Can RMI bypass firewall?

I am designing an architechure for customer, which has a lot of interacting operations, so I think of using JavaWebStart which client directly access EJB components over RMI/JRMP.

But, between the client and the app server here is a firewall, then a doubt arise, if RMI/JRMP can bypass firewall? if can, how do I do?

Hi Along,

It depends on the Security Policy of the Firewall, whether it is restrictive access from the outside to the inside or vice-versa or both.

If the RMI clients is behind a firewall that has no restriction on outgoing packets (only restricting incoming packets), then it is ok, if not then you have a big problem.

Basically, RMI using a initial default port of 1099,
but the client may have other random ports for each connections.

Take a look at a page that I have found, it has some useful information on protocols/ports :
http://wiki.java.net/bin/view/People/WillieSCEAProtocol

HTH

Thank you for reply!

To such system, it is obvious to choose thick client, and here are two solutions below,
1. three tirs architecture: client + EJB + database
2. four tirs architeture: client + web + EJB + database

the problem is that I can't make decition of choosing 1 or 2, as they have their own advantage respectively.

to 1, it is efficient and simple, but encountering the firewall,
to 2, it use socket to connect web server, so it can't keep the state of session, therefore, all span-operation state have to be save in client. Furthermore, it is make the client and web server complex.

best regards

If you can convince the Firewall administrator to change the Firewall policy... then solution 1 is a preferred choice.

I do not advise on solution 2, unless you need to support additional web-based clients.

Alternatively, you can consider to use RMI Tunneling,
that could get you past the Firewall using normal HTTP ports.

I have not tried it myself, but I believe it should work.
I have done a quick google and found a brief discussion on RMI Tunneling on Sun website, but no detail on implementation :
http://java.sun.com/developer/community/chat/JavaLive/2000/jl0404.html


HTH

Hello,

Why is the firewall an issue? If the Swing application is used by the travel agents, can't the travel agents' computers be inside the firewall? In this case, there would be no need for SSL between the travel agent's application and the app. server; also, the firewall would not be an issue.

Please respond to this.

Thanks in advance.

-Ravi

Hi Ravi,

What you said is true and possible only if ALL the travel agents are in same physical location. In real life situation, I do not think this scenario will ever happen, so making it as an assumption is not adviseable.


HTH

hi Lim, first, thank you for reply!

As far as know, a technique named tunnelling can solve the problem, which use http protocol and 80 port. But, one book I had looked recommend that people don't use this technique commonly as its terrible performance.

best regards

Hi Lim,

Thanks for the advice; it makes sense not to make that assumption.

Hi Along,

I don't know if tunneling is a good solution. Here's what Sun had to say about tunneling and I quote from "Sun Certified Enterprise Architect for J2EE Technology Study Guide" by Mark Cade and Simon Roberts, Section 5.9 Tunneling:

"Tunneling can be used to sneak past firewall restrictions either to get into a network or to get out of a network. Using tunneling to get out of a network might be a reasonable way to behave, but using it to get into a network usually suggests that someone doesn't understand his/her job."

What do you think? I too wonder how to solve the problem you mentioned.

Thanks for this discussion.

-Ravi

Hello,

Can someone respond whether tunneling is a good approach? For the Swing application, I guess there are only 2 solutions: 1) using Java webstart, or 2) accessing the EJBs via JNDI using tunneling and SSL.

Am I correct in this assumption?

Thanks very much.

-Ravi

hi,Ravi,

I had adopted Java Webstart framework in my past project, which use Swing + WebServer + AppServer + Database structure.

I found that it is very boring to use this framework, as client tier must communicate with web tier over Socket, it means that you have to modify some classes of Structs framework so that web tier can receive and send stream data to client tier, it result in losing the integrality of the Structs.

So, I don't enjoy this kind of architecture, I prefer to the two architecture as below:
1) thick client: Swing + AppServer(EJB) + Database (i.e. java webstart, it needs also to bypass firewall)
2) thin client: Browser(IE) + WebServer + AppServer + Database

How is your Java Webstart structure? it is like mine?

I never try the Tunnelling technique so I don't know the exact performance.

Hello Along,

I have only used Java webstart once in the past with a web server (its been a couple of years - I'm sorry I don't remember the configuration).

(i.e. java webstart, it needs also to bypass firewall)

Does this mean you planning on using Java webstart to connect the EJB container and the Swing application?

Thank you and sorry for so many questions.

-Ravi

Hi, Ravi,

Does this mean you planning on using Java webstart to connect the EJB container and the Swing application?

Sure is, I perfer that client swing directly access EJB overleaping web tier, but the precondition is firewall don't become a barrier.

best regards

Along,

Thanks for the helpful input. As for the firewall, couldn't we handle it by:

1. Assuming that most of the travel agents will be inside the firewall, and
2. The remote travel agents will have a static ip address. The firewall will let them in because it knows them by their ip address.

Thanks...the emails are helpful.

-Ravi

Along,

One more question. Have you considered using the J2EE client container? I am reading up on it now.

-Ravi

Ravi,

I am sorry, I don't understand what J2EE client container mean. or could you explain it?

best regards

Along,

The client container is described in the url:
Client Container Info

Let me know what you think. From what I read it can handle SSL. The authentication handling is not clear to me at this point.

-Ravi

Along,

I am sorry, client container doesn't handle SSL because it is IIOP.
-Ravi