reached through HTTPS. It seems I can’t have a SWF at a given HTTP URL accessing a crossdomain policy file with HTTPS…

This can be resolved by setting the property “secure” to false in the allow-access-from node of the crossdomain.xml file, even if it is not recommended.

As far as I’m concerned, my boss decided not to handle HTTPS and that our HTTP bind should remain on port 80.

But if it can help someone one day

Could you write this in the head comment of the BOSH connection class, in order to clarify such use cases?

Once you have it in there, please attach a patch here.

Sorry, but what exactly are you asking me to do?

Please write up your discoveries in the head comment of

http://svn.igniterealtime.org/svn/repos/xiff/trunk/src/org/igniterealtime/xiff/core/XMPPBOSHConnection.as

where it now says just “Bidirectional-streams Over Synchronous HTTP (BOSH)” followed by the @see tags.

It will then appear in the API documentation:

http://paazio.wippiespace.com/xiff3doc/org/igniterealtime/xiff/core/XMPPBOSHConnection.html

This will make the usage of this class as well as the library easier, as the documentation, discoveries, etc. are available directly in the source.

I tried, but it seems I’m not allowed to commit any changes to the class.

Here is what I was writing in the head comment:

```actionscript
/**
 * Bidirectional-streams Over Synchronous HTTP (BOSH)
 * @see http://xmpp.org/extensions/xep-0124.html
 * @see http://xmpp.org/extensions/xep-0206.html
 *
 * Using BOSH does not prevent your application from respecting
 * Adobe Flash Player policy file issues. HTTP requests to your
 * server must be authorized with a crossdomain.xml file
 * in your webserver root.
 *
 * For eJabberd users: if your crossdomain policy file cannot
 * be served by your server, this issue can be solved with an
 * Apache proxy redirect so that any automatic Flash/Flex calls
 * to a URL like http://xmppserver:5280/crossdomain.xml will be
 * redirected to a URL of your choice such as
 * http://webserver/crossdomain.xml
 *
 * Warning: if you are using BOSH through HTTPS, your crossdomain
 * policy file must also be served through HTTPS. Your application
 * (if online) must also be served through HTTPS, else you will
 * have a crossdomain policy issue. This issue can be solved by
 * using the secure property of the allow-access-from node in the
 * crossdomain.xml file. But this is not recommended by Adobe.
 */
```
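
Added example, not part of the thread or of XIFF: a small Python check that flags the `secure="false"` workaround discussed above in a crossdomain.xml served over HTTPS, and, going slightly beyond the thread, a bare wildcard domain. The two policy documents and the host name `www.example.com` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies; the host name is a placeholder, not from the thread.
# Policy served over HTTPS with the workaround from the thread (secure="false").
WEAK_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.example.com" secure="false"/>
</cross-domain-policy>"""

# Same policy without the workaround: the SWF itself must be loaded over HTTPS.
STRICT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.example.com" secure="true"/>
</cross-domain-policy>"""


def audit_policy(xml_text, served_over_https=True):
    """Return a list of findings for one crossdomain.xml document."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]
    findings = []
    for node in root.iter("allow-access-from"):
        domain = node.get("domain", "")
        # The secure attribute only matters for HTTPS policy files,
        # where it defaults to true when absent.
        secure = node.get("secure", "true").strip().lower()
        if served_over_https and secure == "false":
            findings.append(
                f'{domain}: secure="false" lets a SWF loaded over plain HTTP '
                "read HTTPS responses from this host")
        if domain == "*":
            findings.append("*: wildcard domain grants access to every origin")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(name, audit_policy(policy) or "no findings")
```
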