Re: Java security question in server environment

From: Nigel Wade <nmw@ion.le.ac.uk>
Newsgroups: comp.lang.java.programmer
Date: Fri, 05 Jan 2007 14:41:18 +0000
Message-ID: <enlo2e$o57$2@south.jnrs.ja.net>

Tom wrote:

> Hello all,
>
> I'm running a Java server using Sun's JRE using the following command:
>
> javaw.exe -jar c:\PHP\ext/JavaBridge.jar INET_LOCAL:9384
>
> I'm doing it this way instead of invoking Java from each apache instance
> because I don't want to run multiple Java processes and have the resource
> usage for each one.
>
> I'm then using the php-java bridge to access the java server and call
> functions via my php apps (mostly to access jasperreports).
>
> Is there a better way without having communications to the java server sent
> to a port via tcp/ip on the machine? Maybe direct interprocess
> communication using pipes or the filesystem?
>
> I'm concerned about this setup for publishing my server to the internet
> (currently it's only on the intranet) because couldn't theoretically a
> client machine directly call my java process on port 9384 and call java
> classes on my server? Am I missing something?


Firstly, if your machine is connected directly to the Internet it should really
have a firewall. That firewall ought not to have port 9384 open. If it's
connected via a NAT router then port 9384 on your server won't be visible to
the Internet unless you explicitly map it with a static NAT entry.

Secondly, I would interpret INET_LOCAL:9384 as an interface:port, and INET_LOCAL
to mean the loopback interface so that the Java server can only be contacted by
processes on the local machine. Of course, since I don't know JavaBridge and
its command line parameters I may be wrong. You should be able to determine
whether this is the case by looking to see what ports are open on what
interfaces. I'd expect that port 9384 is only open on the loopback interface.

--
Nigel Wade, System Administrator, Space Plasma Physics Group,
            University of Leicester, Leicester, LE1 7RH, UK
E-mail : nmw@ion.le.ac.uk
Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555
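
Added example, not part of the original post and not JavaBridge code: one way to do the check suggested above, by reading `netstat -an` output and reporting whether a port's listener is bound to loopback only. It assumes the Windows netstat column layout; the sample output and the function names are constructed for illustration.

```python
import ipaddress
import subprocess

# Constructed samples of Windows `netstat -an` output (not taken from the post).
SAMPLE_LOOPBACK = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    127.0.0.1:9384         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:9384         127.0.0.1:51022        ESTABLISHED
"""
SAMPLE_EXPOSED = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:9384           0.0.0.0:0              LISTENING
  TCP    [::]:9384              [::]:0                 LISTENING
"""

def listeners(netstat_text, port):
    """Return the set of local addresses that have a TCP listener on `port`."""
    found = set()
    for line in netstat_text.splitlines():
        cols = line.split()
        # Windows layout: Proto, Local Address, Foreign Address, State[, PID]
        if len(cols) < 4 or cols[0].upper() != "TCP":
            continue
        if cols[3].upper() != "LISTENING":
            continue  # skip established connections and other states
        host, _, local_port = cols[1].rpartition(":")
        if local_port == str(port):
            found.add(host.strip("[]"))  # IPv6 addresses are shown in brackets
    return found

def exposure(netstat_text, port):
    """Classify a port as 'not listening', 'loopback only' or 'non-loopback'."""
    addrs = listeners(netstat_text, port)
    if not addrs:
        return "not listening"
    for addr in addrs:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
        # 0.0.0.0 and :: mean "every interface", so they count as non-loopback
        if not ip.is_loopback:
            return "non-loopback"
    return "loopback only"

if __name__ == "__main__":
    # Run against the live machine; 9384 is the port from the question.
    live = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    print("port 9384:", exposure(live, 9384))
```

A "non-loopback" result means the listener accepts connections on a network-facing address, so only the firewall or NAT stands between it and remote clients.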
