JavaRanch » Java Forums » Certification » Architect Certification (SCEA/OCMJEA)
Can RMI bypass firewall?

Along huang
Ranch Hand

Joined: Feb 09, 2004
Posts: 72
I am designing an architecture for a customer which has a lot of interacting operations, so I am thinking of using Java Web Start, with the client directly accessing EJB components over RMI/JRMP.

But between the client and the app server there is a firewall, so a doubt arises: can RMI/JRMP bypass the firewall? If it can, how do I do it?


SCJP 1.4, SCJD 2, SCEA (in progress)
Yong How, Lim
Ranch Hand

Joined: Feb 22, 2005
Posts: 52
Hi Along,

It depends on the security policy of the firewall: whether it restricts access from the outside to the inside, or vice versa, or both.

If the RMI clients are behind a firewall that has no restriction on outgoing packets (only restricting incoming packets), then it is OK; if not, then you have a big problem.

Basically, RMI uses an initial default port of 1099,
but the client may have other random ports for each connection.

Take a look at a page that I found; it has some useful information on protocols/ports:
http://wiki.java.net/bin/view/People/WillieSCEAProtocol

HTH


Regards,
Yong How, Lim
SCEA, SCBCD, SCWCD, SCJD, SCJP, LPIC-1
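The random per-connection ports mentioned above are what make the firewall rule hard to write; pinning the exported object to a fixed port next to the registry keeps the rule to two TCP ports. This is an added example, not code from this thread: a minimal Java RMI server (Java 5 or later, so dynamic stubs are generated without rmic) whose Quote interface, hostname app.example.com and port numbers are constructed for illustration.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;

// Constructed remote interface standing in for whatever the EJB/RMI service exposes.
interface Quote extends Remote {
    double price(String ticker) throws RemoteException;
}

// Constructed implementation; returns a fixed value so the example runs without a database.
class QuoteImpl implements Quote {
    public double price(String ticker) {
        return 42.0;
    }
}

public class FixedPortRmiServer {
    static final int REGISTRY_PORT = 1099; // RMI registry, the well-known default
    static final int OBJECT_PORT   = 1100; // pinned export port instead of an ephemeral one

    public static void main(String[] args) throws Exception {
        // The stub handed to clients embeds this hostname; without it the JVM may pick an
        // internal address that clients on the far side of the firewall cannot route to.
        System.setProperty("java.rmi.server.hostname", "app.example.com"); // placeholder host

        // Export on a fixed port: the second argument is what keeps the firewall rule small.
        // Passing 0 here (or calling exportObject(obj)) lets the JVM choose a random port.
        Quote stub = (Quote) UnicastRemoteObject.exportObject(new QuoteImpl(), OBJECT_PORT);

        // Registry on 1099; clients look up "Quote" here, then talk to the object on 1100.
        Registry registry = LocateRegistry.createRegistry(REGISTRY_PORT);
        registry.rebind("Quote", stub);

        System.out.println("Quote service: registry on " + REGISTRY_PORT
                + ", remote object on " + OBJECT_PORT);
    }
}
```

With this layout the firewall only needs to permit inbound TCP 1099 and 1100 to the app server; every other exported object should be given a fixed port the same way, or the rule grows back to an ephemeral range.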
Along huang
Ranch Hand

Joined: Feb 09, 2004
Posts: 72
Thank you for the reply!

For such a system, it is obvious to choose a thick client, and here are two solutions:
1. three-tier architecture: client + EJB + database
2. four-tier architecture: client + web + EJB + database

The problem is that I can't decide between 1 and 2, as each has its own advantages.

For 1, it is efficient and simple, but it runs into the firewall.
For 2, it uses a socket to connect to the web server, so it can't keep the session state; therefore, all state spanning operations has to be saved in the client. Furthermore, it makes the client and web server complex.

best regards
Yong How, Lim
Ranch Hand

Joined: Feb 22, 2005
Posts: 52
If you can convince the firewall administrator to change the firewall policy... then solution 1 is the preferred choice.

I do not advise solution 2, unless you need to support additional web-based clients.

Alternatively, you can consider using RMI tunneling,
which could get you past the firewall using normal HTTP ports.

I have not tried it myself, but I believe it should work.
I have done a quick Google search and found a brief discussion of RMI tunneling on the Sun website, but no detail on implementation:
http://java.sun.com/developer/community/chat/JavaLive/2000/jl0404.html


HTH
Ravi Dhanum
Ranch Hand

Joined: Feb 27, 2005
Posts: 46
Hello,

Why is the firewall an issue? If the Swing application is used by the travel agents, can't the travel agents' computers be inside the firewall? In this case, there would be no need for SSL between the travel agent's application and the app server; also, the firewall would not be an issue.

Please respond to this.

Thanks in advance.

-Ravi
Yong How, Lim
Ranch Hand

Joined: Feb 22, 2005
Posts: 52
Hi Ravi,

What you said is true and possible only if ALL the travel agents are in the same physical location. In a real-life situation, I do not think this scenario will ever happen, so making it an assumption is not advisable.


HTH
Along huang
Ranch Hand

Joined: Feb 09, 2004
Posts: 72
Hi Lim, first, thank you for the reply!

As far as I know, a technique named tunnelling can solve the problem; it uses the HTTP protocol and port 80. But one book I have looked at recommends that people not use this technique commonly because of its terrible performance.

best regards
Ravi Dhanum
Ranch Hand

Joined: Feb 27, 2005
Posts: 46
Hi Lim,

Thanks for the advice; it makes sense not to make that assumption.

Hi Along,

I don't know if tunneling is a good solution. Here's what Sun had to say about tunneling and I quote from "Sun Certified Enterprise Architect for J2EE Technology Study Guide" by Mark Cade and Simon Roberts, Section 5.9 Tunneling:

"Tunneling can be used to sneak past firewall restrictions either to get into a network or to get out of a network. Using tunneling to get out of a network might be a reasonable way to behave, but using it to get into a network usually suggests that someone doesn't understand his/her job."

What do you think? I too wonder how to solve the problem you mentioned.

Thanks for this discussion.

-Ravi
Ravi Dhanum
Ranch Hand

Joined: Feb 27, 2005
Posts: 46
Hello,

Can someone respond whether tunneling is a good approach? For the Swing application, I guess there are only 2 solutions: 1) using Java webstart, or 2) accessing the EJBs via JNDI using tunneling and SSL.

Am I correct in this assumption?

Thanks very much.

-Ravi
Along huang
Ranch Hand

Joined: Feb 09, 2004
Posts: 72
Hi, Ravi,

I adopted the Java Web Start framework in a past project, which used a Swing + WebServer + AppServer + Database structure.

I found that it is very boring to use this framework, as the client tier must communicate with the web tier over a socket. This means that you have to modify some classes of the Struts framework so that the web tier can receive and send stream data to the client tier, which results in losing the integrity of Struts.

So I don't enjoy this kind of architecture; I prefer the two architectures below:
1) thick client: Swing + AppServer (EJB) + Database (i.e. Java Web Start; it also needs to bypass the firewall)
2) thin client: Browser (IE) + WebServer + AppServer + Database

What is your Java Web Start structure like? Is it like mine?

I have never tried the tunnelling technique, so I don't know the exact performance.
Ravi Dhanum
Ranch Hand

Joined: Feb 27, 2005
Posts: 46
Hello Along,

I have only used Java Web Start once in the past with a web server (it's been a couple of years - I'm sorry I don't remember the configuration).

(i.e. Java Web Start; it also needs to bypass the firewall)

Does this mean you are planning on using Java Web Start to connect the EJB container and the Swing application?

Thank you and sorry for so many questions.

-Ravi
Along huang
Ranch Hand

Joined: Feb 09, 2004
Posts: 72
Hi, Ravi,

Does this mean you are planning on using Java Web Start to connect the EJB container and the Swing application?

Sure is. I prefer that the Swing client directly access the EJBs, leaping over the web tier, but the precondition is that the firewall doesn't become a barrier.

best regards
Ravi Dhanum
Ranch Hand

Joined: Feb 27, 2005
Posts: 46
Along,

Thanks for the helpful input. As for the firewall, couldn't we handle it by:

1. Assuming that most of the travel agents will be inside the firewall, and
2. The remote travel agents will have a static IP address. The firewall will let them in because it knows them by their IP address.

Thanks...the emails are helpful.

-Ravi
Ravi Dhanum
Ranch Hand

Joined: Feb 27, 2005
Posts: 46
Along,

One more question. Have you considered using the J2EE client container? I am reading up on it now.

-Ravi
Along huang
Ranch Hand

Joined: Feb 09, 2004
Posts: 72
Ravi,

I am sorry, I don't understand what the J2EE client container means. Could you explain it?

best regards
Ravi Dhanum
Ranch Hand

Joined: Feb 27, 2005
Posts: 46
Along,

The client container is described in the URL:
Client Container Info

Let me know what you think. From what I read it can handle SSL. The authentication handling is not clear to me at this point.

-Ravi
Ravi Dhanum
Ranch Hand

Joined: Feb 27, 2005
Posts: 46
Along,

I am sorry, the client container doesn't handle SSL because it is IIOP.
-Ravi