IBM Research
 

Firewall Plugin

The FirewallPlugin demonstrates how to change firewall settings on a per-transaction basis. By default, this plugin is set up to pass requests for documents external to IBM through a specific socks server and requests internal to IBM directly. This is example code that will probably not work in your environment without modification.

Try It Out

  1. Set up the Plugin
    • Start WBI. Set up your web browser to use WBI as a proxy.
    • Register the Firewall plugin. At the WBI console, type (on one line)
         register com/ibm/wbi/projects/firewall/firewall.reg
      Alternatively you can register it using the Graphical User Interface.
    • Check to see whether the new plugin is registered and enabled and that the old one is disabled. Go to the WBI Setup page. The Firewall plugin should be listed in the table with a checkmark next to its name. If the plugin is not listed, try registering it again. If the checkmark is not there, click on the box to the left of the plugin name.
    • Open another browser window. Use that window to try out the plugin, and use this window to display the documentation. (To open another window using Microsoft Internet Explorer, go to File -> New -> Window. To open a window using Netscape Navigator, go to File -> New -> Navigator Window.)

  2. Having Trouble?


What It Does

The Firewall Plugin demonstrates how to use the setFirewallInfo method on RequestInfo or the FirewallRequestEditor bean to select which firewall settings a given transaction uses. Normally, WBI uses a single set of proxy or socks settings, as specified on the http://_wbi/setup page or in the "etc\config\wbi\TCPIP.prop" file. Using the setFirewallInfo method or the FirewallRequestEditor bean, however, the firewall settings can be set on a per-request basis.

This plugin provides a sample RequestEditor for an intranet application that routes requests through a socks firewall when they are destined for hosts outside the local intranet. Requests for pages inside the firewall are unaffected.

This plugin also provides a sample generator that allows a user to request individual URLs using specific firewall settings.


How It Works

There are two examples here. The first uses the FirewallRequestEditor bean to route requests through a specific socks or proxy machine depending on whether a request is for a local page (within the firewall) or a distant page (outside the firewall). Note that the example is hardcoded to use settings for IBM's intranet. To make it work in your environment, you must modify the code.

The first example uses a RequestEditor to determine whether the request is being made of a host inside or outside the local firewall. If the request is being made of a host inside the firewall, the request editor simply rejects the request, effectively passing it along without touching it. If the request is for a document on a host outside the firewall, the request editor forwards the request to a FirewallRequestEditor that has the appropriate socks server set.

The second example shows how to use the RequestInfo.setFirewallInfo() method to modify the proxy or socks settings for a particular transaction. In this case, the FirewallGenerator provides a way to fetch individual URLs through a specific firewall. That is, a client can request "http://_wbiFetch/get?url=http://www.ibm.com/&socks=socks.almaden.ibm.com" and WBI will fetch "http://www.ibm.com/" through the socks server "socks.almaden.ibm.com" and return the result to the client.


Known Problems

  1. Be sure that the firewall settings you specify are correct. Note that the FirewallRequestEditorDispatcher example is hardcoded to use settings for IBM's intranet. To make it work in your environment, you must change the code to use your own proxy or socks settings, and your own test to determine whether an address is inside or outside your firewall. This is example code rather than a working example that you can simply run without modification.
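
One way to write the inside/outside test that the note above says you must supply, as an added example (not the plugin's or WBI's own code). It uses no WBI classes; the class name, the `Route` enum, the domain suffix and the address ranges are constructed placeholders for your own site policy.

```java
import java.util.Locale;

public class InsideOutsideTest {
    enum Route { DIRECT, SOCKS }

    // Assumed site policy (constructed values, not from WBI; replace with your own).
    static final String[] INTERNAL_SUFFIXES = { "corp.example" };
    static final String[] INTERNAL_NETS = { "10.0.0.0/8", "192.168.0.0/16" };

    /** Parses a strict dotted-quad IPv4 literal; returns null for anything else. */
    static Integer parseIp4(String host) {
        String[] parts = host.split("\\.", -1);
        if (parts.length != 4) return null;
        int value = 0;
        for (String part : parts) {
            if (!part.matches("\\d{1,3}")) return null;
            int octet = Integer.parseInt(part);
            if (octet > 255) return null;
            value = (value << 8) | octet;
        }
        return value;
    }

    static boolean inNet(int ip, String cidr) {
        String[] c = cidr.split("/");
        int bits = Integer.parseInt(c[1]);
        int mask = bits == 0 ? 0 : -1 << (32 - bits);
        return (ip & mask) == (parseIp4(c[0]) & mask);
    }

    static Route routeFor(String host) {
        String h = host.toLowerCase(Locale.ROOT);
        if (h.endsWith(".")) h = h.substring(0, h.length() - 1); // drop the root dot
        Integer ip = parseIp4(h);
        if (ip != null) {
            for (String net : INTERNAL_NETS) if (inNet(ip, net)) return Route.DIRECT;
            return Route.SOCKS;
        }
        // Match on a label boundary so "notcorp.example" is not treated as internal.
        for (String s : INTERNAL_SUFFIXES)
            if (h.equals(s) || h.endsWith("." + s)) return Route.DIRECT;
        return Route.SOCKS; // unknown hosts default to the socks route
    }

    public static void main(String[] args) {
        String[] hosts = { "wiki.corp.example", "CORP.EXAMPLE.", "notcorp.example",
                           "corp.example.outside.test", "10.1.2.3", "11.0.0.1" };
        for (String h : hosts) System.out.println(h + " -> " + routeFor(h));
    }
}
```

A plain `endsWith("corp.example")` check would classify `notcorp.example` as internal and send it around the socks server, which is why the comparison is anchored on the leading dot.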


Some key WBI classes that were used:

Package com.ibm.wbi.protocol.http.beans
FirewallRequestEditor Can change the firewall settings for a request using this bean.
Package com.ibm.wbi.protocol.http.sublayer
FirewallInfo Object that can be used to change the firewall settings on a per-transaction basis.


The Source

FirewallPlugin.java
Contains the entire plugin source.
firewall.reg
Contains the necessary code to register the plugin with WBI. Registration is done through WBI during runtime.