Java vs. firewall: how to let Java applications have their own set of rules
Disclaimer: this page is a Chinese-English bilingual translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it, you must likewise follow the CC BY-SA licence, cite the original URL and author information, and attribute it to the original author (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/6592060/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me):
StackOverFlow
Asked by sjngm
Let's say I have coded a Java application that requires Internet access. Usually the firewall pops up and asks whether or not this is OK. Now I have the options to generally allow Internet access or use specific rules. Since I only check a web service I'd set a rule that restricts access to exactly that server at some port.
Now I have Java application #2 that also requires Internet access. If I decided to give application #1 full access then #2 also has full access. For the solution with the rule set above I'd need to add another rule or just give up and grant full access and, therefore, also give application #1 full access.
I guess you can see what my problem is. A while ago I ran into the same situation and I tried one or two wrappers that convert a JAR into an executable. I noticed that in the end they simply launched the JVM causing the usual Java binary to open the Internet connection.
So my question is: which options do I have to allow a user to specify different firewall rules for each Java application?
EDIT: after reading the first comment I'd like to make clear that I'm not thinking about how to configure the firewall, but rather have some way that Java applications themselves have a more or less unique way of identifying themselves or have another way of handling network access.
Accepted answer by Deepak Bala
When what you require is more fine-grained access, why not author a policy file and allow the security manager to govern the SocketPermissions that are allotted to your program?
http://download.oracle.com/javase/7/docs/technotes/guides/security/permissions.html
Example below.
grant signedBy "paul" {
    permission java.net.SocketPermission "localhost:1024-", "accept, connect, listen";
};
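A worked example of the policy-file approach, added here; it is not code from the original answer or from StackOverflow. It assumes a policy file named `app.policy` (constructed, shown in the comment header) that restricts the program to a single web-service host, and a hypothetical class `PolicyDemo`; the host names are made up for the demonstration. `SecurityManager.checkConnect` is the same check `java.net.Socket` performs before opening a connection, so the result reflects what a real connection attempt would hit. Two caveats a practitioner should keep in mind: the policy is enforced inside the JVM, not by the OS firewall, so whoever launches the JVM without `-Djava.security.manager` is not governed by it at all; and the SecurityManager mechanism was deprecated for removal in Java 17 (JEP 411), so this only works on JDKs that still ship it.

```java
// PolicyDemo.java  (added example, not from the original answer)
// Run with:
//   java -Djava.security.manager -Djava.security.policy=app.policy PolicyDemo
//
// app.policy (constructed for this example):
//   grant {
//       permission java.net.SocketPermission "api.example.com:443", "connect, resolve";
//   };
public class PolicyDemo {

    // Ask the installed SecurityManager whether a TCP connect to host:port
    // would be permitted under the current policy. Returns a boolean instead
    // of throwing so the outcome can be logged or acted upon by the caller.
    static boolean mayConnect(String host, int port) {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            // No manager installed: the policy file is not being enforced at all.
            // This is the failure mode to detect; the JVM was started without it.
            System.err.println("WARNING: no SecurityManager installed; app.policy is not enforced");
            return true;
        }
        try {
            sm.checkConnect(host, port); // throws SecurityException when the policy denies it
            return true;
        } catch (SecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Targets are constructed; only the first matches app.policy above.
        String[][] targets = {
            {"api.example.com", "443"},   // listed in app.policy  -> ALLOWED
            {"evil.example.net", "443"},  // host not listed       -> DENIED
            {"api.example.com", "8080"},  // right host, wrong port -> DENIED
        };
        for (String[] t : targets) {
            String host = t[0];
            int port = Integer.parseInt(t[1]);
            System.out.printf("%-18s:%-5d %s%n", host, port,
                    mayConnect(host, port) ? "ALLOWED" : "DENIED");
        }
    }
}
```

Running it with the `-Djava.security.manager` flags prints ALLOWED for the listed host and DENIED for the other two; running it without those flags prints the warning and ALLOWED for everything, which is exactly why this is an in-process control rather than a substitute for a per-application firewall rule.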
Answer by Michael Aaron Safyan
A firewall is like a semi-permeable membrane, allowing outbound but not inbound connections:
                      |
Outside world <===== | ====== Your computer
                      |
                  Firewall                [OK]

                      |
Outside world ====== X =====> Your computer
                      |
                  Firewall            [Disallowed]
One thing that you can do to get around this is to set up a proxy that is outside of the firewall that accepts inbound connections from the outside world, as well as inbound connections from your "real" server. The proxy can route the external requests to one of the inbound sockets from one of the servers:
                                    |
Outside world ===> [Proxy] <===== | ====== Your computer
                                    |
                                Firewall          [OK]
That said, without knowing your exact situation, this might not be the best design choice. For example, you might be doing something that does not really require running a server, or maybe you really do want to be running a server, but maybe should be running one on cloud computing infrastructure. It is hard to recommend an actual design without additional details as to what you wish to accomplish.
Answer by Andrew T Finnell
Simple silly way around this. Copy and rename java.exe to different names.
If you have two apps rename java[w].exe to:
MyApp.exe
MyApp2.exe
then you can put specific rules in your firewall based on executable.
Answer by Kristen Gillard
Ship your jvm with your product and write a script to launch it and set the necessary variables for it to function independent of any other jvm on the system.
I.e. Classpath /app/launch/java -jar jar.file
This way only your version of java is launched.