On its own, Java is a clean, easy-to-use language capable of enriching Web page content through applets and providing a level of interactivity far more flexible and sophisticated than the traditional HTML and CGI interfaces of pages and forms. However, the real potential of Java is realized when it "reaches out" from the Web to other applications and components. The emergence of a solid, widely-supported industry standard in CORBA allows for integration between Java and existing applications on a variety of platforms. A simple, configurable Java interface can provide a familiar, easy-to-use look and feel to existing mainframe, Windows or UNIX applications and databases. There are now several interoperable CORBA implementations for Java and a multitude of CORBA-based products that facilitate database access, legacy code integration and other aspects of Java/CORBA development. Developing Java applets as part of a rich, functional multi-tiered architecture is now straightforward and well-supported.
While distributed applications involving Java components are now popular on corporate Intranets, many organizations are still reluctant to migrate their existing applications to the Internet. The fear is that the Internet is a large, public network and some of its users will inevitably be hostile or mischievous. Although the Java language itself contains safeguards against hostile use, Internet users could conceivably send forged IIOP communication and perform unauthorized tasks on server machines, such as reading private information or manipulating or even deleting data. As the code and data involved in large-scale, legacy applications are often highly sensitive and hard to replace, this reluctance is understandable.
The challenge for CORBA is to provide a means by which all the functionality of Web-based, distributed applications is available to enterprise-scale users, without the potential for damage to data or violation of privacy. In addition, for a Java applet to connect to a fully-fledged, server-side distributed application, ways of navigating Java's security features must be found without compromising the protection that these features offer.
IONA's Orbix Wonderwall was developed with a view to addressing these issues. The Wonderwall is based on the traditional firewall model, and particularly the principle that "everything not specifically allowed must be denied." In terms of IIOP communication, this means that the developer chooses which operations are exposed to the Internet user. So, while a database engineer within the organization will be allowed to modify and maintain the entire system, a prospective Internet shopper will be limited to viewing certain areas of inventory and availability. As every communication must go through the Wonderwall, nothing illicit or dangerous can be sent. This model for security is intended for use with pure IIOP communication, but provides a means for "tunneling" or embedding IIOP requests and responses through the universal HTTP. So, while ideally pure, on-the-wire IIOP communication would be established on a standardised IIOP port, allowances are made for those accessing from a site where this port is disabled.
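The "everything not specifically allowed must be denied" rule, applied to IIOP requests, is sketched in the added example below; it is not Wonderwall code. It parses a GIOP 1.0 Request header (IIOP is GIOP carried over TCP) and forwards only operations on an allow-list. The policy entries, object key and function names are hypothetical, and the sample messages are constructed.

```python
import struct

# Hypothetical policy: the only (object key, operation) pairs exposed to Internet clients.
ALLOWED = {(b"Inventory", "view_stock"), (b"Inventory", "check_availability")}

class CDR:
    """Minimal CDR reader; alignment is relative to the start of the GIOP message."""
    def __init__(self, buf, little):
        self.buf, self.pos, self.fmt = buf, 12, "<I" if little else ">I"

    def ulong(self):
        self.pos = (self.pos + 3) & ~3           # ulongs are 4-byte aligned
        return struct.unpack(self.fmt, self.octets(4))[0]

    def octets(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("truncated message")
        out = self.buf[self.pos:self.pos + n]
        self.pos += n
        return out

def is_allowed(msg):
    """Default deny: True only for a well-formed GIOP 1.0 Request on the allow-list."""
    try:
        if len(msg) < 12 or msg[:4] != b"GIOP" or msg[4:6] != b"\x01\x00" or msg[7] != 0:
            return False                         # not GIOP 1.0, or not a Request
        cdr = CDR(msg, little=msg[6] == 1)
        if struct.unpack(cdr.fmt, msg[8:12])[0] != len(msg) - 12:
            return False                         # declared size must match what arrived
        for _ in range(cdr.ulong()):             # skip service contexts
            cdr.ulong()                          # context_id
            cdr.octets(cdr.ulong())              # context_data
        cdr.ulong()                              # request_id
        cdr.octets(1)                            # response_expected
        key = cdr.octets(cdr.ulong())            # object_key
        op = cdr.octets(cdr.ulong())             # operation, NUL-terminated string
        return op.endswith(b"\x00") and (key, op[:-1].decode("ascii")) in ALLOWED
    except (ValueError, UnicodeDecodeError, struct.error):
        return False                             # anything unparseable is denied

def build_request(key, op, big=True):
    """Constructed sample: a GIOP 1.0 Request with no service contexts or principal."""
    f = ">I" if big else "<I"
    pad = lambda b: b + b"\x00" * (-len(b) % 4)
    name = op.encode() + b"\x00"
    body = struct.pack(f, 0) + struct.pack(f, 1) + pad(b"\x01")
    body += pad(struct.pack(f, len(key)) + key) + pad(struct.pack(f, len(name)) + name)
    body += struct.pack(f, 0)                    # empty requesting_principal
    return b"GIOP\x01\x00" + bytes([0 if big else 1, 0]) + struct.pack(f, len(body)) + body
```

Later GIOP versions lay out the Request header differently, so this sketch denies them instead of guessing at the operation name.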
The use of one machine as a "bastion host", as in the traditional firewall model, not only enhances the security of a Java/CORBA application but also allows for negotiation of Java's built-in "sandboxing". By filtering and forwarding requests and responses through the bastion host, the basic one-to-one connection mandated by Java "sandboxing" is maintained, but access to a variety of different machines and components on the server side is permitted.
With these developments in assuring secure IIOP communication across the Internet and safeguarding the integrity of advanced server-side applications accessed through Java interfaces, the possibilities for developing and integrating powerful, globally distributed applications are limitless.
About the Author
Ben Walsh is Technical Marketing Executive at IONA Technologies plc, specializing in the Internet and related technologies.