Java-Gaming.org

Unsigned applet and TCP 'host' connection restriction
nouknouk
« Posted 2010-02-18 19:35:12 »

Hi,

I'm working on an online gaming website based on the (excellent) pulpcore framework, and so on an unsigned applet.
The game itself uses a TCP connection to my dedicated server. For the moment, both the web server (from where the applet is downloaded) and the 'TCP game server' are hosted on the same machine, so I don't face any SecurityException.

But I'll soon need to separate the web server from the game server.
Thus, I would like to understand how Java restricts TCP connections from untrusted applets: are the restrictions based on the DNS hostname or on the IP?

For example, say I have:
- one web server (www.mysite.com) where the applet is downloaded. It has IP 80.169.0.1
- another server with a different IP (80.169.0.2) and another domain name, but with the same 'second level domain' name (mysite.com), say 'tcpserver.mysite.com'

=> will a TCP connection in my applet be able to connect to 'tcpserver.mysite.com' even if the applet itself has been downloaded from 'www.mysite.com'?

=> If not, is there any way to make an unsigned applet connect to a server with a different IP, but on the same domain?


Many thanks in advance.
Riven
« Reply #1 - Posted 2010-02-18 20:17:17 »

Easiest solution: write a tiny application that listens on port N, and sends everything it receives to 'host 2'. Everything it receives from 'host 2' will be sent to the applet again, over the same TCP connection. The only downside is that you have twice the traffic, but usually that's not your bottleneck.

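Riven's relay, written out as an added example (this is not Riven's code, nor code from the thread): a small server-side program that listens on a port of the web server's IP, which the sandbox allows the applet to reach, and copies every byte to the real game server and back over the same client connection. The listen port, the target host name `tcpserver.mysite.com` and the target port are placeholders taken from the thread's scenario.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.ServerSocket;
import java.net.Socket;

/**
 * Tiny TCP relay: accepts applet connections on LISTEN_PORT (bound on the web
 * server's IP, so the applet sandbox permits the connection) and pipes every
 * byte to TARGET_HOST:TARGET_PORT and back over the same client socket.
 * Added example, not code from the thread; host and port values are placeholders.
 */
public class TcpRelay {
    static final int LISTEN_PORT = 7000;                       // "port N" the applet connects to
    static final String TARGET_HOST = "tcpserver.mysite.com";  // "host 2": the real game server (placeholder)
    static final int TARGET_PORT = 7000;

    public static void main(String[] args) throws IOException {
        try (ServerSocket server = new ServerSocket(LISTEN_PORT)) {
            System.out.println("relaying :" + LISTEN_PORT + " -> " + TARGET_HOST + ":" + TARGET_PORT);
            while (true) {
                Socket client = server.accept();
                Thread t = new Thread(() -> handle(client), "relay-" + client.getRemoteSocketAddress());
                t.setDaemon(true);
                t.start();
            }
        }
    }

    /** One relayed session: open the upstream leg, then pump both directions until either side closes. */
    static void handle(Socket client) {
        Socket upstream = null;
        try {
            // The destination is fixed in configuration; clients never choose it,
            // so the relay cannot be used to reach arbitrary hosts.
            upstream = new Socket(TARGET_HOST, TARGET_PORT);
            client.setTcpNoDelay(true);      // game traffic is latency-sensitive: do not batch small writes
            upstream.setTcpNoDelay(true);
            final Socket up = upstream;
            Thread toServer = new Thread(() -> pump(client, up));   // applet -> game server
            toServer.start();
            pump(up, client);                                       // game server -> applet, on this thread
            toServer.join();
        } catch (IOException | InterruptedException e) {
            System.err.println("relay session failed: " + e);
        } finally {
            closeQuietly(client);
            closeQuietly(upstream);
        }
    }

    /** Copy bytes from one socket to the other until EOF or error, then close both sides. */
    static void pump(Socket from, Socket to) {
        byte[] buf = new byte[8192];
        try {
            InputStream in = from.getInputStream();
            OutputStream out = to.getOutputStream();
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
                out.flush();
            }
        } catch (IOException e) {
            // peer closed or reset: fall through and tear the session down
        } finally {
            closeQuietly(from);   // closing both ends also unblocks the read in the other pump
            closeQuietly(to);
        }
    }

    static void closeQuietly(Socket s) {
        if (s == null) return;
        try { s.close(); } catch (IOException ignored) { }
    }
}
```

Compile with `javac TcpRelay.java` and run it on the machine that serves the applet; the applet then opens `new Socket("www.mysite.com", 7000)`, which the sandbox permits because the host resolves to the codebase IP. Keep the destination hard-wired as above and firewall the listen port to the game protocol only: a relay that let the client pick the destination would turn the web server into an open forwarder.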
Alan_W
« Reply #2 - Posted 2010-02-18 20:22:35 »

I believe the restriction is by IP address. If you provide a host name, Java does a DNS lookup.

There is some new cross-site functionality in Java 6. It might work, although I saw some posts in the Sun forums which suggested that it worked with URL connections but not raw sockets. If this is true, it might not help you.

https://jdk6.dev.java.net/plugin2/#CROSSDOMAINXML

I was interested myself, and found a demo here:
http://weblogs.java.net/blog/joshy/archive/2008/05/java_doodle_cro.html

There's some source code in a .zip further down the page. It appears to do an imageio.read(URL).

The crossdomain support appears to be in CheckConnect.

It seems to be regularly fixed and broken in each release, so probably not ready for production use yet.

http://forums.java.net/jive/thread.jspa?messageID=331872

SimonH
« Reply #3 - Posted 2010-02-18 22:47:52 »

Quote
=> If not, is there any way to make an unsigned applet connect to a server with a different IP, but on the same domain?

A workaround would be to have two applets on the page: the game applet <codebase=www.mysite.com> and a 1x1 pixel comms applet <codebase=tcpserver.mysite.com>.
Because applets can talk to each other, the comms applet can act as a bridge between the game and the server. Might be a bit slow...

Riven
« Reply #4 - Posted 2010-02-18 22:51:39 »

Quote
A workaround would be to have two applets on the page: the game applet <codebase=www.mysite.com> and a 1x1 pixel comms applet <codebase=tcpserver.mysite.com>.
Because applets can talk to each other, the comms applet can act as a bridge between the game and the server. Might be a bit slow...

Have you tried this?? AFAIK the security manager checks the host of the webpage, not the codebase of the applet.

SimonH
« Reply #5 - Posted 2010-02-19 02:04:09 »

Quote
Have you tried this?? AFAIK the security manager checks the host of the webpage, not the codebase of the applet.

Er, no. Not as such - I have run 2 applets from totally different codebases on the same page, but I haven't tried server comms with them. I assumed that if you can run an applet from a codebase then that applet can talk to that codebase? You think maybe not...?

Edit: just did a quick test and it does seem to work - maybe not all security managers are the same?

nouknouk
« Reply #6 - Posted 2010-02-19 13:25:41 »

Hi,

First, thanks for your replies.

I finally bought a domain to perform some tests.
Here is my precise testing configuration:

- one physical server with one (public) IP: IP1
- another physical server with two network cards and two (public) IPs: IP2 and IP3

- one domain name (mydomain.com), with:
 * mydomain.com => DNS A entry => IP1
 * subdomain.mydomain.com => DNS A entry => IP1
 * otherserver1.mydomain.com => DNS A entry => IP2
 * otherserver2.mydomain.com => DNS A entry => IP3

- a free (sub) domain from the 'no-ip.com' service (it's like dyndns) : 'mytestdomain.no-ip.org' => IP1

- plus another (default) DNS entry provided by my server provider: serverid.myprovider.com => IP2


Here are the first results:

-> with no security restriction (applet run locally), any host:port connection succeeded.

-> with the unsigned applet embedded (i.e. sandbox active) in a web page of subdomain.mydomain.com, I get:

* 'mydomain.com:80 : connexion SUCCEEDED.
* 'subdomain.mydomain.com:80 : connexion SUCCEEDED.
* 'otherserver1.mydomain.com:80 : connexion FAILED
* 'otherserver2.mydomain.com:80 : connexion FAILED
* 'serverid.myprovider.com:80 : connexion FAILED
* 'mytestdomain.no-ip.org:80 : connexion SUCCEEDED.

So it seems the security check is indeed based on the IP resolved by the DNS request, which is a problem for me.

I think I'll try some tests with one applet and a different CODEBASE parameter, as proposed by SimonH. But my problem is that I use the 'archive' tag to define the applet's JAR location; I suppose both won't be allowed, and (maybe) if I define a codebase with a different URL than the one where the JAR is located, the applet will throw a NoClassDefFound error because it won't find the applet's jar. Don't you think?

About having two applets in the same webpage: it's not really a solution for me, as:

- I did some tests a long time ago, and as far as I remember, compatibility with all browsers + all JREs (1.4+) was not guaranteed.

- I have constraints regarding network latency (think 'action game network requirements'), and I suppose that inter-applet communication will likely be a problem for that.

About cross-site functionality, it's not a solution for me either, as my applets must be compatible with any JRE 1.4+.

Note1: when the connection failed, the exception looks like "(java.security.AccessControlException: access denied (java.net.SocketPermission otherserver1.mydomain.com resolve))"

Note2: the code of the applet itself looks like:

import java.applet.Applet;
import java.net.Socket;

public class TestAppletSecurity extends Applet {
    @Override
    public void init() {
        System.out.println("TestAppletSecurity initialization.");
        // Each target is tried from inside the applet sandbox; results go to the Java console.
        testTcpConnexion("mydomain.com", 80);
        testTcpConnexion("subdomain.mydomain.com", 80);
        testTcpConnexion("otherserver1.mydomain.com", 80);
        testTcpConnexion("otherserver2.mydomain.com", 80);
        testTcpConnexion("serverid.myprovider.com", 80);
    }

    // Opens and immediately closes a TCP connection; a SecurityException raised by the
    // sandbox (or any I/O error) is reported as FAILED together with the exception text.
    public void testTcpConnexion(String host, int port) {
        try {
            Socket s = new Socket(host, port);
            s.close();
            System.out.println(" -> '"+host+":"+port+" : connexion SUCCEEDED.");
        } catch (Exception e) {
            System.out.println(" -> '"+host+":"+port+" : connexion FAILED ("+e+")");
        }
    }
}
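The verdicts nouknouk lists match what `java.net.SocketPermission.implies()` does: the sandbox grants the applet a SocketPermission for its codebase host, and when host names differ the permission check compares the resolved IP addresses, which is why a second DNS name for IP1 was allowed while names for IP2 and IP3 were not. The program below, an added example that is not nouknouk's or the thread's code, reproduces that comparison outside the browser so the verdict for a target host can be predicted before deploying. The default host names are the thread's placeholders; real DNS resolution is required at run time, and the `wouldAllow` helper is this example's own name, not a JDK API.

```java
import java.net.SocketPermission;
import java.util.Arrays;

/**
 * Predicts the unsigned-applet sandbox verdict for a TCP connection.
 * The plugin grants SocketPermission(codebaseHost, "connect,accept") and
 * SecurityManager.checkConnect() asks whether that grant implies a permission
 * for the target. SocketPermission.implies() compares host names and, when they
 * differ, the resolved IP addresses; an unresolvable name is never implied.
 * Added example, not code from the thread; host names below are placeholders
 * and must resolve in DNS for the comparison to be meaningful.
 */
public class SandboxConnectCheck {
    public static void main(String[] args) {
        // usage: java SandboxConnectCheck <codebaseHost> [targetHost ...]
        String codebaseHost = args.length > 0 ? args[0] : "subdomain.mydomain.com";
        String[] targets = args.length > 1
            ? Arrays.copyOfRange(args, 1, args.length)
            : new String[] { "mydomain.com", "otherserver1.mydomain.com", "mytestdomain.no-ip.org" };

        // What the applet sandbox grants for an applet loaded from codebaseHost.
        SocketPermission granted = new SocketPermission(codebaseHost, "connect,accept");

        for (String target : targets) {
            boolean ok = wouldAllow(granted, target, 80);
            System.out.println(target + ":80 -> " + (ok ? "allowed" : "denied (SocketPermission "
                + target + (resolveAllowed(granted, target) ? " connect)" : " resolve)")));
        }
    }

    /**
     * Mirrors the two checks behind new Socket(host, port): the host is first
     * resolved (checkConnect(host, -1), i.e. the "resolve" action), then the
     * "connect" action on host:port is checked.
     */
    static boolean wouldAllow(SocketPermission granted, String host, int port) {
        return resolveAllowed(granted, host)
            && granted.implies(new SocketPermission(host + ":" + port, "connect"));
    }

    /** The "resolve" step alone; this is the check that produced the AccessControlException in Note1. */
    static boolean resolveAllowed(SocketPermission granted, String host) {
        return granted.implies(new SocketPermission(host, "resolve"));
    }
}
```

Run it as `java SandboxConnectCheck subdomain.mydomain.com otherserver1.mydomain.com` on a machine whose resolver sees the public records. Because the answer is tied to the addresses returned by DNS at the moment of the check, it changes whenever an A record is moved to another IP, so a rule like "same second-level domain" cannot be relied on: only names that resolve to the codebase IP pass.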
Riven
« Reply #7 - Posted 2010-02-19 14:10:26 »

Seriously, do this:
Quote
Easiest solution: write a tiny application that listens on port N, and sends everything it receives to 'host 2'. Everything it receives from 'host 2' will be sent to the applet again, over the same TCP connection. The only downside is that you have twice the traffic, but usually that's not your bottleneck.

nouknouk
« Reply #8 - Posted 2010-02-19 15:06:51 »

Hi,

I already thought about such a solution, but it leads to four issues:

1- as you said, the use of the bandwidth is not efficient at all. And it will quickly become a problem as my bandwidth is not unlimited.

2- it will raise latency, and this won't be a good thing for my 'real time' requirements.

3- it will have an impact on server1's load (the one which runs the 'proxy' daemon), which is the thing I want to avoid (separation of web server and 'game server' is mostly intended to support load).

4- one option I was planning was to rent one dedicated server (for the 'game server') and only one 'web hosting' place (usually cheaper). But if I need proxy software on the same IP as the web server, this is no longer an option.
Riven
« Reply #9 - Posted 2010-02-19 16:10:43 »

Quote
Hi,

I already thought about such a solution, but it leads to four issues:

1- as you said, the use of the bandwidth is not efficient at all. And it will quickly become a problem as my bandwidth is not unlimited.

2- it will raise latency, and this won't be a good thing for my 'real time' requirements.

3- it will have an impact on server1's load (the one which runs the 'proxy' daemon), which is the thing I want to avoid (separation of web server and 'game server' is mostly intended to support load).

4- one option I was planning was to rent one dedicated server (for the 'game server') and only one 'web hosting' place (usually cheaper). But if I need proxy software on the same IP as the web server, this is no longer an option.


1. A factor of 2 isn't that bad. You can reduce traffic much more by having efficient network code.
2. An additional latency of under 1-2ms, which is negligible, as the location of the user can cause latencies of hundreds of millis.
3. You can handle hundreds of connections, with a Linux load near 0.01, when using NIO, if all the application does is redirect traffic.
4. Why? The proxy would run on the same IP, but a different port (not 80). A cheap VPS is all you need.

nouknouk
« Reply #10 - Posted 2010-02-22 13:56:37 »

Riven, the topic is not about finding a workaround (which will in any case restrict my possibilities), but more about having a precise and complete overview of what can be done (or not) with unsigned applets. Having the information is the first step. Given it, I'll decide on my own what is the best solution for my specific case.

So it's off topic, but just for information:
Quote
1. A factor of 2 isn't that bad. You can reduce traffic much more by having efficient network code.
2. An additional latency of under 1-2ms, which is negligible, as the location of the user can cause latencies of hundreds of millis.
3. You can handle hundreds of connections, with a Linux load near 0.01, when using NIO, if all the application does is redirect traffic.
4. Why? The proxy would run on the same IP, but a different port (not 80). A cheap VPS is all you need.

1. A factor of 2 is simply huge, and my network protocol is already efficient.
2. An additional latency of 1-2ms only holds if the two servers are hosted in the same place. Such a case forbids me to rent two separate servers from two different companies.
3. Good to know.
4. The solution was about renting only two servers: one for hosting only (so no 'root' access and no way to execute the proxy) and another one for the 'game server' only (dedicated server).
Riven
« Reply #11 - Posted 2010-02-22 17:31:50 »

At the risk of completely annoying you, let me add that you can solve #4 by putting the proxy on your dedicated server and actually tunnel traffic to your *website*.

Feel free to ignore.

DzzD
« Reply #12 - Posted 2010-02-22 19:09:44 »

Quote
4. The solution was about renting only two servers: one for hosting only (so no 'root' access and no way to execute the proxy) and another one for the 'game server' only (dedicated server).

So where is the problem? Just serve the applet (maybe in an IFrame if you want it merged with some of your website pages) from the game server and not from the "hosting" one?

<HTML>
<HEAD>
<TITLE> page served by http://website.com/</TITLE>
</HEAD>
<BODY>
<IFRAME src="http://game.website.com/applet.html?+someParametersFromWebSite"></IFRAME>
</BODY>
</HTML>


EDIT: also, I'm not sure that you can connect to a port other than the one that serves the applet with all JREs.

nouknouk
« Reply #13 - Posted 2010-02-22 19:54:34 »

AGAIN, the subject of the topic is to understand to what an unsigned applet can connect (or not), not finding a workaround.

And about your off-topic: let's try to make two applets communicate with each other in two different IFrames. Same question about the LiveConnect feature (i.e. JavaScript <=> Java calls). There are even other issues with the use of IFrames.



DzzD
« Reply #14 - Posted 2010-02-22 22:05:19 »

Quote
AGAIN, the subject of the topic is to understand to what an unsigned applet can connect (or not), not finding a workaround.

So the answer is no no no... An unsigned applet does not allow connecting to another server than the one the applet comes from, without a workaround (proxy)... end of the debate.

Quote
=> If not, is there any way to make an unsigned applet connect to a server with a different IP, but on the same domain?

Hey man! You ask for a workaround, you are off-topic!

Quote
And about your off-topic: let's try to make two applets communicate with each other in two different IFrames. Same question about the LiveConnect feature (i.e. JavaScript <=> Java calls). There are even other issues with the use of IFrames.

Er, why would you like to communicate client-side between two applets coming from a different server?

nouknouk
« Reply #15 - Posted 2010-02-22 22:28:27 »

That's it:
Quote
end of the debate

It was a pleasure, gentlemen.
Riven
« Reply #16 - Posted 2010-02-22 22:29:24 »

Please keep in mind we are trying to help you.
