Java vs. firewall: how to let Java applications have their own set of rules
Let's say I have coded a Java application that requires Internet access. Usually the firewall pops up and asks whether or not this is OK. Now I have the options to generally allow Internet access or use specific rules. Since I only check a web service I'd set a rule that restricts access to exactly that server at some port.
Now I have Java application #2 that also requires Internet access. If I decided to give application #1 full access then #2 also has full access. For the solution with the rule set above I'd need to add another rule or just give up and grant full access and, therefore, also give application #1 full access.
I guess you can see what my problem is. A while ago I ran into the same situation and I tried one or two wrappers that convert a JAR into an executable. I noticed that in the end they simply launched the JVM causing the usual Java binary to open the Internet connection.
So my question is: which options do I have to allow a user to specify different firewall rules for each Java application?
EDIT: after reading the first comment I'd like to make clear that I'm not thinking about how to configure the firewall, but rather have some way that Java applications themselves have a more or less unique way of identifying themselves or have another way of handling network access.
What you require is more fine-grained access. Why not author a policy file and allow the security manager to govern the SocketPermissions that are allotted to your program?
http://download.oracle.com/javase/7/docs/technotes/guides/security/permissions.html
Example below.
```
grant signedBy "paul" {
    permission java.net.SocketPermission "localhost:1024-", "accept, connect, listen";
};
```
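As an added example (not part of the answer above), here is a policy that admits only the web service host and a small program that asks the security manager whether a given host:port may be connected to, so the effect of the policy can be checked before any real socket is opened. The host names, port and policy file name are constructed for illustration; it assumes a JDK where the security manager can still be enabled (it is deprecated for removal since Java 17, JEP 411, and permanently disabled in JDK 24, JEP 486).

```java
// app.policy (constructed example): the only outbound connection allowed is the web service.
// grant {
//     permission java.net.SocketPermission "api.example.com:443", "connect,resolve";
// };
//
// Run with:  java -Djava.security.manager -Djava.security.policy=app.policy NetPolicyDemo
// Without -Djava.security.manager the policy file is simply not enforced.

import java.net.SocketPermission;

public class NetPolicyDemo {

    /**
     * Returns true if the active policy lets this code connect to host:port.
     * A missing security manager means "everything allowed", which is the
     * state the question is complaining about, so that case is made explicit.
     */
    static boolean mayConnect(String host, int port) {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            return true; // no manager installed: SocketPermission is never consulted
        }
        try {
            sm.checkPermission(new SocketPermission(host + ":" + port, "connect"));
            return true;
        } catch (SecurityException e) { // AccessControlException is a SecurityException
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("security manager installed: " + (System.getSecurityManager() != null));
        // Covered by the constructed policy above: expected true when run with the policy.
        System.out.println("api.example.com:443 -> " + mayConnect("api.example.com", 443));
        // Not covered by any grant: expected false when run with the policy.
        System.out.println("other.example.net:80 -> " + mayConnect("other.example.net", 80));
    }
}
```

The same check fires inside the JDK's own socket classes, so a real `new Socket("other.example.net", 80)` under this policy fails with a SecurityException rather than reaching the firewall at all.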
A firewall is like a semi-permeable membrane, allowing outbound but not inbound connections:
```
                     |
Outside world <===== | ====== Your computer
                     |
                 Firewall [OK]

                     |
Outside world ====== X =====> Your computer
                     |
                 Firewall [Disallowed]
```
One thing that you can do to get around this is to set up a proxy that is outside of the firewall that accepts inbound connections from the outside world, as well as inbound connections from your "real" server. The proxy can route the external requests to one of the inbound sockets from one of the servers:
```
                             |
Outside world ===> [Proxy] <===== | ====== Your computer
                             |
                         Firewall [OK]
```
That said, without knowing your exact situation, this might not be the best design choice. For example, you might be doing something that does not really require running a server, or maybe you really do want to be running a server, but maybe should be running one on cloud computing infrastructure. It is hard to recommend an actual design without additional details as to what you wish to accomplish.
Simple, silly way around this: copy and rename java.exe to different names.
If you have two apps, rename java[w].exe to:
```
MyApp.exe
MyApp2.exe
```
Then you can put specific rules in your firewall based on the executable.
Ship your JVM with your product and write a script to launch it and set the necessary variables for it to function independently of any other JVM on the system, i.e. set the classpath and run:
```
/app/launch/java -jar jar.file
```
This way only your version of Java is launched.