The SAMP protocol is defined in two parts, as an abstract API and as transport-specific Profiles. One or more Profiles may be offered by a SAMP hub to allow clients to communicate with it. At present, JSAMP offers two basic profiles, the Standard Profile, intended for normal desktop-based clients, and the Web Profile, intended for browser-based clients (some variants of these are also possible). These are described below.
By default, the hub is configured with both the Standard and Web Profiles available, but only the Standard Profile switched on. If you want to use the Web Profile, configure it to start either using command-line flags to the hub command or using equivalent programmatic settings. To switch on the Web Profile as well as the Standard Profile by default in the hub, you can do one of the following:
hub command with the flag "
The Profiles menu in the hub window looks something like this:
and from the system tray icon something like this:
Checking one of the checkboxes has the effect of turning the profile in question on, and unchecking it turns it off. When a profile is turned off, any clients registered using that profile are forcibly ejected from the hub.
The Standard Profile is intended for use by normal desktop tools.
Clients discover the location of the hub by looking in a file named .samp in the user's home directory. The fact that this file is normally only readable by the user running the hub means that connections cannot be made by other users.
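A check for the property described above, as an added example that is not part of JSAMP: on a POSIX system it parses a Standard Profile lockfile and reports anything that would let another user read or alter it. The key names `samp.secret`, `samp.hub.xmlrpc.url` and `samp.profile.version` come from the SAMP Standard Profile lockfile format rather than from this page; the function names and the sample contents are constructed for illustration.

```python
import os
import stat

# Constructed sample contents; key names follow the SAMP Standard Profile
# lockfile format, values are made up.
SAMPLE_LOCKFILE = """\
# SAMP Standard Profile lockfile (constructed sample)
samp.secret=EXAMPLE-SECRET-0000
samp.hub.xmlrpc.url=http://127.0.0.1:40001/xmlrpc
samp.profile.version=1.3
"""

REQUIRED_KEYS = ("samp.secret", "samp.hub.xmlrpc.url")


def parse_lockfile(text):
    """Return the key=value pairs of a lockfile; '#' lines are comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                entries[key.strip()] = value.strip()
    return entries


def audit_lockfile(path):
    """Return findings that weaken the 'only the hub's user can connect' property."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("readable by other users (mode %04o)" % mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by other users (mode %04o)" % mode)
    if st.st_uid != os.getuid():
        findings.append("not owned by the current user")
    with open(path, encoding="utf-8") as fh:
        entries = parse_lockfile(fh.read())
    findings += ["missing key " + k for k in REQUIRED_KEYS if k not in entries]
    return findings


if __name__ == "__main__":
    lockfile = os.path.expanduser("~/.samp")
    if os.path.exists(lockfile):
        for finding in audit_lockfile(lockfile) or ["no findings"]:
            print(lockfile + ": " + finding)
```

An empty result means the file is owned by the current user, is not accessible to group or other, and carries the keys a client needs to reach the hub.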
The Web Profile is intended for use by web applications, that is, programs or web pages running inside a web browser. Web applications can find the hub at a well-known port. When a web application wants to register, the hub will ask the user, by popping up a dialogue window, whether the application should be allowed to run. The dialogue window will look something like this:
There are a number of configuration options available for the Web Profile hub, connected with security. They may be set on the hub command line, with the various options, or using the Profiles|Web Profile Configuration menu. The options are as follows:
clientaccesspolicy.xml mechanism. Silverlight is believed to support the Flash mechanism, so you can and should probably leave this switched off.
Note that the configuration options may only be changed when the Web Profile itself is not running.
You may be able to find an experimental Web Profile client here.
The JSAMP 1.3 Working Draft discusses security in relation to the Web profile to some extent, but notes that there are outstanding security concerns, and that experimentation will continue in hub implementations around this issue.
The security measures taken by the JSAMP Web Profile implementation are:
file:///etc/passwd. This policy does not constitute bulletproof protection of local resources from malicious web-profile clients, but it does guard against some straightforward attacks. This policy is on by default, but can be switched off and on using the Profiles|Web Profile Configuration|URL Controls menu item from the hub GUI, or with the -web:[no]urlcontrol hub command-line switch.