SocketPermission, Remote Port?

Douglas Rapp
Greenhorn

Joined: Nov 29, 2011
Posts: 11
Hi,

We have been developing a web application that gets deployed in Tomcat 6, using Java 6 Update 31. We had a requirement to develop a module that would listen for some simple TCP traffic on port x and then do some processing. Everything was working great until we went to enable the security manager, at which point we started getting some "AccessControlExceptions". That was to be expected, I thought... Tomcat's "catalina.policy" file was not configured to permit this behavior.

So, without thinking, I went into that policy file and added a "grant" field for this.. specifically:

(where 54321 was the port I was listening on).

Then, I tried it again, but once again was faced with the same "AccessControlException" errors! Looking closer at the stack traces, I noticed the following:



Why was it saying port 1527?? The IP was correct - that's the address of the machine connecting to my webapp. I then double-checked the client application to make sure it was configured to connect on 54321. It definitely was. However, I suspected some foul play...

So, I removed the security manager so that it could all run properly. Then, I added a little logging piece to my webapp that would spit out information on these TCP connections. Sure enough, I verified that I was accepting connections on port 54321 (or whatever port I cared to configure it to be), but that the remote port (the port being used by the client app) was different each time.

Then, I added the security manager back in and noticed that each time I tried to run it, I was getting that AccessControlException, each time with a different port!!

Finally, to try it out, I modified my policy file to use "*:*" instead of "*:54321". Voila, it worked perfectly. Unfortunately, I was providing permission for all ports...

So, my question is... why on Earth would I have to specify the remote port in the catalina.policy file? How does that give me any kind of control over my server's security?

Thanks,
Doug
Douglas Rapp
Greenhorn

Joined: Nov 29, 2011
Posts: 11
Anyone have any experience or advice here?
Jeff Verdegan
Bartender

Joined: Jan 03, 2004
Posts: 6109

Douglas Rapp wrote:I then double-checked the client application to make sure it was configured to connect on 54321. It definitely was. However, I suspected some foul play...

So, I removed the security manager so that it could all run properly. Then, I added a little logging piece to my webapp that would spit out information on these TCP connections. Sure enough, I verified that I was accepting connections on port 54321 (or whatever port I cared to configure it to be), but that the remote port (the port being used by the client app) was different each time.


That's totally expected. A TCP connection consists of 4 values: address1, port1, address2, port2.

If host X connects to port 80 on host Y, the normal approach on the X side is to let the OS assign the local port arbitrarily. So for consecutive connections from X to Y, you're likely to see something like:



In short, you can't predict the port on the client's end of the connection.

Now, I know nothing about how, or even if, this relates to your SecurityManager issues, but if the host in the error message is the client, then it seems that you need to "allow this client (or these clients or any client) to connect to my port 54321 from any client port".
Douglas Rapp
Greenhorn

Joined: Nov 29, 2011
Posts: 11
Ok, that's my understanding - that the local port for outgoing connections is arbitrary/random. So that makes sense that the client port as seen by my application is changing each time.

So what do I need to do in my policy file (for the security manager) to allow my application to accept connections on ANY host, on ANY client-side port, over server port 54321? It was my understanding that the permission line that I provided before accomplished this:



But apparently, I am mistaken.

Thanks for the help!
Doug

Jeff Verdegan
Bartender

Joined: Jan 03, 2004
Posts: 6109

Douglas Rapp wrote:
So what do I need to do in my policy file (for the security manager) to allow my application to accept connections on ANY host, on ANY client-side port, over server port 54321? It was my understanding that the permission line that I provided before accomplished this:





That I don't know about. The evidence here suggests that either a) What you're specifying there is the remote port, so you'd have to specify "*" or something, or b) What you're specifying there may indeed be the local port, but then there's apparently some other means to specify "any remote port". I'm not familiar with the details of the policy file, but this may hold some clues:

https://www.google.com/search?q=java+policy+file+remote+port --> http://java.sun.com/developer/onlineTraining/Programming/JDCBook/appA.html --> http://java.sun.com/developer/onlineTraining/Programming/JDCBook/appB.html --> (http://java.sun.com/developer/onlineTraining/Programming/JDCBook/appB.html#servsoc , http://java.sun.com/developer/onlineTraining/Programming/JDCBook/appB.html#socket)
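The following program is an added example (the editor's, not code posted by either participant) that demonstrates both points made in this thread at once: consecutive connections from the same client arrive from different OS-assigned source ports, and for the "accept" action java.net.SocketPermission's host:port names the remote peer (the client's address and source port), which is why a grant for "*:54321" only admits clients whose own port happens to be 54321. The listening port is instead what the "listen" action checks, as "localhost:<port>". It binds to a port chosen by the OS and builds the candidate grant strings itself; it does not assume anything about the original catalina.policy line beyond the "*:54321" quoted in the thread.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketPermission;

/*
 * Added example, not from the thread. Uses SocketPermission.implies() to evaluate
 * the same checks a SecurityManager would make around ServerSocket.bind() and
 * accept(), without installing a SecurityManager. Runs entirely on loopback.
 */
public class AcceptPermissionDemo {

    /** The permission ServerSocket.accept() asks the SecurityManager to check:
     *  remote address and remote (client-side) port of the accepted connection. */
    static SocketPermission acceptCheckFor(Socket accepted) {
        String remoteHost = accepted.getInetAddress().getHostAddress();
        return new SocketPermission(remoteHost + ":" + accepted.getPort(), "accept");
    }

    /** The permission ServerSocket.bind() asks the SecurityManager to check:
     *  always "localhost:<local port>", regardless of who later connects. */
    static SocketPermission listenCheckFor(int listenPort) {
        return new SocketPermission("localhost:" + listenPort, "listen");
    }

    public static void main(String[] args) throws IOException {
        InetAddress lo = InetAddress.getLoopbackAddress();
        try (ServerSocket server = new ServerSocket(0, 50, lo)) {   // port 0: OS picks a free port
            int listenPort = server.getLocalPort();

            // Candidate grants, as they would read in catalina.policy (constructed here):
            //   permission java.net.SocketPermission "*:<listenPort>", "accept";      <- what the thread tried
            //   permission java.net.SocketPermission "*:1024-65535", "accept";        <- any client source port
            //   permission java.net.SocketPermission "localhost:<listenPort>", "listen";
            SocketPermission narrowAccept = new SocketPermission("*:" + listenPort, "accept");
            SocketPermission ephemeralAccept = new SocketPermission("*:1024-65535", "accept");
            SocketPermission listenGrant = new SocketPermission("localhost:" + listenPort, "listen");

            System.out.printf("listen check %s granted by \"localhost:%d\" listen? %b%n",
                    listenCheckFor(listenPort).getName(), listenPort,
                    listenGrant.implies(listenCheckFor(listenPort)));

            for (int i = 1; i <= 2; i++) {
                // Each client connection gets a fresh OS-assigned source port.
                try (Socket client = new Socket(lo, listenPort);
                     Socket accepted = server.accept()) {
                    SocketPermission check = acceptCheckFor(accepted);
                    System.out.printf("connection %d: server side %s:%d, client side %s:%d%n", i,
                            accepted.getLocalAddress().getHostAddress(), accepted.getLocalPort(),
                            accepted.getInetAddress().getHostAddress(), accepted.getPort());
                    System.out.printf("  accept check is for %s%n", check.getName());
                    // false: the client's source port is not the listening port
                    System.out.printf("  granted by \"*:%d\" accept?       %b%n",
                            listenPort, narrowAccept.implies(check));
                    // true: any host, any port in the ephemeral range
                    System.out.printf("  granted by \"*:1024-65535\" accept? %b%n",
                            ephemeralAccept.implies(check));
                }
            }
        }
    }
}
```

Compile and run it with `javac AcceptPermissionDemo.java && java AcceptPermissionDemo`. The two accept checks print different client-side ports, the "*:<listenPort>" grant denies both, and the "*:1024-65535" grant admits both while still being narrower than the "*:*" grant the thread fell back to; restricting the host part (a specific address or "*.example.internal"-style wildcard) is where the real control over who may connect lives.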
Douglas Rapp
Greenhorn

Joined: Nov 29, 2011
Posts: 11
Jeff Verdegan wrote:
That I don't know about. The evidence here suggests that either a) What you're specifying there is the remote port, so you'd have to specify "*" or something, or b) What you're specifying there may indeed be the local port, but then there's apparently some other means to specify "any remote port". I'm not familiar with the details of the policy file, but this may hold some clues:

https://www.google.com/search?q=java+policy+file+remote+port --> http://java.sun.com/developer/onlineTraining/Programming/JDCBook/appA.html --> http://java.sun.com/developer/onlineTraining/Programming/JDCBook/appB.html --> (http://java.sun.com/developer/onlineTraining/Programming/JDCBook/appB.html#servsoc , http://java.sun.com/developer/onlineTraining/Programming/JDCBook/appB.html#socket)


Ok, thanks! I will take a look at those links.
Jeff Verdegan
Bartender

Joined: Jan 03, 2004
Posts: 6109

Douglas, please BeForthrightWhenCrossPostingToOtherSites so folks don't waste their time repeating each others' answers: https://forums.oracle.com/forums/thread.jspa?threadID=2380009&tstart=0

Thanks!
Douglas Rapp
Greenhorn

Joined: Nov 29, 2011
Posts: 11
Definitely. I cross post in order to gain the largest audience possible for something that appears to be an obscure-ish issue. It is definitely not a waste for two people to offer different viewpoints on the issue. And it's certainly not a waste by any means for one person to validate another's answer.

In order to be forthright about it, this question has been posted to two other locations (and I'll make sure to be upfront about it if it happens again in the future):
https://forums.oracle.com/forums/thread.jspa?threadID=2380009
http://stackoverflow.com/questions/10302394/socketpermission-client-port

Whatever solution(s) is/are ultimately found, I'll be sure to point to it/them for each forum.

Thanks,
Doug
Jeff Verdegan
Bartender

Joined: Jan 03, 2004
Posts: 6109

Douglas Rapp wrote:And it's certainly not a waste by any means for one person to validate another's answer.


You may not think so, but it's my time, and I consider it wasted if I post on one site only because I didn't know somebody else had already said the same thing elsewhere.

Douglas Rapp wrote:
In order to be forthright about it, this question has been posted to two other locations (and I'll make sure to be upfront about it if it happens again in the future):
https://forums.oracle.com/forums/thread.jspa?threadID=2380009
http://stackoverflow.com/questions/10302394/socketpermission-client-port

Whatever solution(s) is/are ultimately found, I'll be sure to point to it/them for each forum.


Thanks. We appreciate the courtesy. And good luck with it!