JFileUpload with FTP - Firewall settings


Post by support »

You may experience connection and/or transfer issues when using FTP. Most problems come from firewall (or intrusion prevention/antivirus tool) settings. To understand (and troubleshoot) them, you have to know some basics about the FTP protocol itself.

1 - FTP (File Transfer Protocol) relies on two communication channels: the Command channel and the Data channel. The Command channel is used to connect and send FTP commands, and the Data channel is used to transfer content (list files, upload/download). The Command channel usually communicates through TCP port 21.

2 - Two modes are available to transfer data: Active mode and Passive mode. With Active mode, the server initiates the connection to the client for the transfer. With Passive mode, the client continues to initiate the connection and the server returns a dynamic TCP port (for each transfer) to connect to.

There are 2 features that are not firewall friendly: "incoming connection" and "dynamic TCP ports". The main (security) issue is the incoming connection; that's why JFileUpload does not use Active mode by default. If you want to use Active mode then you will have to allow incoming connections on TCP port 20 (and set the "pasv"="false" extra parameter). So, the JFileUpload default configuration is Passive mode. Again, it's not firewall friendly, because to support dynamic TCP ports you would need to disable the firewall (damned!). Fortunately, most FTP servers provide TCP range selection for passive mode. Once enabled (e.g. ports 50000-51000), you just need to open that outgoing TCP range on the firewall.

Note: You can notice this problem with any regular FTP client (such as FileZilla). The main difference with an applet is that a regular FTP client can set up a firewall exception during its installation step. An applet cannot, as it relies on the JRE (Java Runtime). It means that a firewall exception has to be added manually for the JRE process.

Finally, and specifically if you're using JRE 1.7 + Windows + IPv6, you have one more problem with passive mode due to a bug with IPv6. You can get a "recv failed" socket error.
See: http://bugs.sun.com/bugdatabase/view_bu ... id=7077696 (this bug is still open). Workarounds are provided but require action on the client side (add -Djava.net.preferIPv4Stack=true in the Java control panel), which may not be possible for a large deployment.

So, it sounds like FTP is becoming a pain for large deployments as security restrictions increase?
Answer: Yes.

What are the alternatives to FTP?

1 - Use the SFTP add-on. It's SFTP over SSH; only outgoing TCP port 22 is required (but you need an FTP server that supports SSH).
2 - Use HTTP/S instead of FTP. Only outgoing TCP port 80 (or 443) is required.
JFileUpload supports FTP, FTP/S, SFTP/SSH, SCP/SSH, HTTP and HTTP/S.
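
An added example, not part of the original post or of JFileUpload: a small Python check that reads passive-mode replies from an FTP command-channel log and reports which data ports fall outside the outgoing range opened on the firewall. The 50000-51000 range is the post's example; the log lines are constructed, and handling of the extended passive reply (229, used over IPv6) goes beyond what the post describes.

```python
import re

# Assumption: the server's passive range is the post's example, 50000-51000.
PASV_RANGE = range(50000, 51001)

# 227 reply: (h1,h2,h3,h4,p1,p2) -> port = p1 * 256 + p2
_PASV = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# 229 reply (extended passive): (|||port|), delimiter is usually '|'
_EPSV = re.compile(r"^229 .*?\((.)\1\1(\d{1,5})\1\)")


def data_port(reply):
    """Return (host, port) from a 227/229 reply; host is None for 229."""
    m = _PASV.match(reply)
    if m:
        nums = [int(x) for x in m.groups()]
        if any(n > 255 for n in nums):
            raise ValueError("octet out of range in %r" % reply)
        return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]
    m = _EPSV.match(reply)
    if m:
        port = int(m.group(2))
        if not 0 < port < 65536:
            raise ValueError("port out of range in %r" % reply)
        return None, port
    raise ValueError("not a passive-mode reply: %r" % reply)


def audit(lines, allowed=PASV_RANGE):
    """Return [(port, allowed?)] for every passive reply in a command-channel log."""
    results = []
    for line in lines:
        line = line.strip()
        if line.startswith(("227 ", "229 ")):
            _, port = data_port(line)
            results.append((port, port in allowed))
    return results


# Constructed sample log (server replies only); 192.0.2.10 is a documentation address.
SAMPLE_LOG = [
    "220 FTP server ready",
    "227 Entering Passive Mode (192,0,2,10,195,149)",
    "150 Opening data connection",
    "227 Entering Passive Mode (192,0,2,10,234,96)",
    "229 Entering Extended Passive Mode (|||50500|)",
]

if __name__ == "__main__":
    for port, ok in audit(SAMPLE_LOG):
        print(port, "inside opened range" if ok else "outside opened range")
```

A port reported outside the range means the server's passive range setting and the firewall rule do not match, which is the usual cause of a transfer that connects on port 21 and then hangs on the data channel.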


Re: JFileUpload with FTP - Firewall settings

Post by support »

For http://bugs.sun.com/bugdatabase/view_bu ... id=7077696, it seems that adding the following parameter to the applet parameters works since JRE 1.7_06:
<param name="java_arguments" value="-Djava.net.preferIPv4Stack=true">
