[omniORB] IIOP communication via Firewall

Duncan Grisby dgrisby@uk.research.att.com
Mon, 22 Oct 2001 15:48:18 +0100


On Monday 22 October, Clement VISSEAUX wrote:

> Is it possible to access a CORBA application, distributed over the internet,
> without modifying client firewall policy?

It depends how restrictive the firewall is.

> i.e.: dynamic allocation of socket port via CORBA is in contradiction
> with security firewall policy?
> In some cases, it is not possible to deploy CORBA through client
> firewalls, so that proxies have to convert CORBA objects into
> XML-RPC calls or SOAP calls through HTTP

If the firewall just blocks everything except port 80, it's trivial to
force your CORBA servers to listen on port 80, even though they aren't
talking HTTP. If the firewall checks that the traffic really is HTTP,
that won't work. Any firewall that strict is probably going to start
filtering out XML-RPC and SOAP calls soon, too, since they're just as
dangerous as calls to any other port.

If the issue is that the firewall blocks incoming calls to objects
used for callbacks, bi-directional IIOP solves the problem. The client
opens a connection to the server, and the server then contacts
callback objects on the same TCP connection, rather than attempting to
open a new connection. omniORB 4 supports bi-directional IIOP.

Note that the problem solved by bi-directional IIOP is not an issue in
XML-RPC and SOAP since they have no concept of an object reference.
You can't specify callbacks at all, so there can be no problem with
contacting them!

What exactly do you need to do?

Cheers,

Duncan.

-- 
 -- Duncan Grisby  \  Research Engineer  --
  -- AT&T Laboratories Cambridge          --
   -- http://www.uk.research.att.com/~dpg1 --
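
Added example (not part of the original message and not omniORB code): a minimal sketch of the kind of check a firewall makes when it "checks that the traffic really is HTTP", telling IIOP apart from HTTP on port 80 by decoding the fixed 12-byte GIOP message header. The function names and the sample flows are constructed for illustration.

```python
import struct

GIOP_TYPES = ("Request", "Reply", "CancelRequest", "LocateRequest",
              "LocateReply", "CloseConnection", "MessageError", "Fragment")
HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"TRACE ", b"CONNECT ")

def parse_giop_header(data):
    """Decode the fixed 12-byte GIOP message header, or return None."""
    if len(data) < 12 or data[:4] != b"GIOP":
        return None
    major, minor, flags, msg_type = data[4:8]
    if major != 1 or msg_type >= len(GIOP_TYPES):
        return None
    # Bit 0 of the flags octet gives the sender's byte order (1 = little-endian).
    little_endian = bool(flags & 1)
    (size,) = struct.unpack("<I" if little_endian else ">I", data[8:12])
    return {"version": (major, minor), "little_endian": little_endian,
            "type": GIOP_TYPES[msg_type], "size": size}

def looks_like_http_request(data):
    """True if the first line is '<METHOD> <target> HTTP/<version>'."""
    if not data.startswith(HTTP_METHODS):
        return False
    parts = data.split(b"\r\n", 1)[0].split(b" ")
    return len(parts) == 3 and parts[2].startswith(b"HTTP/")

def classify_first_bytes(data):
    if parse_giop_header(data) is not None:
        return "giop"
    if looks_like_http_request(data):
        return "http"
    return "unknown"

def non_http_flows(flows):
    """Names of flows whose first client bytes are not an HTTP request."""
    return sorted(n for n, d in flows.items() if classify_first_bytes(d) != "http")

# Constructed sample data: first client bytes of four flows to port 80.
SAMPLE_FLOWS = {
    "flow-a": b"GIOP" + bytes([1, 2, 0, 0]) + struct.pack(">I", 64) + bytes(64),
    "flow-b": b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "flow-c": b"GIOP" + bytes([1, 0, 1, 0]) + struct.pack("<I", 24) + bytes(24),
    "flow-d": b"POST-ish bytes that are not a request line\r\n",
}

if __name__ == "__main__":
    for name, data in SAMPLE_FLOWS.items():
        print(name, classify_first_bytes(data), parse_giop_header(data))
```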