Tuesday, November 30, 2010

How to set up a secure environment for running Java on Linux

Enterprise Java expert Dennis Sosnoski starts by explaining his view of Java server technologies on Linux, then gives his suggestions for securely setting up the Tomcat Java servlet engine on Linux.

The Linux platform and the Java platform have had a long but sometimes uneasy relationship. Building high-performance virtual machines while keeping pace with the ever-growing collection of core Java APIs has made open-source "clean room" implementations of the Java platform very difficult, and this largely held back early efforts. Licensed implementations of Java technology are available for Linux, but they are not open-source code, so most Linux distributions do not include them. Despite these difficulties the Java platform offers many benefits, and licensed implementations are increasingly used on Linux, especially for server applications. In this article I review the Java platform for server applications, then look at the issues involved in deploying Java services on Linux simply and securely. As a practical example, I discuss the details of running the widely used Apache Software Foundation Tomcat Java servlet engine in standalone mode.

Why use the Java platform?

There are many reasons why the Java platform has become an accepted choice for server-based business applications. I will concentrate on the three I consider essential in this environment: cross-platform compatibility, a managed execution environment, and ease of development.

Java applications are binary-compatible across many operating systems and hardware platforms. This is especially true for non-GUI server applications, which usually need very little testing on the actual target system. Developers can code and debug on whichever platform they prefer and still deploy the application to environments they may not control directly.

The execution properties of the Java Virtual Machine (JVM) environment enhance security in several ways.
The most striking of these is that strict type checking, array bounds checking and automatic garbage collection combine to rule out the most destructive forms of attack on server code: buffer overflows, double frees and use of freed memory. The Java language was designed early on for applets, and over its development it has acquired a thorough system of fine-grained access control for facilities known to carry security risks. Standalone applications can choose whether to use these controls, but they are built into the architecture of many Java services.

The security features enforced by the execution environment also make development in the Java language more convenient. Any precise measurement of this kind of convenience is difficult, but most programmers who come to Java from a C or C++ background report that their productivity increased after the change. This is partly because of strict typing enforced both at compile time and at execution time, and partly because automatic memory management is simpler. Another factor is the standard collection of API extensions developed for the Java platform. These APIs can be a major challenge for newcomers, but once learned they provide excellent cross-platform support for a wide range of enterprise needs.

Of course, for some applications the Java platform may be a poor choice. Although JVM architectures keep improving, a Java application is typically somewhat slower than a C or C++ application using the same algorithms. In my experience and testing, I estimate the speed difference on a licensed JVM to be in the range of about 20 to 50 percent for most server applications, but this depends to a large extent on the quality of your code. Compared with a standalone program, a Java application running in the JVM also suffers from slow startup, although for a long-running server application this is usually not a major problem.
In most cases, reduced performance and slow startup are a small price to pay for the enhanced security and faster development the Java platform brings.

Open-source alternatives

Besides the licensed JVMs (free, but without source code; available for Linux from Sun, IBM, BEA and the Blackdown organization), several alternatives exist for Linux. These include "clean room" open-source JVM implementations, of which probably the most widely used is Kaffe (many Linux distributions include it). Kaffe is a very interesting project that has accomplished some surprising work, but it offers only limited compatibility with current licensed JVMs, so it is generally not used for the enterprise-class server applications this article is concerned with.

There are also several open-source alternatives in the form of native-code compilers for Java programs. The most important of these is GCJ, from the GNU Compiler Collection. A native-code compiler such as GCJ converts the platform-independent Java bytecode into platform-specific code before execution (in contrast to execution within a JVM, where the bytecode is usually converted to platform-specific code at run time). Native-code compilation looks like a promising way to avoid the slow startup of Java applications in a JVM. However, compilers using this approach generally cannot match the stability and performance of current licensed JVMs, and the problem is especially acute if the Java application uses the dynamic properties of the Java platform (such as using reflection to access fields, or selecting plug-in classes to execute at run time). Depending on the implementation and the compilation options, native-code compilation may also weaken many of the enforced security characteristics of the Java platform.
Finally, many Java APIs cannot be compiled to native code because of licensing issues. Because of these limitations, native-code compilation is not a good choice for Java platform server applications.

C#?

An alternative that has much in common with the Java execution environment is Microsoft's C# language and the related Common Language Runtime (CLR). C# is a close derivative of the Java language, and the CLR may in turn allow C# to run on many platforms. The CLR also provides many of the execution-time security features of the JVM (although with some severely weakened security guarantees). Microsoft's .NET implementation also supports precompilation to native machine code as an option for fast startup, as GCJ does for Java bytecode. Linux users cannot use this feature directly, of course, because .NET runs only on Windows systems.

The Mono Project is committed to providing "clean room" open-source equivalents of C# and the CLR for a variety of Linux products. The project's C# compiler is now developed, and most of the CLR that Microsoft has published for standardization is complete. But much remains to be done before it becomes a reasonable alternative to the Java platform from either a performance or a functional perspective. The CLR includes only the basic content equivalent to the Java core class libraries; it needs many additional APIs before it can be considered a reasonable option for enterprise software development. The Mono Project is also committed to developing ports of parts of .NET beyond the CLR. If these ports succeed, and if Microsoft does not impose its licensing on those parts of .NET, they will help to make C# a reliable platform for Linux server software development.
But a lot of work remains before those assumptions become reality. In the meantime, native-code Java compilers and open-source JVMs are a more stable alternative for users who really want to avoid licensed JVMs and can put up with limited functionality.

Apache Tomcat

One of the most widespread server applications based on the Java platform is Apache Tomcat. Tomcat is an open-source project that grew out of source code donated by Sun. It is the official reference implementation of servlet and JavaServer Pages (JSP) technology, an HTTP server technology developed by Sun through the Java Community Process and now in wide use. In this article I use Tomcat as a sample Java application to deploy as a service on Linux. If you want to try running Tomcat yourself, you will need to install a Java Development Kit (JDK) on your system rather than the smaller Java Runtime Environment (JRE).

Servlet and JSP technology are used to build HTTP server applications. Although servlet technology has many features (including access and security controls, session management and control of execution threads), it is roughly equivalent to a fast, direct-call CGI interface customised for the Java language. JSP technology provides a simple way of handling dynamically generated HTML pages; these pages are compiled directly into servlets for fast execution. Beyond these two technologies, Tomcat also offers many other features. On its own it is effectively a full-featured Web server, but on Linux systems it is commonly used with the Apache Web server as a front end. Apache serves static content much more efficiently than Tomcat, so an Apache front end is useful for Web applications with a high proportion of static content and heavy usage.
But for many simple Web applications there is no need for it, and Tomcat alone provides adequate performance with easier configuration and management (at least for those who have not used Apache before).

Port problems

A big problem with running Tomcat standalone is that it cannot access the standard HTTP port 80 unless it runs as the root user. Running a server application as root is an idea that finds little favour in security discussions, so I will dismiss it entirely! Using a port other than 80 (for example Tomcat's default port of 8080) is a better choice. This is usually fine for testing, but when users access the service it results in messy URLs, because the port number must be given explicitly in the request. Using a non-standard port also means that if external access is needed, you will have to configure every firewall along the way. Fortunately, Linux supports some easy ways of having Tomcat (or any other user-mode application) handle connection requests on port 80.

xinetd solution

One common approach uses xinetd. xinetd is a daemon for Internet services with support for access control and logging, and it also has a convenient redirection feature. Redirection lets you configure the system to accept a connection on one port and then pass the incoming request on to another port, or even to a different IP address, for handling. To set the system up so that Tomcat handles requests on port 80, you need to add an xinetd configuration file for this purpose. Assuming xinetd is installed in the usual path, you can do this by adding a file (as the root user) to the /etc/xinetd.d directory. Listing 1 shows a sample Tomcat configuration file.
Listing 1. xinetd redirect configuration

    # Redirects any requests on port 80
    # to port 8080 (where Tomcat is listening)
    service tomcat
    {
        socket_type = stream
        protocol    = tcp
        user        = root
        wait        = no
        port        = 80
        redirect    = localhost 8080
        disable     = no
    }

After adding the configuration file, you need to restart xinetd to actually activate the redirect. On most Linux installations you restart xinetd by running the following command as the root user:

    /sbin/service xinetd restart

As long as the configuration file is in the /etc/xinetd.d directory, the redirect will start automatically when you restart the system. If Tomcat is not set to start automatically, though, requests will be refused until you start it.

iptables solution

xinetd is a good way of handling request redirection, but it does add some overhead, because it performs the actual connection handling between the ports and relays the data. Recent Linux kernel versions support a better way of setting up redirects using iptables. The difference between iptables and xinetd is that iptables is a real kernel component, so it avoids the added overhead of the xinetd approach. The only drawbacks of iptables are that it may be harder to configure than xinetd and that it is only available with fairly recent kernel versions. You need a 2.4.x or later kernel with iptables support in order to use the technique I describe here.

Configuring and setting up iptables is a topic that deserves several articles of its own, so I will not attempt to cover it here. If you need help getting started with iptables, read the documentation for your Linux distribution. To quickly check whether iptables is running on your system, try executing the following as the root user:

    /sbin/service iptables status

If it is running, you will see a list of tables and chains on the console. iptables uses several different tables and chains of rules to process packets.
To redirect HTTP requests arriving on port 80 to another port on the system, you use the nat (Network Address Translation) table and the PREROUTING chain. Listing 2 gives the actual commands to execute (as the root user) in order to add a rule that handles these requests. The rule changes the destination port of incoming packets from 80 to 8080, so it only works correctly if port 8080 is not blocked from external use. Once you have executed the commands, requests should be accessible immediately.

Listing 2. iptables redirect rule

    /sbin/iptables -t nat \
        -A PREROUTING -j REDIRECT -p tcp \
        --destination-port 80:80 --to-ports 8080
    /sbin/service iptables save

The second command stores the current iptables configuration so that it survives a restart.
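As an added example that is not part of the original article, the following Python script audits both redirect set-ups offline. It parses an xinetd stanza like Listing 1 and an iptables-save dump containing the Listing 2 rule, and it checks the caveat above, that port 8080 must not be blocked: after the REDIRECT in the nat PREROUTING chain, the packet reaches the filter table's INPUT chain carrying destination port 8080, so INPUT has to accept that port. The sample inputs are constructed, the parsers only understand the directives used in the two listings, the port matcher accepts both the --dport 80 and --destination-port 80:80 spellings, and all function names are my own.

```python
"""Audit the xinetd (Listing 1) and iptables (Listing 2) port-80 redirects."""
import re
# Constructed sample stanza matching Listing 1 (not taken from a real host).
SAMPLE_XINETD = """\
service tomcat
{
    socket_type = stream
    protocol    = tcp
    user        = root
    wait        = no
    port        = 80
    redirect    = localhost 8080
    disable     = no
}
"""

def parse_xinetd_service(text):
    """Return (service_name, {attribute: value}) for one xinetd stanza."""
    m = re.search(r"service\s+(\S+)\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no service stanza found")
    attrs = {}
    for line in m.group(2).splitlines():
        line = line.split("#", 1)[0]            # drop comments
        if "=" in line:
            key, value = line.split("=", 1)
            attrs[key.strip()] = value.strip()
    return m.group(1), attrs

def check_xinetd_redirect(text, listen_port=80, tomcat_port=8080):
    """Return a list of findings (empty means the redirect looks correct)."""
    name, a = parse_xinetd_service(text)
    findings = []
    if a.get("disable", "no") != "no":
        findings.append(f"{name}: service is disabled")
    if a.get("port") != str(listen_port):
        findings.append(f"{name}: port is {a.get('port')!r}, expected {listen_port}")
    target = a.get("redirect", "").split()      # "host port"
    if len(target) != 2 or target[1] != str(tomcat_port):
        findings.append(f"{name}: redirect does not target port {tomcat_port}")
    return findings

# Constructed sample of iptables-save output after Listing 2 was applied on a
# host whose INPUT chain drops by default and only opens port 80.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""
# Same dump with INPUT opened for the port the packets carry after REDIRECT.
FIXED_IPTABLES_SAVE = SAMPLE_IPTABLES_SAVE.replace("--dport 80 -j ACCEPT", "--dport 8080 -j ACCEPT")

def parse_iptables_save(text):
    """Return ({table: {chain: policy}}, {table: [rule tokens, ...]})."""
    policies, rules, table = {}, {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:]
            policies[table], rules[table] = {}, []
        elif line.startswith(":") and table:
            chain, policy = line[1:].split()[:2]
            policies[table][chain] = policy
        elif line.startswith("-A ") and table:
            rules[table].append(line.split())
    return policies, rules

def _dport(tokens):
    """Destination port a rule matches ('80' or '80:80'), else None."""
    for flag in ("--dport", "--destination-port"):
        if flag in tokens:
            lo, _, hi = tokens[tokens.index(flag) + 1].partition(":")
            return int(lo) if hi in ("", lo) else None
    return None

def check_iptables_redirect(text, listen_port=80, tomcat_port=8080):
    """Findings for the Listing 2 rule, plus the caveat that filter/INPUT must
    accept tomcat_port, the port the packet carries after REDIRECT."""
    policies, rules = parse_iptables_save(text)
    findings = []
    if not any(t[1] == "PREROUTING" and "REDIRECT" in t and _dport(t) == listen_port
               and "--to-ports" in t and t[t.index("--to-ports") + 1] == str(tomcat_port)
               for t in rules.get("nat", [])):
        findings.append(f"nat/PREROUTING: no REDIRECT {listen_port} -> {tomcat_port}")
    inp = [t for t in rules.get("filter", []) if t[1] == "INPUT"]
    policy = policies.get("filter", {}).get("INPUT", "ACCEPT")
    targets = [t[t.index("-j") + 1] for t in inp if _dport(t) == tomcat_port]
    if "ACCEPT" not in targets and (targets or policy != "ACCEPT"):
        findings.append(f"filter/INPUT: port {tomcat_port} is blocked (policy {policy}), "
                        "so redirected requests never reach Tomcat")
    return findings

if __name__ == "__main__":
    for label, dump in (("as saved", SAMPLE_IPTABLES_SAVE), ("fixed", FIXED_IPTABLES_SAVE)):
        print(label, check_iptables_redirect(dump) or "OK")
```

Run against the constructed dump, the script reports that the default-DROP INPUT chain only opens port 80 and so silently discards the redirected traffic; against the fixed dump it reports nothing. On a real host, feed it the output of iptables-save and the contents of /etc/xinetd.d/tomcat instead of the embedded samples.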
