I ran the example here: https://github.com/crossbario/crossbarexamples/tree/master/wss/python, and everything works fine.
However, the following case does not work for me:
The config.json file:
{
"controller": {},
"workers": [
{
"type": "router",
"realms": [
{
"name": "realm1",
"roles": [
{
"name": "anonymous",
"permissions": [
{
"uri": "*",
"publish": true,
"subscribe": true,
"call": true,
"register": true
}
]
}
]
}
],
"transports": [
{
"type": "web",
"endpoint": {
"type": "tcp",
"port": 9000,
"tls": {
"key": "server_key.pem",
"certificate": "server_cert.pem",
"dhparam": "dhparam.pem",
"ciphers": "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS"
}
},
"paths": {
"/": {
"type": "static",
"directory": "../web"
},
"ws": {
"type": "websocket"
}
}
}
]
}
]
}
The web/index.html file is just to see if the TLS works:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Router</title>
</head>
<body>
This is a router.
</body>
</html>
I generated the certificate and everything works well if I connect to the website at https://127.0.0.1:9000. The page loads correctly.
However, I set up another project in node.js to try to register something. (Code taken from the page load count example.)
The code in server.js:
var connection = new autobahn.Connection({
url: 'wss://127.0.0.1:9000/ws',
realm: 'realm1'}
);
connection.onopen = function (session) {
console.log("connected to WAMP router");
app.session = session;
// REGISTER a procedure for remote calling
//
function get_visits () {
return app.visits;
}
session.register('com.example.get_visits', get_visits).then(
function (reg) {
console.log("procedure get_visits() registered");
},
function (err) {
console.log("failed to register procedure: " + err);
}
);
};
connection.onclose = function (reason, details) {
console.log("WAMP connection closed", reason, details);
app.session = null;
}
connection.open();
Now, wss://127.0.0.1:9000/ws is the correct URL for the router, however I always receive the following:
WAMP connection closed unreachable { reason: null,
message: null,
retry_delay: 1.8090544409276008,
retry_count: 1,
will_retry: true }
It can't connect to the server.
I am sure some basic concepts are escaping me, perhaps you can lead me in the right direction.
If you are using a self-signed certificate, you'll need to tell your browser to trust it or the connection will fail at the TLS layer.
I recently added client-certificate support and a fully-worked example of this to the 'crossbarexamples' repository: https://github.com/crossbario/crossbarexamples/tree/master/authenticate/client_tls
In the above-linked example, you would import the intermediate CA certificate to your browser (or the self-signed root CA certificate).
If you add
process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"
in your server.js code, then node.js should accept the self-signed certificate. (See the discussion on a node.js issue here.)
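Setting NODE_TLS_REJECT_UNAUTHORIZED to "0" turns off certificate checks for every TLS connection the process makes, not only the one to the router. The following is an added example, not code from this thread or from the Crossbar project: it uses only Node's built-in tls module to build per-connection options that trust a single PEM certificate, and to check whether a certificate's names cover the host in a URL such as wss://127.0.0.1:9000/ws. The function names and certificate summaries are constructed for illustration; how the options are handed to a particular WebSocket client depends on that library and is not shown.

```javascript
// Added example, not code from the thread. Uses only Node's built-in tls module.
const tls = require('tls');

// True when certificate checks have been switched off for the whole process.
function verificationDisabled(env) {
  return env.NODE_TLS_REJECT_UNAUTHORIZED === '0';
}

// Per-connection options: trust exactly one PEM certificate (the self-signed
// server certificate or its CA) and keep chain and hostname checks enabled.
function pinnedTlsOptions(wssUrl, caPem) {
  const u = new URL(wssUrl);
  if (u.protocol !== 'wss:') throw new Error('expected a wss:// URL');
  return {
    host: u.hostname,
    port: Number(u.port || 443),
    ca: [caPem],              // used instead of the default CA bundle
    rejectUnauthorized: true, // the Node default, stated explicitly
  };
}

// Returns null when the certificate's names cover the URL's host, otherwise
// the reason Node would reject it even though the certificate is trusted.
function identityProblem(wssUrl, peerCert) {
  const err = tls.checkServerIdentity(new URL(wssUrl).hostname, peerCert);
  return err ? err.message : null;
}

// Constructed certificate summaries, in the shape getPeerCertificate() returns.
const certDnsOnly = { subject: { CN: 'localhost' }, subjectaltname: 'DNS:localhost' };
const certWithIp = {
  subject: { CN: 'localhost' },
  subjectaltname: 'DNS:localhost, IP Address:127.0.0.1',
};

const routerUrl = 'wss://127.0.0.1:9000/ws';
// A certificate naming only "localhost" fails for an IP-address URL.
console.log('DNS-only cert:', identityProblem(routerUrl, certDnsOnly));
// With an IP subjectAltName the same URL passes the identity check.
console.log('cert with IP SAN:', identityProblem(routerUrl, certWithIp));
// Placeholder PEM text; in practice read the file named in config.json.
console.log(pinnedTlsOptions(routerUrl, '<contents of server_cert.pem>'));
console.log('verification disabled:', verificationDisabled(process.env));
```

A certificate that is trusted through `ca` is still rejected if its names do not match the host, so a certificate issued for `localhost` only will not work with a `127.0.0.1` URL.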
We are currently developing an ASP NET Core Web API hosted in a Kestrel Windows service. We want to enable TLS 1.3 only and disable all other SSL protocols.
The following code works. TLS1.2 and TLS1.3 are both enabled.
{
"Kestrel": {
"Endpoints": {
"HttpsForDeveloper": {
"Url": "https://localhost:5001",
"SslProtocols": ["Tls12", "Tls13"]
}
},
"Certificates": {
"Default": {
"Subject": "localhost",
"Store": "My",
"Location": "LocalMachine",
"AllowInvalid": true
}
}
}
}
But if I change the code block to remove TLS1.2, the page is no longer available.
{
"Kestrel": {
"Endpoints": {
"HttpsForDeveloper": {
"Url": "https://localhost:5001",
"SslProtocols": ["Tls13"]
}
},
"Certificates": {
"Default": {
"Subject": "localhost",
"Store": "My",
"Location": "LocalMachine",
"AllowInvalid": true
}
}
}
}
In Postman I get the following error:
Does anyone have any tips for me or know what I'm doing wrong?
The problem was the lack of support for TLS 1.3 in the Windows versions we used. I was able to solve the problem with the following article.
https://stackoverflow.com/a/59210166/6092585
I am integrating a Spring Boot application with OIDC. The customer has an OIDC manifest file, at https://example.biz/.well-known/openid-configuration, which is redacted as displayed later.
Problem
When I attempt to authenticate via Swagger, the authorization endpoint complains that a parameter is missing. I could see that Swagger does not send the client_id parameter (it's actually empty).
Please note, I expect that 99% of the configuration is handled by Springdoc after the OIDC configuration URL.
Question
Why doesn't Springdoc/Swagger OIDC setup work according to the existing setup and OIDC manifest?
Set up
OIDC manifest I can retrieve from authorization endpoint
{
"client_id": "the-clientid",
"issuer": "https://...",
"authorization_endpoint": "https://...",
"token_endpoint": "https://...",
"userinfo_endpoint": "https://...",
"jwks_uri": "https://...",
"end_session_endpoint": "https://...",
"registration_endpoint": null,
"scopes_supported": [
"openid"
],
"response_types_supported": [
"token",
"id_token",
"id_token token"
],
"response_modes_supported": [
"form_post",
"fragment"
],
"grant_types_supported": [
""
],
"subject_types_supported": [
"pairwise"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"token_endpoint_auth_methods_supported": [
"client_secret_basic"
],
"claims_supported": [
"sub",
"iss",
"aud",
"exp",
"iat",
"auth_time",
"nonce"
]
}
I import this scheme using Springdoc's @SecurityScheme annotation
@ConditionalOnProperty(...) // I can switch between basic (dev) and oidc authentication (test, uat, prod)
@SecurityScheme(
name = "secured",
type = OPENIDCONNECT,
openIdConnectUrl = "${oidc-url}/.well-known/openid-configuration" //Parameterized URL works here
)
public class OidcConfiguration {
}
Swagger shows me the Authorize button on top of the page.
However, when I see the generated Swagger OpenAPI v3 schema, it looks like the following
{
"openapi": "3.0.1",
"info": {
"title": "API",
"version": "v1"
},
"servers": [
{
"url": "http://localhost:8080",
"description": "Generated server url"
}
],
"paths": {
"/api/v1/.....": {
"patch": {
"tags": [
"...."
],
"operationId": "...",
"responses": {
"200": {
"description": "OK"
}
},
"security": [
{
"secured": []
}
]
}
},
"/health.check": {
"get": {
"tags": [
"probe-controller"
],
"operationId": "healthCheckProbe",
"responses": {
"200": {
"description": "OK",
"content": {
"*/*": {
"schema": {
"type": "boolean"
}
}
}
}
},
"security": [
{
"open": []
}
]
}
}
},
"components": {
"securitySchemes": {
"secured": {
"type": "openldConnect",
"openldConnectUrl": "https://...."
}
}
}
}
As you can see, the JSON file points to the remote OIDC configuration, and Swagger retrieves it.
But when I click on the Authentication button, I can see in the popup
secured (OAuth2, )
OpenId Connect URL: https://.....
Flow:
Scopes (select all, select none)
[ ] openid
According to this, I am not prompted with any client id. Clicking on Authorize opens a new window where I can't debug the original URL, as I am immediately redirected and DevTools is not open yet.
But after login request, I could see that the next URL displays ?client_id=&.....
If I manually navigate the URL with the client ID set, I can be redirected.
I also tried to set springdoc.swagger-ui.oauth.clientId=some client id according to linked issue, but it didn't display the input box.
Hi, I have created one HTTPS service using the mountebank tool; however, I am getting a "Socket Hang Up" error during impostor creation. Below are the steps followed:
Added the CA authorized certificate in postman tool under 'Settings under that Certificates tab'.
Impostor creation
Impostor config:
{
"port": 4549,
"protocol": "https",
"mutualAuth": true,
"key": "-----BEGIN RSA PRIVATE KEY-----\n[key material omitted]\n-----END RSA PRIVATE KEY-----",
"cert": "-----BEGIN CERTIFICATE-----\n[certificate body omitted]\n-----END CERTIFICATE-----",
"stubs": [
{
"responses": [
{
"is": {
"body": {
"accountNum": "123456789",
"statusCode": 200
}
}
}
],
"predicates": [
{
"equals": {
"method": "GET",
"path": "/test",
"headers": {
"Accept": "text/plain",
"Name": "abc"
}
}
}
]
}
]
}
Through many searches I've gotten the script in question to work as expected. If the user clicks on a button on my web page then a contact will be created in their Google Contact list (if authorized).
The problem I'm left with is that the authorization never expires. In that once successfully authorized the user can press the button many times, even come back to the page later in a different session, and it will never ask for authorization again.
Perhaps this is the intended behavior of the GoogleAPI but for my intended purpose I don't expect any more than 1 click and I would expect if the user came back to my page at a later time that they would be asked to authorize again.
Is this possible? I've tried the following ...
gapi.auth.signOut();
gapi.auth2.signOut();
gapi.auth2.disconnect();
revoking the token (see end of post)
... with no success.
Code can be found here:
https://jsfiddle.net/brian_hill/chvtmmjr/7/
function addContact(entry) {
var config = {
'client_id': '403037917634-qproaer1g5gcq83c941heo4q07olol23.apps.googleusercontent.com',
'scope': 'https://www.google.com/m8/feeds',
'cookie_policy': 'single_host_origin'
};
gapi.auth.authorize(config, function() {
insert(config, entry);
});
}
function insert(config, entry) {
gapi.client.request({
'method': 'POST',
'path': '/m8/feeds/contacts/default/full/',
'headers': {
'GData-Version': 3.0
},
'body': {
'entry': [entry]
},
'callback': function(data) {
if (data.hasOwnProperty('entry')) {
var msg = "Your Google Contacts have been updated to include ";
window.alert(msg.concat(data.entry.title.$t))
} else {
var msg = "Contact information could not be added for "
window.alert(msg.concat(entry.title.$t))
}
}
});
}
And the HTML
<script src="https://apis.google.com/js/platform.js" async defer></script>
<script src="https://apis.google.com/js/client.js"></script>
<body style="background-color:rgba(32, 177, 17, 0.3);">
<p>
The button below will add a contact to your GMail contacts</p>
<div style="width:150px">
<script>
function addJohn() {
var entry = {
"category": [{
"scheme": "http:\/\/schemas.google.com\/g\/2005#kind",
"term": "http:\/\/schemas.google.com\/contact\/2008#contact"
}],
"title": {
"type": "text",
"$t": "John Doe"
},
"content": [{
"type": "text",
"$t": "[Automatically Created]"
}],
"gd$email": [{
"rel": "http:\/\/schemas.google.com\/g\/2005#other",
"address": "john.doe@abcd.com",
"primary": "true"
}],
"gd$postalAddress": [{
"rel": "http:\/\/schemas.google.com\/g\/2005#home",
"$t": "123 Main Street\nOttawa, ON\nCanada"
}],
"gd$phoneNumber": [{
"rel": "http:\/\/schemas.google.com\/g\/2005#home",
"$t": "555.123.4567",
"primary": "true"
}]
};
addContact(entry);
}
function addJane() {
var entry = {
"category": [{
"scheme": "http:\/\/schemas.google.com\/g\/2005#kind",
"term": "http:\/\/schemas.google.com\/contact\/2008#contact"
}],
"title": {
"type": "text",
"$t": "Jane Doe"
},
"content": [{
"type": "text",
"$t": "[Automatically Created]"
}],
"gd$email": [{
"rel": "http:\/\/schemas.google.com\/g\/2005#other",
"address": "jane.doe@abcd.com",
"primary": "true"
}],
"gd$postalAddress": [{
"rel": "http:\/\/schemas.google.com\/g\/2005#home",
"$t": "321 Unknown Street\nOttawa, ON\nCanada"
}],
"gd$phoneNumber": [{
"rel": "http:\/\/schemas.google.com\/g\/2005#home",
"$t": "555.765.4321",
"primary": "true"
}]
};
addContact(entry);
}
</script>
<button onclick="addJohn();">Add Contact - John</button>
<button onclick="addJane();">Add Contact - Jane</button>
</div>
</body>
(Note: Due to the nature of the GoogleAPI authorization process, it doesn't appear to work through JS Fiddle on either Chrome or Firefox --- I did get it to work on Microsoft Edge).
Thanks in advance,
Brian
PS. Adding my attempt for using the 'revoke' option. Which still doesn't work (I still don't get re-prompted for authorization) but also sometimes it works (updates addresses) and sometimes it doesn't.
function addContact(entry) {
var config = {
'client_id': '403037917634-qproaer1g5gcq83c941heo4q07olol23.apps.googleusercontent.com',
'scope': 'https://www.google.com/m8/feeds',
'cookie_policy': 'single_host_origin'
};
gapi.auth.authorize(config, function() {
insert(config, entry);
}).then(signOut);
}
function signOut() {
$.ajax({
'type': 'GET',
'url': 'https://accounts.google.com/o/oauth2/revoke?token=' +
gapi.auth.getToken().access_token,
'async': false,
'contentType': "application/json",
'dataType': 'jsonp',
'success': function (nullResponse) {
window.alert('Disconnected');
},
'error': function (e) {
// Handle the error
console.log(e);
}
});
}
function insert(config, entry) {
gapi.client.request({
'method': 'POST',
'path': '/m8/feeds/contacts/default/full/',
'headers': {
'GData-Version': 3.0
},
'body': {
'entry': [entry]
},
'callback': function(data) {
if (data.hasOwnProperty('entry')) {
var msg = "Your Google Contacts have been updated to include ";
window.alert(msg.concat(data.entry.title.$t))
} else {
var msg = "Contact information could not be added for "
window.alert(msg.concat(entry.title.$t))
}
}
});
}
Try using the Revoke token instruction in OAuth 2.0:
In some cases a user may wish to revoke access given to an application. A user can revoke access by visiting Account Settings. It is also possible for an application to programmatically revoke the access given to it. Programmatic revocation is important in instances where a user unsubscribes or removes an application. In other words, part of the removal process can include an API request to ensure the permissions granted to the application are removed.
To programmatically revoke a token, your application makes a request to https://accounts.google.com/o/oauth2/revoke and includes the token as a parameter:
curl -H "Content-type:application/x-www-form-urlencoded" \
https://accounts.google.com/o/oauth2/revoke?token={token}
I am using following jquery live click to display ad from my openx server.
$('.vbox > li > img').live('click',function(){
var videourl = "http://www.indiantripadviser.com/img/video/"+$(this).data('videourl');
var videodur = parseInt($(this).data('duration'));
$('#vidHolder').show();
flowplayer("player", "dist/swf/flowplayer-3.2.7.swf", {
"playlist":[
{
"url": videourl,
"duration": videodur
}
],
"plugins": {
"ova": {
"url": "dist/swf/ova.swf",
"autoPlay": true,
"ads": {
"controls": {
"skipAd": {
"enabled": true,
"showAfterSeconds": 5,
"image": "global/images/skip.png",
"width": 100,
"height": 15
}
},
"servers": [
{
"type": "OpenX",
"apiAddress": "http://advert.visionimpact.co.in/www/delivery/fc.php"
}
],
"schedule": [
{
"zone": "8",
"position": "pre-roll"
}
],
"notice": { "type": "countdown" }
}
}
},
"canvas": {
"backgroundColor": '#F9F9F9'
}
});
});
Now my issue is, if I use the "apiAddress": "http://advert.indiantripadviser.com/www/delivery/fc.php" it works fine, but when I change it to "apiAddress": "http://advert.visionimpact.co.in/www/delivery/fc.php" it stops delivering ads. I can't figure out where the mistake is, as I created and linked the zone and banner several times.
I am totally out!
Looks like a crossdomain issue. Have you allowed
http://advert.visionimpact.co.in
in your crossdomain xml file?
If you are serving your ads from a different domain name than the flash player, you need to install a crossdomain.xml file in the docroot on your openX ad server to allow flash to communicate to it.
Example crossdomain.xml:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>
Ref : http://code.google.com/p/openx-iab-vast/wiki/ExampleCrossdomainXML
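The policy above uses `domain="*"`, which lets Flash content served from any site read responses from the ad server. The following is an added example, not part of the original answer or the linked wiki: it audits a policy file for wildcard grants and builds one that names the allowed host explicitly. It assumes the Flash player is served from www.indiantripadviser.com, and the function names are made up for illustration.

```javascript
// Added example, not part of the original answer.

// Attributes of one XML start tag as a plain object.
function tagAttrs(tag) {
  const out = {};
  for (const m of tag.matchAll(/([\w-]+)\s*=\s*["']([^"']*)["']/g)) out[m[1]] = m[2];
  return out;
}

// Report policy entries that grant more than a single named host needs.
function auditCrossDomainPolicy(xml) {
  const findings = [];
  for (const m of xml.matchAll(/<allow-access-from\b[^>]*>/g)) {
    const a = tagAttrs(m[0]);
    if (a.domain === '*') {
      findings.push('domain="*": Flash content from any site may read responses');
    } else if ((a.domain || '').includes('*')) {
      findings.push(`wildcard domain ${a.domain}: every matching host is trusted`);
    }
    if (a.secure === 'false') {
      findings.push(`secure="false" on ${a.domain}: HTTP-served content may read HTTPS data`);
    }
  }
  for (const m of xml.matchAll(/<site-control\b[^>]*>/g)) {
    if (tagAttrs(m[0])['permitted-cross-domain-policies'] === 'all') {
      findings.push('site-control "all": any file on the server can act as a policy file');
    }
  }
  return findings;
}

// Build a policy that names each allowed player host explicitly.
function scopedPolicy(domains) {
  for (const d of domains) {
    if (!/^[a-z0-9.-]+$/i.test(d)) throw new Error(`not a plain host name: ${d}`);
  }
  return [
    '<?xml version="1.0"?>',
    '<cross-domain-policy>',
    '  <site-control permitted-cross-domain-policies="master-only"/>',
    ...domains.map((d) => `  <allow-access-from domain="${d}"/>`),
    '</cross-domain-policy>',
  ].join('\n');
}

// The policy quoted in the answer above.
const pagePolicy = `<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>`;

// Assumption: the Flash player is served from www.indiantripadviser.com.
const tightened = scopedPolicy(['www.indiantripadviser.com']);
console.log(auditCrossDomainPolicy(pagePolicy));
console.log(auditCrossDomainPolicy(tightened));
```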