Java, as a network programming language, is popular throughout the programming world. With the java.net package, we can easily write flexible applications that communicate between client and server anywhere at any time. Of course, Java is still young and incomplete in many respects. Many Java developers have been disappointed to find that their users cannot run Java applications or applets normally when those users are behind firewalls that do not allow direct stream or datagram socket connections. In this article, I will illustrate how to let your applications pass through a firewall conveniently by calling some extended socket classes that use a SOCKS or HTTP proxy at the transport layer, since SOCKS and HTTP proxy services are widely provided on proxy servers.
Overview of Firewall/Proxy Architecture and Extendable Socket
A firewall is a security system intended to protect an intranet against external threats. It is used to limit direct communication between the internal network and the external world. A proxy server always resides behind the firewall to allow and relay particular kinds of message traffic between intranet clients and the Internet. The schemas of SOCKS and HTTP are as follows:

    ----------              ---------    |-|            ------------
    |        |    SOCKS     | SOCKS |    |-|   TCP/IP   |          |
    | Client | <----------> | Proxy | <--|-|----------> | Internet |
    |        |   Protocol   | Server|    |-| Protocols  |          |
    ----------              ---------    |-|            ------------
                                      Firewall

    ----------              ---------    |-|            ------------
    |        |     HTTP     | HTTP  |    |-|    HTTP    |          |
    | Client | <----------> | Proxy | <--|-|----------> | Internet |
    |        |   Protocol   | Server|    |-|  Protocol  |          |
    ----------              ---------    |-|            ------------
                                      Firewall

The firewall filters the byte stream that crosses it and transfers data according to its security policy. The socket stream in a Java application has to abide by the protocol standards for SOCKS and HTTP; otherwise the firewall will simply refuse and discard the unrecognized requests from our applications.

Although JDK 1.0 allowed licensees to subclass java.net.SocketImpl to provide added network transport functionality and to layer other protocols on top of TCP, only a single type of SocketImpl can be installed for a Java runtime, an annoying shortcoming that limits large-scale applications. Since the java.net classes in JDK 1.1 made the sockets (DatagramSocket/Socket/ServerSocket) non-final, extendable classes, we can write our own DatagramSocket, Socket, SocketImpl and SocketImplFactory to extend the Socket class with subclasses that transparently handle the handshake with a SOCKS or HTTP proxy behind certain kinds of firewalls. If you are interested in complementing and extending these socket subclasses to provide richer functionality at the application layer, please also read the Networking Guide carefully after downloading the zip file of source code and related documents for this article.
Through Firewall by SOCKS Proxy

    //Specify SOCKS proxy host in system properties
There are three main limitations once the java.net package's SOCKS support is enabled. First, all stream sockets in a Java runtime always go through the SOCKS server, even though stream socket connections to hosts on the inside should be sent directly and not through the firewall. Second, applications always throw java.net.UnknownHostException if the client cannot find the destination host's IP address, even when the SOCKS server can resolve the destination host's domain name. Third, applications that use java.net.DatagramSocket always fail to get through firewalls, because datagram packets cannot be relayed by the SOCKS4 protocol. Until the java.net package provides SOCKS4A/SOCKS5 support, the only way to solve these three problems is to construct extended socket classes for the SOCKS4A/SOCKS5 protocols.

The SOCKS 4A protocol, a simple extension to the SOCKS 4 protocol, is intended to allow the use of SOCKS 4 on hosts which are not capable of resolving all domain names. The SOCKS 5 protocol extends the SOCKS 4 model to include UDP (User Datagram Protocol), extends the framework to include provisions for generalized strong authentication schemes, and extends the addressing scheme to encompass domain names and IPv6 addresses. Java programmers who need SOCKS4A/SOCKS5 support do not have to learn in detail how the SOCKS4A/SOCKS5 protocols work or how the SocksSocketImpl class, an extended java.net.SocketImpl class, implements SOCKS4A and SOCKS5 support. The three classes in the zyh.net package that you need to care about are SocksSocket, SocksDatagramSocket and SocksSocketImplFactory. The APIs of SocksSocket and SocksDatagramSocket are nearly identical to those of java.net.Socket and java.net.DatagramSocket, so Java programmers should be able to change their Socket (or DatagramSocket) objects to SocksSocket (or SocksDatagramSocket) objects without difficulty. The replacements are shown below.
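Before the replacement code, the protocol difference described above can be seen in the request bytes: SOCKS4A appends the unresolved host name after a placeholder address, while SOCKS5 carries it in a typed address field. This is an added example, not code from the article or the zyh.net package; the class and method names are hypothetical, the sample values are constructed, and it is written for a current JDK rather than JDK 1.1.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;

// Added example (not zyh.net code). Host, port and user id in main are constructed values.
public class SocksRequestDemo {
    // SOCKS4A CONNECT: VN=4, CD=1, DSTPORT, DSTIP=0.0.0.1, USERID, NUL, host name, NUL.
    // The deliberately invalid address 0.0.0.x (x != 0) asks the server to resolve the name.
    static byte[] socks4aConnect(String host, int port, String userId) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(4); out.write(1);
        writePort(out, port);
        out.write(0); out.write(0); out.write(0); out.write(1);
        writeAscii(out, userId); out.write(0);
        writeAscii(out, host); out.write(0);
        return out.toByteArray();
    }

    // SOCKS5 CONNECT: VER=5, CMD=1, RSV=0, ATYP=3 (domain name), length, name, DSTPORT.
    // Sent after method negotiation (client greeting 05 01 00 offers "no authentication").
    static byte[] socks5Connect(String host, int port) {
        if (host.isEmpty() || host.length() > 255)
            throw new IllegalArgumentException("host name must be 1..255 bytes");
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(5); out.write(1); out.write(0); out.write(3);
        out.write(host.length());
        writeAscii(out, host);
        writePort(out, port);
        return out.toByteArray();
    }

    static void writePort(ByteArrayOutputStream out, int port) {
        if (port < 1 || port > 65535) throw new IllegalArgumentException("bad port " + port);
        out.write(port >> 8);    // network byte order: high byte first
        out.write(port & 0xFF);
    }

    static void writeAscii(ByteArrayOutputStream out, String s) {
        byte[] b = s.getBytes(StandardCharsets.US_ASCII);
        out.write(b, 0, b.length);
    }

    static String hex(byte[] data) {
        StringBuilder sb = new StringBuilder();
        for (byte b : data) sb.append(String.format("%02x ", b & 0xFF));
        return sb.toString().trim();
    }

    public static void main(String[] args) {
        System.out.println("SOCKS4A: " + hex(socks4aConnect("example.com", 80, "demo")));
        System.out.println("SOCKS5 : " + hex(socks5Connect("example.com", 80)));
    }
}
```

In both requests the name is resolved by the proxy, not the client, which is what removes the UnknownHostException limitation listed above.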
Replace
    Socket socket = new Socket(host, port);
With
    Socket socket = new zyh.net.SocksSocket(host, port);

For DatagramSocket (for more help on using SocksDatagramSocket, see EchoClient.java and EchoServer.java)
Replace
    DatagramSocket datagramSocket = new DatagramSocket();
With
    DatagramSocket datagramSocket = new zyh.net.SocksDatagramSocket();

If you wish to invoke the SOCKS4A/SOCKS5 support, you need to create a SocksSocketImplFactory factory once for a Java runtime.

For Socket (for more help on using SocksSocket, see Example2.java or Example3.java)
    zyh.net.SocksSocketImplFactory factory = new

For DatagramSocket (for more help on using SocksDatagramSocket, see EchoClient.java and EchoServer.java)
    //set stream to false for datagram packet.

If you wish to set some optional properties for the SOCKS server, for instance a username and password for a SOCKS5 server, just use a piece of code like:
    //Used to keep some optional properties

As you can see, once you have simply changed the Socket (or DatagramSocket) objects to SocksSocket (or SocksDatagramSocket) objects, your applications will be portable across different environments, whether or not they use a SOCKS proxy.

Through Firewall by HTTP Proxy with Tunneling Support
Besides the GET, HEAD and POST methods, HTTP/1.1 has expanded HTTP/1.0 to include five new methods: OPTIONS, PUT, DELETE, TRACE and CONNECT. Although all that RFC2616 says about the CONNECT method is a summary statement, "This specification reserves the method name CONNECT for use with a proxy that can dynamically switch to being a tunnel (e.g. SSL tunneling [44]).", HTTP/1.1 compatible web proxy servers do support tunneling of TCP based protocols. HttpSocket and HttpSocketImplFactory encapsulate this HTTP tunneling support by using the CONNECT method. You can skip directly to Part IV: Full-duplex Firewall Tunneling with Low Overhead, since the detailed usage of the HttpSocket class is very similar to that of SocksSocket.

Replace
    Socket socket = new Socket(host, port);
With
    Socket socket = new zyh.net.HttpSocket(host, port);

If you wish to invoke the HTTP tunneling support, you need to create a HttpSocketImplFactory factory once for a Java runtime.
    zyh.net.HttpSocketImplFactory factory = new zyh.net.HttpSocketImplFactory(httpProxyHost, httpProxyPort);

If you wish to set some optional properties for the HTTP proxy server, for instance a username and password, just use a piece of code like:
    //Used to keep some optional properties

Full-duplex Firewall Tunneling with Low Overhead
Replace
    Socket socket = new Socket(host, port);
With
    Socket socket = new zyh.net.HttpURLSocket(host, port);

If you wish to invoke the Full-duplex Firewall Tunneling support, you need to create a HttpURLSocketImplFactory factory once for a Java runtime.
    //httpURLProxyURL is the url of HttpURLConnection proxy
    //Used to keep some optional properties

Unifying the Programming Interface of Three Extended Sockets
    // Create a Properties object to contain
    // Set the proxy type, SuperSocket.HTTP,
    /*
    // Create a SuperSocketImpl factory.
    // Create a SuperSocket object
Because all of the extended socket classes in this article are built on the Socket class, and none of the extended SocketImpl classes contains any native code, using "Socket.setSocketImplFactory(factory)" for the java.net.Socket class is not supported. In an applet, they will work normally only when they have been granted the appropriate security permission to communicate directly with the proxy server.
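The CONNECT exchange that the HTTP proxy section relies on, shown as an added example that is not part of the original article or of the zyh.net package. The class and method names are hypothetical, example.com:443 is a constructed target, and the "proxy" is a stub on the loopback interface so the code runs offline on a current JDK.

```java
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;

// Added example (not zyh.net code); the loopback "proxy" in main is a constructed stub.
public class ConnectTunnelDemo {
    // Ask the proxy for a tunnel and hand back the socket only on a 2xx answer.
    static Socket openTunnel(String proxy, int proxyPort, String host, int port)
            throws IOException {
        Socket s = new Socket(proxy, proxyPort);
        String target = host + ":" + port;
        send(s, "CONNECT " + target + " HTTP/1.1\r\nHost: " + target + "\r\n\r\n");
        InputStream in = s.getInputStream();
        String status = readLine(in);            // "HTTP/1.1 200 Connection established"
        String[] parts = status.split(" ", 3);
        if (parts.length < 2 || !parts[1].startsWith("2")) {
            s.close();                           // e.g. 403 or 407: the proxy refused
            throw new IOException("proxy refused tunnel: " + status);
        }
        while (!readLine(in).isEmpty()) { }      // skip headers up to the blank line
        return s;                                // from here the stream is the raw tunnel
    }

    static void send(Socket s, String text) throws IOException {
        s.getOutputStream().write(text.getBytes(StandardCharsets.US_ASCII));
    }

    // Read one line byte by byte so no tunnel payload is swallowed by a buffer.
    static String readLine(InputStream in) throws IOException {
        StringBuilder sb = new StringBuilder();
        for (int c; (c = in.read()) != -1 && c != '\n'; ) if (c != '\r') sb.append((char) c);
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        try (ServerSocket stub = new ServerSocket(0, 1, InetAddress.getLoopbackAddress())) {
            Thread proxy = new Thread(() -> {
                try (Socket c = stub.accept()) {
                    String first = readLine(c.getInputStream());
                    while (!readLine(c.getInputStream()).isEmpty()) { }
                    send(c, "HTTP/1.1 200 Connection established\r\n\r\nstub saw: " + first + "\n");
                } catch (IOException e) { throw new UncheckedIOException(e); }
            });
            proxy.start();
            String addr = stub.getInetAddress().getHostAddress();
            try (Socket tunnel = openTunnel(addr, stub.getLocalPort(), "example.com", 443)) {
                System.out.println(readLine(tunnel.getInputStream()));
            }
            proxy.join();
        }
    }
}
```

A non-2xx status line means the proxy's policy did not allow the tunnel, so the example closes the socket and reports the status instead of treating the connection as established.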