JDK-8023862 : deprecate HTTP proxying from RMI
  • Type: Enhancement
  • Component: core-libs
  • Sub-Component: java.rmi
  • Affected Version: 8
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2013-08-27
  • Updated: 2017-05-17
  • Resolved: 2013-10-24
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 8
8 b115Fixed
Related Reports
Relates :  
Relates :  
Relates :  
Relates :  
Relates :  
Relates :  
Description
Deprecate the HTTP proxying feature from RMI/JRMP, and disable HTTP proxying by default.

There are two phases of HTTP proxying in RMI/JRMP, each with a client side and a server side component.

1) RMI/JRMP first attempts a direct socket connection. If the direct socket connection fails in certain specific ways,
and if the http proxying properties are set, an attempt is made to make an HTTP connection using the proxy specified
by the httpProxy properties. If connection is successful, the RMI request is then tunneled through the HTTP connection.

2) If the proxied HTTP connection fails, an HTTP connection is attempted using a URL of the form:

    http://hostname/cgi-bin/java-rmi.cgi

and if this connection is successful, the RMI request is then tunneled through that connection.

Both of these phases of HTTP proxying of RMI/JRMP are to be deprecated, including both
client side and server side implementations.

Along with deprecation of this mechanism, they are to be disabled by default.
A system property java.rmi.server.disableHttp exists, whose default value is false. The default
value will be set to true, disabling the HTTP proxying.

This does not deprecate any actual classes or APIs. It will affect a number of documents, including a few places in the specification:

java.rmi.server package doc
java.rmi.server.RMISocketFactory
java.rmi properties (the disableHttp property)
sun.rmi properties (sun.rmi.transport.proxy.* properties)
RMI Specification, section 3.5 (primary), 10.2 and 10.4 (secondary)
RMI FAQ questions C.9 - C.13

Comments
Text for release notes: The default RMI socket factory will initially attempt a direct socket connection from the client to the server. If this attempt fails, under certain circumstances, the socket factory will attempt to tunnel the RMI request through an HTTP connection, and if that fails, the socket factory will then attempt to tunnel the request through by connecting to an HTTP/CGI URL. The latter two tunneling mechanisms are deprecated and may be removed in a future release. In addition, the tunneling is controlled by a system property java.rmi.server.disableHttp. Its default value is now true, meaning that HTTP tunneling is disabled by default. To re-enable HTTP tunneling, this property must be set to false.
08-10-2013