Can RMI bypass firewall?

 
Ranch Hand
Posts: 72
I am designing an architecture for a customer, which has a lot of interacting operations, so I am thinking of using JavaWebStart, in which the client directly accesses EJB components over RMI/JRMP.

But between the client and the app server there is a firewall, so a doubt arises: can RMI/JRMP bypass the firewall? If it can, how do I do it?
 
Ranch Hand
Posts: 52
Hi Along,

It depends on the security policy of the firewall: whether it restricts access from the outside to the inside, or vice versa, or both.

If the RMI client is behind a firewall that has no restriction on outgoing packets (only restricting incoming packets), then it is OK; if not, then you have a big problem.

Basically, RMI uses an initial default port of 1099,
but the client may have other random ports for each connection.

Take a look at a page that I have found; it has some useful information on protocols/ports:
http://wiki.java.net/bin/view/People/WillieSCEAProtocol

HTH
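
An added illustration, not part of any post in this thread: by default the RMI registry listens on 1099 and each exported remote object listens on an anonymous port unless one is given, so a restrictive inbound policy has nothing stable to allow. The sketch below pins the object port so the firewall rule can name exactly two TCP ports; the `Booking` interface, port 40001 and the `localhost` host name are assumptions made for the example.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

public class FixedPortRmiServer {
    /** Hypothetical remote interface, for illustration only. */
    public interface Booking extends Remote {
        String status(String bookingId) throws RemoteException;
    }

    static class BookingImpl implements Booking {
        @Override
        public String status(String bookingId) {
            return "CONFIRMED:" + bookingId;
        }
    }

    static final int REGISTRY_PORT = 1099; // RMI registry default
    static final int OBJECT_PORT = 40001;  // assumed fixed port for remote calls

    public static void main(String[] args) throws Exception {
        // Host name embedded in stubs; it must be the address clients reach
        // through the firewall (assumed "localhost" for a local run).
        System.setProperty("java.rmi.server.hostname", "localhost");

        // Use TLS for remote calls when a keystore is configured through the
        // standard javax.net.ssl.keyStore / keyStorePassword properties.
        boolean tls = System.getProperty("javax.net.ssl.keyStore") != null;

        BookingImpl impl = new BookingImpl();
        // Without an explicit port the object is exported on an anonymous
        // port, which a restrictive inbound policy cannot name in a rule.
        Remote stub = tls
            ? UnicastRemoteObject.exportObject(impl, OBJECT_PORT,
                  new SslRMIClientSocketFactory(), new SslRMIServerSocketFactory())
            : UnicastRemoteObject.exportObject(impl, OBJECT_PORT);

        Registry registry = LocateRegistry.createRegistry(REGISTRY_PORT);
        registry.rebind("Booking", stub);

        // The looked-up stub prints its endpoint, showing the pinned port.
        System.out.println(registry.lookup("Booking"));
        System.out.println("Inbound rules needed: TCP " + REGISTRY_PORT
            + " and TCP " + OBJECT_PORT + (tls ? " (TLS)" : " (plaintext)"));
    }
}
```

The registry on 1099 stays plaintext in this sketch; `LocateRegistry.createRegistry` has an overload that takes the same pair of socket factories.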
 
Along huang
Ranch Hand
Posts: 72
Thank you for the reply!

For such a system, it is obvious to choose a thick client, and there are two solutions below:
1. three-tier architecture: client + EJB + database
2. four-tier architecture: client + web + EJB + database

The problem is that I can't make a decision between 1 and 2, as each has its own advantages.

As for 1, it is efficient and simple, but it encounters the firewall.
As for 2, it uses a socket to connect to the web server, so it can't keep the state of the session; therefore, all span-operation state has to be saved in the client. Furthermore, it makes the client and web server complex.

best regards
 
Yong How, Lim
Ranch Hand
Posts: 52
If you can convince the Firewall administrator to change the Firewall policy... then solution 1 is a preferred choice.

I do not advise on solution 2, unless you need to support additional web-based clients.

Alternatively, you can consider using RMI tunneling,
which could get you past the firewall using normal HTTP ports.

I have not tried it myself, but I believe it should work.
I did a quick Google search and found a brief discussion on RMI tunneling on the Sun website, but no detail on implementation:
http://java.sun.com/developer/community/chat/JavaLive/2000/jl0404.html


HTH
 
Ranch Hand
Posts: 46
Hello,

Why is the firewall an issue? If the Swing application is used by the travel agents, can't the travel agents' computers be inside the firewall? In this case, there would be no need for SSL between the travel agent's application and the app. server; also, the firewall would not be an issue.

Please respond to this.

Thanks in advance.

-Ravi
 
Yong How, Lim
Ranch Hand
Posts: 52
Hi Ravi,

What you said is true and possible only if ALL the travel agents are in the same physical location. In a real-life situation, I do not think this scenario will ever happen, so making it an assumption is not advisable.


HTH
 
Along huang
Ranch Hand
Posts: 72
Hi Lim, first, thank you for the reply!

As far as I know, a technique named tunnelling can solve the problem; it uses the HTTP protocol and port 80. But one book I looked at recommends that people not use this technique commonly because of its terrible performance.

best regards
 
Ravi Dhanum
Ranch Hand
Posts: 46
Hi Lim,

Thanks for the advice; it makes sense not to make that assumption.

Hi Along,

I don't know if tunneling is a good solution. Here's what Sun had to say about tunneling and I quote from "Sun Certified Enterprise Architect for J2EE Technology Study Guide" by Mark Cade and Simon Roberts, Section 5.9 Tunneling:

"Tunneling can be used to sneak past firewall restrictions either to get into a network or to get out of a network. Using tunneling to get out of a network might be a reasonable way to behave, but using it to get into a network usually suggests that someone doesn't understand his/her job."

What do you think? I too wonder how to solve the problem you mentioned.

Thanks for this discussion.

-Ravi
 
Ravi Dhanum
Ranch Hand
Posts: 46
Hello,

Can someone respond whether tunneling is a good approach? For the Swing application, I guess there are only 2 solutions: 1) using Java webstart, or 2) accessing the EJBs via JNDI using tunneling and SSL.

Am I correct in this assumption?

Thanks very much.

-Ravi
 
Along huang
Ranch Hand
Posts: 72
Hi Ravi,

I adopted the Java Webstart framework in a past project, which used a Swing + WebServer + AppServer + Database structure.

I found that it is very boring to use this framework, as the client tier must communicate with the web tier over a socket. It means that you have to modify some classes of the Struts framework so that the web tier can receive and send stream data to the client tier, which results in losing the integrality of Struts.

So I don't enjoy this kind of architecture; I prefer the two architectures below:
1) thick client: Swing + AppServer(EJB) + Database (i.e. java webstart, it needs also to bypass firewall)
2) thin client: Browser(IE) + WebServer + AppServer + Database

How is your Java Webstart structure? Is it like mine?

I have never tried the tunnelling technique, so I don't know the exact performance.
 
Ravi Dhanum
Ranch Hand
Posts: 46
Hello Along,

I have only used Java webstart once in the past with a web server (it's been a couple of years - I'm sorry I don't remember the configuration).


(i.e. java webstart, it needs also to bypass firewall)


Does this mean you are planning on using Java webstart to connect the EJB container and the Swing application?

Thank you and sorry for so many questions.

-Ravi
 
Along huang
Ranch Hand
Posts: 72
Hi, Ravi,

Does this mean you are planning on using Java webstart to connect the EJB container and the Swing application?

Sure is. I prefer that the Swing client directly access EJB, overleaping the web tier, but the precondition is that the firewall doesn't become a barrier.

best regards
 
Ravi Dhanum
Ranch Hand
Posts: 46
Along,

Thanks for the helpful input. As for the firewall, couldn't we handle it by:

1. Assuming that most of the travel agents will be inside the firewall, and
2. The remote travel agents will have a static IP address. The firewall will let them in because it knows them by their IP address.

Thanks...the emails are helpful.

-Ravi
 
Ravi Dhanum
Ranch Hand
Posts: 46
Along,

One more question. Have you considered using the J2EE client container? I am reading up on it now.

-Ravi
 
Along huang
Ranch Hand
Posts: 72
Ravi,

I am sorry, I don't understand what J2EE client container means. Could you explain it?

best regards
 
Ravi Dhanum
Ranch Hand
Posts: 46
Along,

The client container is described in the url:
Client Container Info

Let me know what you think. From what I read it can handle SSL. The authentication handling is not clear to me at this point.

-Ravi
 
Ravi Dhanum
Ranch Hand
Posts: 46
Along,

I am sorry, client container doesn't handle SSL because it is IIOP.
-Ravi
 