Can RMI bypass firewall?
Along huang
Ranch Hand
Posts: 72
posted 12 years ago
I am designing an architechure for customer, which has a lot of interacting operations, so I think of using JavaWebStart which client directly access EJB components over RMI/JRMP.
But, between the client and the app server here is a firewall, then a doubt arise, if RMI/JRMP can bypass firewall? if can, how do I do?
But, between the client and the app server here is a firewall, then a doubt arise, if RMI/JRMP can bypass firewall? if can, how do I do?
SCJP1.4 SCJD 2<br />SCEA(In progressing)
Yong How, Lim
Ranch Hand
Posts: 52
posted 12 years ago
Hi Along,
It depends on the Security Policy of the Firewall, whether it is restrictive access from the outside to the inside or vice-versa or both.
If the RMI clients is behind a firewall that has no restriction on outgoing packets (only restricting incoming packets), then it is ok, if not then you have a big problem.
Basically, RMI using a initial default port of 1099,
but the client may have other random ports for each connections.
Take a look at a page that I have found, it has some useful information on protocols/ports :
http://wiki.java.net/bin/view/People/WillieSCEAProtocol
HTH
It depends on the Security Policy of the Firewall, whether it is restrictive access from the outside to the inside or vice-versa or both.
If the RMI clients is behind a firewall that has no restriction on outgoing packets (only restricting incoming packets), then it is ok, if not then you have a big problem.
Basically, RMI using a initial default port of 1099,
but the client may have other random ports for each connections.
Take a look at a page that I have found, it has some useful information on protocols/ports :
http://wiki.java.net/bin/view/People/WillieSCEAProtocol
HTH
Regards,<br /> Yong How, Lim<br /> SCEA, SCBCD, SCWCD, SCJD, SCJP, LPIC-1
Along huang
Ranch Hand
Posts: 72
posted 12 years ago
Thank you for reply!
To such system, it is obvious to choose thick client, and here are two solutions below,
1. three tirs architecture: client + EJB + database
2. four tirs architeture: client + web + EJB + database
the problem is that I can't make decition of choosing 1 or 2, as they have their own advantage respectively.
to 1, it is efficient and simple, but encountering the firewall,
to 2, it use socket to connect web server, so it can't keep the state of session, therefore, all span-operation state have to be save in client. Furthermore, it is make the client and web server complex.
best regards
To such system, it is obvious to choose thick client, and here are two solutions below,
1. three tirs architecture: client + EJB + database
2. four tirs architeture: client + web + EJB + database
the problem is that I can't make decition of choosing 1 or 2, as they have their own advantage respectively.
to 1, it is efficient and simple, but encountering the firewall,
to 2, it use socket to connect web server, so it can't keep the state of session, therefore, all span-operation state have to be save in client. Furthermore, it is make the client and web server complex.
best regards
SCJP1.4 SCJD 2<br />SCEA(In progressing)
Yong How, Lim
Ranch Hand
Posts: 52
posted 12 years ago
If you can convince the Firewall administrator to change the Firewall policy... then solution 1 is a preferred choice.
I do not advise on solution 2, unless you need to support additional web-based clients.
Alternatively, you can consider to use RMI Tunneling,
that could get you past the Firewall using normal HTTP ports.
I have not tried it myself, but I believe it should work.
I have done a quick google and found a brief discussion on RMI Tunneling on Sun website, but no detail on implementation :
http://java.sun.com/developer/community/chat/JavaLive/2000/jl0404.html
HTH
I do not advise on solution 2, unless you need to support additional web-based clients.
Alternatively, you can consider to use RMI Tunneling,
that could get you past the Firewall using normal HTTP ports.
I have not tried it myself, but I believe it should work.
I have done a quick google and found a brief discussion on RMI Tunneling on Sun website, but no detail on implementation :
http://java.sun.com/developer/community/chat/JavaLive/2000/jl0404.html
HTH
Regards,<br /> Yong How, Lim<br /> SCEA, SCBCD, SCWCD, SCJD, SCJP, LPIC-1
Ravi Dhanum
Ranch Hand
Posts: 46
posted 12 years ago
Hello,
Why is the firewall an issue? If the Swing application is used by the travel agents, can't the travel agents' computers be inside the firewall? In this case, there would be no need for SSL between the travel agent's application and the app. server; also, the firewall would not be an issue.
Please respond to this.
Thanks in advance.
-Ravi
Why is the firewall an issue? If the Swing application is used by the travel agents, can't the travel agents' computers be inside the firewall? In this case, there would be no need for SSL between the travel agent's application and the app. server; also, the firewall would not be an issue.
Please respond to this.
Thanks in advance.
-Ravi
Yong How, Lim
Ranch Hand
Posts: 52
posted 12 years ago
Hi Ravi,
What you said is true and possible only if ALL the travel agents are in same physical location. In real life situation, I do not think this scenario will ever happen, so making it as an assumption is not adviseable.
HTH
What you said is true and possible only if ALL the travel agents are in same physical location. In real life situation, I do not think this scenario will ever happen, so making it as an assumption is not adviseable.
HTH
Regards,<br /> Yong How, Lim<br /> SCEA, SCBCD, SCWCD, SCJD, SCJP, LPIC-1
Along huang
Ranch Hand
Posts: 72
posted 12 years ago
hi Lim, first, thank you for reply!
As far as know, a technique named tunnelling can solve the problem, which use http protocol and 80 port. But, one book I had looked recommend that people don't use this technique commonly as its terrible performance.
best regards
As far as know, a technique named tunnelling can solve the problem, which use http protocol and 80 port. But, one book I had looked recommend that people don't use this technique commonly as its terrible performance.
best regards
SCJP1.4 SCJD 2<br />SCEA(In progressing)
Ravi Dhanum
Ranch Hand
Posts: 46
posted 12 years ago
Hi Lim,
Thanks for the advice; it makes sense not to make that assumption.
Hi Along,
I don't know if tunneling is a good solution. Here's what Sun had to say about tunneling and I quote from "Sun Certified Enterprise Architect for J2EE Technology Study Guide" by Mark Cade and Simon Roberts, Section 5.9 Tunneling:
"Tunneling can be used to sneak past firewall restrictions either to get into a network or to get out of a network. Using tunneling to get out of a network might be a reasonable way to behave, but using it to get into a network usually suggests that someone doesn't understand his/her job."
What do you think? I too wonder how to solve the problem you mentioned.
Thanks for this discussion.
-Ravi
Thanks for the advice; it makes sense not to make that assumption.
Hi Along,
I don't know if tunneling is a good solution. Here's what Sun had to say about tunneling and I quote from "Sun Certified Enterprise Architect for J2EE Technology Study Guide" by Mark Cade and Simon Roberts, Section 5.9 Tunneling:
"Tunneling can be used to sneak past firewall restrictions either to get into a network or to get out of a network. Using tunneling to get out of a network might be a reasonable way to behave, but using it to get into a network usually suggests that someone doesn't understand his/her job."
What do you think? I too wonder how to solve the problem you mentioned.
Thanks for this discussion.
-Ravi
Ravi Dhanum
Ranch Hand
Posts: 46
Along huang
Ranch Hand
Posts: 72
posted 12 years ago
hi,Ravi,
I had adopted Java Webstart framework in my past project, which use Swing + WebServer + AppServer + Database structure.
I found that it is very boring to use this framework, as client tier must communicate with web tier over Socket, it means that you have to modify some classes of Structs framework so that web tier can receive and send stream data to client tier, it result in losing the integrality of the Structs.
So, I don't enjoy this kind of architecture, I prefer to the two architecture as below:
1) thick client: Swing + AppServer(EJB) + Database (i.e. java webstart, it needs also to bypass firewall)
2) thin client: Browser(IE) + WebServer + AppServer + Database
How is your Java Webstart structure? it is like mine?
I never try the Tunnelling technique so I don't know the exact performance.
I had adopted Java Webstart framework in my past project, which use Swing + WebServer + AppServer + Database structure.
I found that it is very boring to use this framework, as client tier must communicate with web tier over Socket, it means that you have to modify some classes of Structs framework so that web tier can receive and send stream data to client tier, it result in losing the integrality of the Structs.
So, I don't enjoy this kind of architecture, I prefer to the two architecture as below:
1) thick client: Swing + AppServer(EJB) + Database (i.e. java webstart, it needs also to bypass firewall)
2) thin client: Browser(IE) + WebServer + AppServer + Database
How is your Java Webstart structure? it is like mine?
I never try the Tunnelling technique so I don't know the exact performance.
SCJP1.4 SCJD 2<br />SCEA(In progressing)
Ravi Dhanum
Ranch Hand
Posts: 46
posted 12 years ago
Hello Along,
I have only used Java webstart once in the past with a web server (its been a couple of years - I'm sorry I don't remember the configuration).
Does this mean you planning on using Java webstart to connect the EJB container and the Swing application?
Thank you and sorry for so many questions.
-Ravi
I have only used Java webstart once in the past with a web server (its been a couple of years - I'm sorry I don't remember the configuration).
(i.e. java webstart, it needs also to bypass firewall)
Does this mean you planning on using Java webstart to connect the EJB container and the Swing application?
Thank you and sorry for so many questions.
-Ravi
Along huang
Ranch Hand
Posts: 72
posted 12 years ago
Hi, Ravi,
Sure is, I perfer that client swing directly access EJB overleaping web tier, but the precondition is firewall don't become a barrier.
best regards
Does this mean you planning on using Java webstart to connect the EJB container and the Swing application?
Sure is, I perfer that client swing directly access EJB overleaping web tier, but the precondition is firewall don't become a barrier.
best regards
SCJP1.4 SCJD 2<br />SCEA(In progressing)
Ravi Dhanum
Ranch Hand
Posts: 46
posted 12 years ago
Along,
Thanks for the helpful input. As for the firewall, couldn't we handle it by:
1. Assuming that most of the travel agents will be inside the firewall, and
2. The remote travel agents will have a static ip address. The firewall will let them in because it knows them by their ip address.
Thanks...the emails are helpful.
-Ravi
Thanks for the helpful input. As for the firewall, couldn't we handle it by:
1. Assuming that most of the travel agents will be inside the firewall, and
2. The remote travel agents will have a static ip address. The firewall will let them in because it knows them by their ip address.
Thanks...the emails are helpful.
-Ravi
Ravi Dhanum
Ranch Hand
Posts: 46
Along huang
Ranch Hand
Posts: 72
Ravi Dhanum
Ranch Hand
Posts: 46
posted 12 years ago
Along,
The client container is described in the url:
Client Container Info
Let me know what you think. From what I read it can handle SSL. The authentication handling is not clear to me at this point.
-Ravi
The client container is described in the url:
Client Container Info
Let me know what you think. From what I read it can handle SSL. The authentication handling is not clear to me at this point.
-Ravi
| It is sorta covered in the JavaRanch Style Guide. |