
Crossdomain connections using XIFF

Has anyone gotten XIFF to connect to Openfire cross-domain? For example, my Openfire server is running on host “openfireDemo”. If my XIFF IM client is being served up from openfireDemo, it works fine. But when I try to serve the XIFF client from localhost, it can’t connect to Openfire.

I’m thinking this is a crossdomain.xml security issue with Flash 7+. So, I’ve tried the following XML:

<?xml version="1.0"?>

I have tried serving this up on:



I can’t seem to figure out how to get it served from: http://openfireDemo:5222/crossdomain.xml. Is that a requirement?

Also, I have tried the following in my actionscript:


None of this works. Any ideas?

1. Try connecting to localhost to check if webfire is running

2. Try using localhost as the server parameter in the connection

I had the same problems due to a security issue, and now I have a ready version without crossdomain.xml

    connection.username = "test";
    connection.password = "test";
    connection.server = "localhost";
    connection.port = 5222;
    room = new Room(connection);

    room.roomName = "test";
    room.conferenceServer = "conference.localhost";

Sure thing is to test on localhost

On other it won’t work because Alert.show(Security.sandboxType);


In this reply, client will be named openfireClient

-When you connect openfireDemo from openfireDemo, it works well (no need for crossdomain.xml, logical)

Question: what is the jabber domain name? localhost, ip address or openfireDemo? what is the jabberid in the jabber database?

-When you connect openfireDemo from openfireClient, it doesn’t work

You tried to add a crossdomain.xml file on the root of the server

Question: what is the jabber domain name? localhost, ip address or openfireDemo? what is the jabberid in the jabber database (cseibert@localhost will be understandable only if localhost of the client is localhost of the server (means same machine))?

Question: what is the error? cannot connect, bad password, bad login?

  1. Try not to use localhost as a configuration name (always use openfireDemo, and modify the client host table if not done yet).

  2. Your username should be cseibert@openfireDemo (not a thing to do, but a thing to check)

  3. Can you access the file http://openfireDemo/crossdomain.xml from openfireClient?

Yes: not a crossdomain.xml problem

No: fix this problem (apache, file permission…)

  1. Ports 9090, 9091 and 80 are useless in your crossdomain.xml, 5223 is debatable since XIFF doesn’t support secured xml (or a lot of things changed since the B4 release!)

  2. In case of login problem due to jabber domain change, try to recreate a new account to check if this works, if it works, you’ll have to modify your jabber accounts from username1@yourOldServerName to username1@yourNewServerName. If it does not work, check with a known working client (Gaim, Miranda, Exodus…).

Good luck

Are you guys saying that you have gotten this to work? Since I posted this, I found an open issue for this that still is not closed out:


This would seem to indicate that this simply doesn’t work yet. The main problem seems to be that you can’t serve the crossdomain.xml from any port other than the port that XIFF is connecting to (5222). Right now, that daemon won’t respond to HTTP requests for the crossdomain.xml file.

Of course I get it to work, that’s so easy

Go to http://xiffian.sf.net, test xiffian: you’ll connect with the client located on sourceforge.net (and in your webclient cache) to my server which is in my apartment, usuc.dyndns.org… And if you look at http://usuc.dyndns.org/crossdomain.xml, you’ll see the crossdomain.xml file which will allow clients from other servers to connect to this station on port 5222…

This file is served on port 80, because apache serves it.

Your problem seems to be that you want to use an apache server and an openfire server on the same port, and you expect this to work? A http server and a jabber server on the SAME port? Nothing weird?

I won’t solve such issues, those issues are due to laziness… RTFM! Macromedia security sandbox is simple… Getting this file served from 5222 is nonsense for me…

-This file is used to tell flash clients what ports external clients will access on the server serving this file.

-The externally-served flash client checks if it has to access a port >1024 (below doesn’t work). If it has, the flash player on the user machine checks the coldfire-server on port 80 (crossdomain.xml) to see if it permits those external connections (that way you can block your coldfire server from being used by other flash applications, like other xiff clients).

Just put your crossdomain.xml file to be served on your coldfire server on port 80 on the root of the web server (using apache for example), and THATS ALL!

Whatever… Do as you like
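The replies above describe crossdomain.xml as the list of origins and ports a Flash client may reach, and call ports 9090, 9091 and 80 useless in it. The following check is an added example, not code from any poster or from XIFF/Openfire; both policy documents are constructed (the thread's own XML did not survive), `openfireClient` is the client host name used in the thread, and the wildcard matching is an approximation of the player's rules.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Constructed samples: the thread's own XML did not survive on the page.
BROAD = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" to-ports="80,5222,5223,9090,9091"/>
</cross-domain-policy>"""
SCOPED = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="openfireClient" to-ports="5222"/>
</cross-domain-policy>"""

def parse_ports(spec):
    """Expand a to-ports value ("*", "5222", "80,5222", "5000-5010") to a set."""
    spec = (spec or "").strip()
    if spec == "*":
        return set(range(1, 65536))
    ports = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def rules(policy_xml):
    """Yield (domain pattern, granted ports) for each allow-access-from rule."""
    for el in ET.fromstring(policy_xml).iter("allow-access-from"):
        yield el.get("domain", "").lower(), parse_ports(el.get("to-ports"))

def is_allowed(policy_xml, origin_host, port):
    """Would a SWF served from origin_host be let through to this port?"""
    return any(fnmatchcase(origin_host.lower(), dom) and port in ports
               for dom, ports in rules(policy_xml))

def findings(policy_xml, needed=frozenset({5222})):
    """List grants wider than the ports the chat client actually uses."""
    out = []
    for dom, ports in rules(policy_xml):
        if dom == "*":
            out.append("wildcard domain: a SWF from any site may connect")
        extra = ports - needed
        if extra:
            shown = "all ports" if len(extra) > 100 else sorted(extra)
            out.append(f"{dom}: ports not needed for XMPP: {shown}")
    return out

if __name__ == "__main__":
    for name, doc in (("BROAD", BROAD), ("SCOPED", SCOPED)):
        print(name, findings(doc) or "no findings")
```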

The one way I’ve gotten this to work is to set up a webserver on the same machine as the chat server, use the webserver to host the crossdomain.xml, and then the line: Security.loadPolicyFile("http://localhost/crossdomain.xml"); will just point to the appropriate place as served by the web server. When setting up your webserver though, just make sure you are careful of the ports. I believe Openfire uses 8080 as the admin port, so either change Openfire to use a different port (one of the config files in your Openfire install directory) or change the port the webserver uses.

It seems that you can also use XMLSocket in Flex, but I haven’t had the time to check that out.

You can use XMLSocket to do the job if the server handles it (but then you’ll have to configure it, if the feat is implemented…).

If it cannot, you MUST have a webserver to serve the file.

Still can’t get this to work. Here is my setup:

  • Openfire is installed on host “chase”, with the Openfire domain “chase”, ie “cseibert@chase”.

  • http://chase/crossdomain.xml exists and is set to the contents boris provided.

  • The SWF calls XMPPConnection.connect with the parameters “chase”, “cseibert”, “xxx”.

  • If I load the SWF from http://chase, it works.

  • If I load the SWF from http://localhost, it doesn’t work.

If I set the XMPPConnection.connect parameters to “localhost”, “cseibert”, “xxx”, then

JID is “cseibert@chase/xiff”

I have attached a debugger… it looks like it’s not throwing the security error. It gets to socket.connect(server, port) in XMPPConnection.as, line 272. Then nothing happens. None of the events appear to fire. Definitely not SecurityErrorEvent.SECURITY_ERROR, which I would expect.

Got it. I did have to do the following:


I’m not sure why it didn’t try to load that final automatically.

It’s weird…

Anyway, if it works…

I’m working with a team trying to incorporate SAML 2.0 based Single Sign-On. Our security requirements necessitate multi-factor user authentication in one (several) domain(s) to a common chat server (unexpected user).

Our desire is to create a hyperlink on a wiki to a chat room. The hyperlink invokes the SAML exchange, launches the client (XIFF ?), and the user is granted access to the room / channel specified in the SAML assertion. Also, some authenticated users (trusted) require anonymity (use pseudonyms for ‘user’).

This thread leads me to believe that cross-domain is very realistic, but can the library support signed SAML assertions?

Any opinions are welcomed.

Kind Regards,


Security.loadPolicyFile("xmlsocket://" + server + ":5229");

I know I’m probably dragging this question out a bit…

I’ve got an AIR application which contains code like this (I’ve stripped out the obvious bits):

<mx:WindowedApplication … creationComplete="onCreationComplete()">

    private function onCreationComplete():void

        connection = new XMPPSocketConnection();
        connection.username = "myusername";
        connection.password = "mypassword";
        connection.server = "openfire.blah.co.uk";
        connection.port = 5222;
        connection.addEventListener(LoginEvent.LOGIN, onLogin);
        connection.addEventListener(XIFFErrorEvent.XIFF_ERROR, onError);   

    private function onError(e:XIFFErrorEvent):void

If I telnet to port 5229 I get the following cross domain XML:

<?xml version="1.0"?>

However, when I run the app. I get the usual 2048 error in the console:


                 <-------------- Long pause here (about 5-10 seconds)

there was a security error of type: securityError
Error: Error #2048: Security sandbox violation: app:/xiffer.swf cannot load data from openfire.blah.co.uk:5222.

The code isn’t getting to the login event. Does anybody have a clue as to why this isn’t working? All the comments I’ve found on the web seem to point to the “Security.loadPolicyProfile(…)” bit being needed.
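The thread refers to a policy served over `xmlsocket://` on port 5229, which is a raw socket exchange rather than an HTTP request. The sketch below is an added example, not code from any poster or from Openfire: it shows both sides of that exchange (the player's NUL-terminated `<policy-file-request/>` and the NUL-terminated policy reply) over a local socket pair, with a constructed policy and the assumed origin name `openfireClient`.

```python
import socket
import threading

POLICY_REQUEST = b"<policy-file-request/>\x00"   # what the player sends
# Constructed policy: one origin, XMPP client port only (names are assumed).
POLICY = (b'<?xml version="1.0"?><cross-domain-policy>'
          b'<allow-access-from domain="openfireClient" to-ports="5222"/>'
          b'</cross-domain-policy>')

def read_until_nul(sock, limit=4096):
    """Read one NUL-terminated message; give up on EOF or oversized input."""
    buf = bytearray()
    while b"\x00" not in buf:
        chunk = sock.recv(256)
        if not chunk or len(buf) + len(chunk) > limit:
            return None
        buf += chunk
    return bytes(buf[:buf.index(b"\x00") + 1])

def serve_policy(sock, policy=POLICY):
    """Answer one policy request on an accepted socket; True if served."""
    try:
        sock.settimeout(3)
        if read_until_nul(sock) != POLICY_REQUEST:
            return False            # e.g. an HTTP GET: not a policy probe
        sock.sendall(policy + b"\x00")
        return True
    except OSError:                 # timeout or reset
        return False
    finally:
        sock.close()

def fetch_policy(sock):
    """Client side: send the probe, return the policy text or None."""
    sock.sendall(POLICY_REQUEST)
    reply = read_until_nul(sock)
    return reply[:-1].decode() if reply else None

def demo():
    """Run both sides over a local socket pair, no network needed."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=serve_policy, args=(server,))
    worker.start()
    try:
        return fetch_policy(client)
    finally:
        client.close()
        worker.join()

if __name__ == "__main__":
    print(demo())
```

`fetch_policy` accepts any connected socket, so the same function can check what a policy port on a server you operate actually returns.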

