I'm gonna go out on a limb and say that the way you're implementing it now
is more secure.  I think so because you have no connection to the
application server from the outside, right now, as far as I know.  Once the
jrun server is on the app server, you're going to have to allow direct
connections to the app server or stand a proxy in the way.  If there's a
proxy in the way then screw it, 'cuz you're going to have to do fancy stuff
to make it work, anyway, so leave it alone.  If there's no proxy, then
connections are coming through your firewall from the outside.  You can, of
course, deny everything except port 80, but then your firewall rules change,
and that involves more work.  I say to leave it alone.
Of course, I could be wrong.

-----Original Message-----
From: A mailing list for discussion about Sun Microsystem's Java Servlet
API Technology. [mailto:[EMAIL PROTECTED]]On Behalf Of
Jeffrey D. Curry
Sent: Wednesday, March 24, 1999 10:15 PM
To: [EMAIL PROTECTED]
Subject: *Architecture/security question using RMI and Servlets*


Currently, I have JRun running with NES 3.6 on the web server.  Some of the
 servlets act as RMI Clients and access an RMI Server on the application
 server through a firewall.  This works fine.

 Although, someone is trying to point out that doing it the following way
 would be a lot easier and just as secure.  (I.E.  Re-do my architecture)
 I'm trying to poke holes in this and I'm HOPING someone else can support me:

 Instead of having JRun run with NES on the web server, they want to have
 JRun run, in standalone mode, on the application server.  The Servlets, on
 the app server, would then make calls directly to the database.  The web
 pages, on the web server, would point to the JRun instance + servlet name
 on the app server (versus to a servlet on the web server).  There's still a
 firewall between the web & application servers.

 1.)  Is this second way secure?  If so, or if not, please let me know which
 one is more secure and for what reasons.
 2.)  Is this way beneficial AT ALL over the first method?
 3.)  Is this way documented or is anyone using this method?

 If you could PLEASE get back to me ASAP (like by 3/25) I'd appreciate it
 GREATLY!

 Thank you

___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".

Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
