Read Me
What is the PHP/Java Bridge?
----------------------------
The PHP/Java Bridge is a network protocol which can be used to
connect PHP with a java or ECMA 335 VM.
Please read the ABOUT.HTM contained in the download archive or
http://php-java-bridge.sf.net for more information.
Build and execution instructions:
---------------------------------
NOTE: If you run Security Enhanced Linux, you must update the policy
and tag the files with the correct SEL contexts, please see below, or
please install the binary RPM instead.
In the directory php-java-bridge-p.x.y type:

    java -version         # 1.4.2 or above (JRE >= 1.6 recommended)
    gcc --version         # 3.2.3 or above (4.0.x recommended)
    apachectl -version    # Apache 1.3 or above (2.x recommended)
    php-config --version  # PHP 4.3.4 or above (5.x or 6.x recommended)
    make --version        # GNU make 3.79 or above

    phpize &&
    ./configure --with-java=/usr/java/default &&
    make &&
    su -c "sh install.sh"

If your administrator allows you to dynamically load extensions, you
can now test the extension by invoking the test.php with the
command: php ./test.php.
Please see the output of ./configure --help=recursive for further
configure options.
------------------------------------
Permanently activate the module
-------------------------------
The bridge consists of two parts, the "front-end", usually Apache,
PHP and our PHP java extension, and a "back-end". The following
describes how to start the back-end (if necessary) and how to configure
the front-end so that it connects to the back-end.
To permanently activate the extension for all users, please add the
following lines to the php.ini. Or add a file java.ini to the
directory that contains the PHP module descriptions, usually
/etc/php.d/, with the following content:

    extension = java.so ;; php_java.dll on windows

To direct the extension to a specific back-end, please add the
following lines to the php.ini. Or add a file java-<backend>.ini,
e.g. "java-tomcat.ini" or "java-standalone.ini" to the directory that
contains the PHP module descriptions, usually /etc/php.d/, with the
following content. Options:

1) java.socketname, java.hosts and java.servlet not set: local
back-end which starts automatically (default). Example #1:

    ;; empty

Example #2 uses java.java_home, java.java to set the java
executable.

    [java]
    java.java_home = /opt/jdk1.5
    java.java = /opt/jdk1.5/bin/java
    java.log_file = /var/log/php-java-bridge.log
    java.log_level = 2

2) java.socketname set: local system back-end started by the
system "php-java-bridge" service script. Example:

    [java]
    java.java_home = /opt/jdk1.5
    java.java = /opt/jdk1.5/bin/java
    java.log_file = /var/log/php-java-bridge.log
    java.log_level = 3
    java.socketname = /var/run/.php-java-bridge_socket

3) java.hosts set: external back-end(s) on different server
machines. The back-ends can be started on these servers with e.g.:
java -jar JavaBridge.jar. Example:

    [java]
    java.hosts = 192.168.5.203:9267 192.168.5.204:9267
    java.log_level = 3

4) java.hosts=127.0.0.1:<port> and java.servlet=User: user
back-end(s) deployed into a local j2ee application server with a shared
document root directory (see DocumentRoot setting in the
httpd.conf). Several JavaBridge back-ends, e.g. "MyBridge.war" or
"Bridge31.war", can coexist in the same j2ee server. If the Apache or
IIS server uses the same document root as the j2ee server, the
front-end automatically connects to the associated "MyBridge" or
"Bridge31" back-end. Example:

    [java]
    java.hosts = 127.0.0.1:8080
    java.servlet = User
    java.log_level = 3

5) java.hosts set and java.servlet=On: "JavaBridge.war" back-end
deployed into a j2ee application server or servlet engine. Example:

    [java]
    java.hosts = 127.0.0.1:8080
    java.servlet = On
    java.log_level = 3

6) Standalone java application (see JSR223) or AS or servlet engine
without Apache or IIS front-end. A PHP server can be started with the
command (e.g.):

    X_JAVABRIDGE_OVERRIDE_HOSTS="/" PHP_FCGI_CHILDREN="20" \
    PHP_FCGI_MAX_REQUESTS="500" php-cgi -c java.ini -b 127.0.0.1:9667

php-cgi starts automatically if no PHP server is listening on port 9667.

    [java]
    java.log_level = 3

After you have created the correct .ini entries, start the
back-end. Example for option:

    #1: Not needed, back-end starts automatically
    #2: /usr/sbin/php-java-bridge (see [note: SERVICE] below)
    #3: java -jar JavaBridge.jar INET:9267 3 php-java-bridge.log
    #4: service tomcat5 restart
    #5: service tomcat5 restart
    #6: Not needed, back-end is the calling VM

The Linux RPM binaries use the following options:

    php-java-bridge*.rpm            : Option #1
    php-java-bridge-standalone*.rpm : Option #2
    php-java-bridge-tomcat*.rpm     : Option #5
    php-java-bridge-devel*.rpm      : Option #6

Check the status:

    echo "<?php phpinfo()?>" | php | fgrep "java status"

Other configuration options which should have been set up by the
configure script but which can be changed later are:

    java.libpath    = <system dependent path to natcJavaBridge.so>
    java.classpath  = <system dependent path to JavaBridge.jar>
    java.java_home  = <system dependent path to the java install dir>
    java.java       = <system dependent path to the java binary>
    java.socketname = <local ("unix domain") communication channel>
    java.hosts      = <add. back-ends e.g.: server1:9267 server2:9268>
    java.servlet    = <On/Off/User>, see NEWS for version 3.0.2
    java.wrapper    = Reserved for OS vendor

Please first look at the output of phpinfo() to see the original
values.
---------------------------------------------
Starting the PHP/Java Bridge automatically
------------------------------------------
When the java.socketname and java.hosts options are not set, the web
server will start or re-start the bridge automatically as a sub
component when the HTTP service is started or re-started.
However, when running the bridge in a production environment, it is
recommended to use a J2EE back-end, Tomcat5 for example.
------------------------------------
Sample settings for Apache/Tomcat
---------------------------------
Assuming that tomcat is installed (e.g. in /opt/tomcat5),
MyJavaBridge.war is deployed (e.g. in /opt/tomcat5/webapps), java.so
(or php_java.dll) is installed in the php modules directory (e.g. in
/usr/lib/php/modules/), mod_jk and php5 are installed in the apache modules
directory (e.g. in /usr/lib/httpd/modules/), we recommend the following
settings:
The following settings in httpd.conf direct all .jsp requests to the
tomcat servlet engine and all .php requests to the php module:

httpd.conf:
----------

    LoadModule php5_module modules/libphp5.so
    LoadModule jk_module modules/mod_jk.so
    AddType application/x-httpd-php .php
    JkAutoAlias /opt/tomcat5/webapps
    JkMount /JavaBridge/*.jsp ajp13
    JkMount /JavaBridge/ ajp13

The following settings in php.ini direct all php "Java(...)" calls to
the tomcat servlet engine:

php.ini:
--------

    extension = java.so
    ;; on windows: extension = php_java.dll
    [java]
    java.hosts = "127.0.0.1:8080"
    java.servlet = User ;; or: /MyJavaBridge/JavaBridge.php

To check the above settings, please visit http://localhost/MyJavaBridge/
and run the sessionSharing.jsp and sessionSharing.php examples.
Please don't misunderstand the role of the mod_jk adapter.
It is only used to "mount" the tomcat webapps directory into apache and
to forward requests for .jsp files. The mod_jk adapter does this by
"copying" the non jsp files from the tomcat webapps directory into
the apache document root directory at run-time.
A more reasonable approach would be to remove mod_jk and to create a
shared web directory for tomcat and apache. This is the default since
Red Hat Fedora 4.
Most modern frameworks, Java Server Faces for example, require that
you manually forward to the "back-end", anyway. The code would look
like:

    <?php
    // ... application code ...
    function jsfValidateEntry($ctx, $arg, $value) { /* ... */ }
    // check if we're called from the framework, forward if call failed.
    java_context()->call(java_closure()) || header("Location: index.jsf");
    ?>

So you probably won't miss mod_jk's automatic forward.
------------------------------------
64 Bit issues
-------------
It is possible to compile the bridge into 64 bit code:

    phpize && ./configure --with-java=$JAVA_HOME
    make CFLAGS="-m64"

The scripts expect that the default JVM found in
$JAVA_HOME/bin/java is a 64 bit VM. Unfortunately this is not true
for the SUN JDK (Linux and Solaris) installation. The SUN JDK
installs the 64 bit VM in some sub-directory of $JAVA_HOME/bin. On
Solaris9 this is $JAVA_HOME/bin/sparcv9. The location on Linux may
depend on the architecture.
Since there is no standard installation directory and we cannot
blindly search all sub-directories, it is your job to direct the
bridge to the 64 bit JVM. The relevant php.ini entry is java.java,
see install instructions above.
---------------------------------------------
AS/Servlet with PHP CGI
-----------------------
Read the following instructions only if you don't want to use
Apache or IIS.
It is possible to run PHP from java. Unlike the JSR223 sample
implementation, which uses the JNI interface to load/call the native
PHP5 shared library, we use the Fast CGI interface to call the PHP
binary and use a local channel to connect the two components. This is
more reliable; in case a PHP instance crashes, it will not take down
the whole servlet engine or application server.
Please follow the AS or Tomcat installation instructions above, then
visit http://localhost:8080/JavaBridge and run the supplied JSP and PHP
examples.
If the parameter name "use_fast_cgi" is set to "Autostart" in the
web.xml and a fcgi server does not listen on port 9667 and a fcgi
binary can be found as either /usr/bin/php-cgi or /usr/bin/php or
c:/php5/php-cgi.exe, then the back-end automatically starts the fast
CGI server on this computer, with the command:

    cd $HOME
    export X_JAVABRIDGE_OVERRIDE_HOSTS="/"
    export PHP_FCGI_CHILDREN="20"
    export PHP_FCGI_MAX_REQUESTS="500"
    /usr/bin/php-cgi -b 127.0.0.1:9667

It starts when the VM starts and stops when the VM terminates.
If that failed, the bridge searches for a CGI binary called:

    php-cgi-<architecture>-<os>.exe or
    php-cgi-<architecture>-<os>.sh or
    php-cgi-<architecture>-<os>

in the directory WEB-INF/cgi/. On Unix the binary must be executable; it
is therefore recommended to always use a wrapper .sh script, for example:

    #!/bin/sh
    # This wrapper script reconstructs the executable permissions
    # which some zip or .war implementations do not preserve
    chmod +x ./php-cgi-i386-linux
    exec ./php-cgi-i386-linux

Please see the README located in the directory WEB-INF/cgi/ for
details.
The <architecture> and <os> values are calculated as follows:

    System.getProperty("os.arch").toLowerCase();
    System.getProperty("os.name").toLowerCase();

Please see the output of test.php for details.
It is also possible to adjust the php_exec setting (see
WEB-INF/web.xml), for example:

    <param-name>php_exec</param-name>
    <param-value>/usr/local/bin/php-cgi</param-value>

or

    <param-name>php_exec</param-name>
    <param-value>c:/PHP/php-cgi.exe</param-value>

In case your application server denies calling the CGI binary,
either start apache or IIS or start a fast CGI server on port 9667
as a separate process, for example from a service script.
On Unix the bridge uses named pipes. On Windows, where standard
named pipes are not available, the bridge uses TCP sockets. If your
application server denies socket accept/resolve, please either run the
AS on a Unix operating system or add the following lines to your AS
policy file (for example ...\domains\domain1\config\server.policy):

    grant {
        permission java.net.SocketPermission "*", "accept,resolve";
    };

------------------------------------
Loading on-demand with dl()
---------------------------
It is possible to load the bridge for each new request, for example
with:

    <?php
    if (!extension_loaded('java')) {
        if (!dl("java.so")) {
            exit(1);
        }
    }
    phpinfo();
    ?>

However, this feature is meant for testing only. For a production
system it is recommended to compile PHP in safe mode (which switches
off the dl() function) and to activate all modules in the global
PHP ini file.
------------------------------------
Recognized CFLAGS
-----------------
During compilation you can use the following CFLAGS.
* -DJAVA_COMPILE_DEBUG: Enables the assert() statement and other
debug code.
* -DJAVA_COMPILE_DEBUG -O0 -g3: Include full debug information into
the binary.
* -m64: Build 64 bit code. Required if you run a 64 bit JVM.
* -m32: Build 32 bit code. Required if you run a 32 bit JVM on a 64
bit system.
* -DCFG_JAVA_SOCKET_INET: Disables local ("unix domain") sockets on
systems which support them.
Example: make CFLAGS="-O0 -g3"
------------------------------------
Log levels
----------
You can set the java.log_level to 6 values:

    0: Log nothing, not even fatal errors.
    1: Log fatal system errors such as "out of memory error".
    2: Log java exceptions.
    3: Log verbose, e.g.: "loading jar xyz.jar from http://xy.com"
    4: Log debug messages, including the c/s communication protocol.
    5: Log method invocations.

The default log level is 2. If java.log_level is missing, the
back-end uses the "default" log level supplied when the back-end was
started (the second argument after java -jar JavaBridge.jar ...).
---------------------------------------------
GCJ/GNU Java issues
-------------------
Running the PHP/Java Bridge under GCJ ("GNU Java") is supported on Linux
and Solaris only. If you run FreeBSD 5.3, please use Sun, Blackdown
or IBM java instead.
------------------------------------
Security Enhanced Linux
-----------------------
SELinux is an implementation of a flexible and fine-grained
mandatory access control architecture implemented in the Linux kernel.
A system component running on a SELinux kernel must declare
exactly a) which resources of the operating system it needs in order
to function properly and b) what it provides to other components.
The PHP/Java Bridge distribution contains two policy files,
"php-java-bridge.te" and "php-java-bridge.fc". The
"php-java-bridge.te" declares the javabridge_t domain and the
resources it requires. httpd and user domains are granted connect,
read and write to the PHP/Java Bridge server socket, which is
"@var/run/.php-java-bridge_socket" in the Linux abstract name-space,
and file create/read/write in the tmp_t. Everything else (connections
to other servers, file access, ...) is currently denied.
The "php-java-bridge.fc" contains the file contexts for the PHP/Java
Bridge and the log.
Installation instructions for RHEL 4 and Fedora Core 4:
-------------------------------------------------------
1. Install selinux-policy-targeted-sources-*.rpm, for example with
the command:

    rpm -i selinux-policy-targeted-sources-1.17.30-2.19.noarch.rpm

2. Update the policy files with the PHP/Java Bridge policy:

    su -c "sh security/update_policy.sh /etc/selinux/targeted/src/policy"

Installation instructions for RHEL 5, Fedora Core 5 or above:
-------------------------------------------------------------
1. Create the binary policy with the command:

    cd security/module; make

2. Inject the rules into the kernel, either the php-java-bridge-tomcat.pp
or the php-java-bridge.pp. For example:

    semodule -i php-java-bridge.pp

3. The rules apply to the javabridge_t domain. Another rule
specifies that when an executable is called from the initrc_t domain
and the executable is tagged as javabridge_exec_t, a domain transition
to javabridge_t occurs. It is therefore important that RunJavaBridge
is tagged with javabridge_exec_t and that it is called from the
initrc_t domain:

    chcon -t javabridge_exec_t /usr/lib/php/modules/RunJavaBridge
    chcon -t initrc_exec_t /etc/init.d/php-java-bridge

4. The policy module can be removed with the command:

    semodule -r javabridge

If the default policy is too restrictive and e.g. you want to use
the PHP/Java Bridge to connect to your J2EE server, you can
temporarily set the policy to "permissive", for example with the
command "setenforce Permissive". Connect to the server, then extract
the permissions from the audit log, for example with the command
"audit2allow -l -i /var/log/audit/audit.log", then append them at the
end of the "php-java-bridge.te" file and load the updated policy into
the kernel. Don't forget to switch back, for example with "setenforce
Enforcing".
[note: SERVICE] A domain transition occurs only if the RunJavaBridge
executable is called from the initrc_t domain. If you want to start
the /usr/sbin/php-java-bridge script manually, use runcon or newrole:

    su -                                     # become super user
    newrole -t initrc_t                      # change domain
    kill `cat /var/run/php-java-bridge.pid`  # kill old executable
    /usr/sbin/php-java-bridge                # start new back-end

Please note that SEL security is orthogonal to the standard Unix
security. For example you could also put the java process into
a "jail"; set up a user account with restricted rights, change the
owner of RunJavaBridge and set the SUID bit:

    chown apache:apache /usr/lib/php/modules/RunJavaBridge
    chmod 6111 /usr/lib/php/modules/RunJavaBridge

The java process would run with the limited rights of apache *and* be
protected by the SEL policy.
------------------------------------
Security issues
---------------
The bridge uses abstract local sockets, named pipes (located in
/dev/shm/ or /tmp/) or local TCP sockets as communication channels.
It is recommended to use the local back-end on a Unix machine which
supports abstract local ("unix domain") sockets or named pipes. On
these systems the communication channel is not visible and cannot be
attacked. If you are running a Security Enhanced Linux kernel, which
is standard since RHEL4 or FC3, the back-end is also protected by the
SEL policy. The servlet back-end uses a HTTP tunnel to execute one
statement and then switches to named pipes for the rest of the
communication.
On other systems, such as Windows and Mac OSX, the bridge opens a
local TCP port: 9167 (MonoBridge.exe), 9267 (JavaBridge.jar), 9567
(JavaBridge.war) or 9667 (FastCGI). Please make sure that the ports in
the range [9167, ..., 9667] cannot be accessed from the Internet.
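
A check for the port advice above, as an added example that is not part
of the PHP/Java Bridge distribution. It flags listeners in this README's
port range that are bound to a non-loopback address, and java.hosts
entries that point at another machine; the function names and the sample
input are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the PHP/Java Bridge distribution.
# The port range 9167..9667 is the one named in this README.

# Read `ss -H -ltn` output on stdin and print "port address" for every
# listener in the bridge range that is not bound to a loopback address.
exposed_bridge_ports() {
    awk '
    $1 == "LISTEN" {
        n = split($4, part, ":")        # the port follows the last colon
        port = part[n] + 0
        addr = substr($4, 1, length($4) - length(part[n]) - 1)
        if (port < 9167 || port > 9667) next
        if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./) next
        print port, addr
    }'
}

# Read a php.ini or java.ini on stdin and print every java.hosts entry
# that points at a non-loopback back-end (option 3 in this README).
remote_backends() {
    awk '
    /^[ \t]*java\.hosts[ \t]*=/ {
        sub(/^[^=]*=/, "")              # drop the key
        sub(/;.*/, "")                  # drop a trailing ";;" comment
        gsub(/"/, "")                   # the value may be quoted
        for (i = 1; i <= NF; i++)
            if ($i !~ /^(127\.|localhost:|\[::1\])/) print $i
    }'
}

# Constructed sample of `ss -H -ltn` output.
SS_SAMPLE='LISTEN 0 128 127.0.0.1:9667 0.0.0.0:*
LISTEN 0 50  0.0.0.0:9267 0.0.0.0:*
LISTEN 0 50  [::]:9567 [::]:*
LISTEN 0 128 [::1]:9167 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Constructed ini fragment that reuses example values from this README.
INI_SAMPLE='[java]
java.hosts = 192.168.5.203:9267 127.0.0.1:8080 ;; mixed on purpose
java.log_level = 3'

echo "bridge listeners reachable beyond loopback:"
printf '%s\n' "$SS_SAMPLE" | exposed_bridge_ports
echo "back-ends reached over the network:"
printf '%s\n' "$INI_SAMPLE" | remote_backends

# On a live host: ss -H -ltn | exposed_bridge_ports
```

Any line printed by exposed_bridge_ports is a port that needs a firewall
rule or a loopback-only bind before the host is reachable from outside.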
------------------------------------
Loading user classes and libraries
----------------------------------
Although it is possible to manipulate the java.classpath to direct
java to individual classes, this "feature" should not be used.
Pure java libraries (or shared libraries under GNU Java "gcj") should be
stored in one of the system directories, either /usr/share/java (or one of
its sub-directories) or java.libpath/lib (or one of its sub-directories)
or WEB-INF/lib (when the back-end is deployed as a web application) and
they shall have the following name: <name>-<version>.jar. For example:
/usr/share/java/batStore/batStore-1.0.jar.
The global repository /usr/share/java should be used if the library
is for general interest, otherwise the java.libpath/lib repository may
be used. Please look up the java.libpath from the output
of the test.php or from phpinfo().
When Security Enhanced Linux is configured to allow the PHP/Java
Bridge to make HTTP URL connections to different servers or if
Security Enhanced Linux is switched off in the Linux kernel, java
libraries may also be loaded from HTTP URLs.
Java libraries can be created from .class files with the following
command:

    jar cvf myLibrary-0.1.jar *.class

The libraries can be linked into the PHP files at run-time with the
command:

    java_require("<library1>;<libraryN>");

Note that <library> can also be a directory containing either .class
or .jar files.
For example:

    <?php
    // process order
    java_require("j2ee.jar;batStore/batStore-1.0.jar");
    order(...);
    ?>

Minor upgrades can be installed at run-time. When the dynamic loader
detects that the time stamp of the .jar file has changed, it
automatically loads the new version.
Note that the dynamic loader can only load pure java libraries,
unless GNU Java is used. Java libraries which use the java native
interface ("JNI") must be placed in /usr/java/packages/lib/ext/ (if JDK
1.6 or higher is used) or hard-coded via java.classpath. The JNI
libraries themselves can be installed in java.libpath.
------------------------------------
Sun java platform issues
------------------------
The sun java platform does not support java "modules". This causes
certain problems when running java programs. When you compile a class
foo which references a class bar and ship the class foo without
providing bar, the sun java platform will not complain unless the user
accidentally calls a method which references the non-existing class. If
this happens, a "NoClassDefFound" error is thrown. This error may
not(!) indicate which class is missing and it certainly does not
indicate which external library is missing. The tests.php4 folder
contains two tests, noClassDefFound.php and noClassDefFound2.php which
demonstrate this.
To avoid this problem please document *exactly* (including the
version number) which external libraries (.jar files) your software
needs. If you have written software where certain methods require an
optional library, please document this in the method header.
------------------------------------
PHP 5 issues
------------
All PHP 5 versions < 5.0.4 crash when the dl() function is
used. They first unload the module and then try to invoke its
shutdown method.
If you use one of these versions, please add an entry to the
php.ini, see install instructions above.
------------------------------------
UTF-8
-----
Since PHP does not support Unicode, the PHP/Java Bridge uses UTF-8 to
convert characters into the host representation. All strings are
created with new String(..., "UTF-8") and all internal String->byte[]
conversions use getBytes("UTF-8").
If you have old PHP files which are not UTF-8 encoded, you can
change the default encoding with java_set_file_encoding(). For
example:

    java_set_file_encoding("ISO-8859-1");

For a list of available encodings please see the documentation of
the JVM's file.encoding system property.
The java_set_file_encoding() primitive only affects java.lang.String
creation and internal conversions, it does not alter the JVM's
file.encoding system property nor does it change the behaviour of
methods which use the file.encoding property, getBytes() for
example. If you use:

    $str=new Java ("java.lang.String", "Cześć! -- שלום -- Gr");
    echo $str->getBytes();

the output conversion depends on the file.encoding system property
which in turn depends on the process' LANG environment variable. You
can check the file.encoding with the test.php script, see above.
To be portable please do not use conversions which depend on the
JVM's file.encoding. They are easy to avoid, the above example
should be written as:

    $str=new Java ("java.lang.String", "Cześć! -- שלום -- Gr");
    echo (string)$str;      // in PHP5 or higher
    echo $str->toString();  // in PHP4

------------------------------------
Mailing List
------------
Please report bugs/problems to the mailing list:
php-java-bridge-users@lists.sourceforge.net