Naming services and the server machine

For example, suppose that a firewall has been installed that allows only HTTP connections to any server, and that an RMI server is behind the firewall. A client attempting to communicate with the server will need to use a different connection strategy depending on whether it is behind the firewall (e.g., located inside the intranet) or outside the firewall (e.g., located somewhere on the Internet). If the client is inside the firewall, then the first connection strategy (direct JRMP) is available and makes sense. If the client is outside the firewall, however, there are two options, depending on the details of the firewall policy. If the firewall allows HTTP connections on any port and doesn't insist that HTTP traffic flow through port 80, then the second option of sending HTTP information directly to the port on which the server listens is most efficient. However, if the firewall insists that all HTTP traffic be sent to port 80, then the fourth option is the only one that will work.

Topological Assumptions

In most of this chapter, we're assuming that the server is behind a firewall and that the primary question is whether or not the client is behind the same firewall. That is:

• There's a firewall preventing outside applications from talking directly to the server.
• The client may or may not be an outside application.

However, sometimes the client is behind a firewall that prevents it from connecting to the server because the client cannot connect to any outside server other than a proxy server for the Web. HTTP tunneling also works in this second case. The fundamental fact is that JRMP connections won't work, and RMI will have to resort to tunneling. The owner of the firewall, and whether it's there to prevent the computer running the client application from calling out or to prevent unauthorized access to a server, is irrelevant when a client attempts to connect to a server.

Client-side firewalls are different from server-side firewalls in one important respect, however. Server-side firewalls often don't block callbacks; their goal is to prevent unauthorized access to a server, not to prevent the server from connecting to other machines. Client-side firewalls, on the other hand, almost always block callbacks. Any machine that isn't allowed to make any connections without going through a proxy server is usually not allowed to accept connections either. This forces you to rewrite code that relies on server-side callbacks to instead use client-side polling.

22.3.1.1 Naming services and the server machine

Consider the previous five communications options. An important and frequently overlooked point is that the server machine in the fifth option is an abstraction; it does not have to be the machine on which the actual server object runs. Instead, it's simply a machine name stored in the stub. This name is generated whenever a stub is created from a server. The algorithm is:

• If it is defined, use the value of the java.rmi.server.hostname property.
• Otherwise, use the IP address (in dotted quad format) of the machine on which the server runs.

This extra level of indirection allows HTTP tunneling to be implemented flexibly. For example, suppose a firewall restricted all incoming connections to be HTTP connections, on port 80, of a specific web server. If we put our naming service outside the firewall, and set the value of java.rmi.server.hostname to be the name of the web server, then the fourth option will be used. That is, RMI will attempt to send messages to our servers by invoking a URL beginning with /cgi-bin/java-rmi.cgi.

This does not force the RMI server to run on the same machine as the web server. It simply means that we need to write a servlet class [6] that can perform the final step in redirecting the RMI request and then configure the web server to send all requests with appropriate URLs to our servlet. The resulting architecture resembles the diagram shown in Figure 22-4. The numbers show the flow of the messages, from 1 to 11.

[6] Or a CGI script. Servlets are usually a better idea, but there's nothing preventing you from writing this final redirection step in Perl.

Figure 22-4. The entire flow

Dealing with Network Address Translation

java.rmi.server.hostname can also be a very useful property when dealing with firewalls that perform Network Address Translation (NAT). When a server is behind such a firewall, it can have two symbolic names: the internal name used by machines behind the firewall and the external name used by machines outside the firewall. Stubs in RMI use symbolic names, not IP addresses. That is, when the stub is serialized and sent over the wire, names such as ftp.oreilly.com are sent instead of IP addresses such as 63.80.158.1. In order for the client to be able to connect to the server, the correct name must be included with the stub. This can be easily accomplished by setting java.rmi.server.hostname to the correct value.
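A check for the stub-naming rule described above, as an added example that is not from the book: it sets java.rmi.server.hostname, exports an object, serializes the stub as it would travel to a naming service or client, and confirms that the configured name is the one the stub carries. The StubHostCheck class, the Ping interface and the name www.example.com are assumptions made for the illustration.

```java
import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;
import java.nio.charset.StandardCharsets;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.server.UnicastRemoteObject;

public class StubHostCheck {
    // Hypothetical remote interface, used only for this example.
    public interface Ping extends Remote {
        String ping() throws RemoteException;
    }

    static class PingImpl implements Ping {
        public String ping() { return "pong"; }
    }

    // Serialize the stub the way it is sent over the wire and report
    // whether the given host name is embedded in the serialized form.
    static boolean stubAdvertises(Remote stub, String host) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(stub);
        }
        String wire = new String(buf.toByteArray(), StandardCharsets.ISO_8859_1);
        return wire.contains(host);
    }

    public static void main(String[] args) throws Exception {
        // Constructed external name (assumption). Set the property before
        // exporting, because the name is fixed when the stub is created.
        String external = "www.example.com";
        System.setProperty("java.rmi.server.hostname", external);

        PingImpl impl = new PingImpl();
        Remote stub = UnicastRemoteObject.exportObject(impl, 0); // anonymous port
        try {
            if (!stubAdvertises(stub, external)) {
                throw new IllegalStateException("stub does not carry " + external);
            }
            System.out.println("stub advertises " + external + ": " + stub);
        } finally {
            UnicastRemoteObject.unexportObject(impl, true);
        }
    }
}
```

Running it without the setProperty line makes the check fail, because the stub then carries the address the JVM detected for the local machine.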

22.4 A Servlet Implementation of HTTP Tunneling