38

I have a Java server that opens up a socket using ServerSocket (using Thrift with it). This server has a client on the local machine in Obj-c that communicates with the Java server. Everything happens on localhost. Right now the java server is visible on the network as well, I would like the java server to only be accessible on localhost. Otherwise it is a potential security vulnerability and it freaks users out when their firewall warns them.

I tried creating the server socket using an InetSocketAddress('localhost', 9090) but that seems to have no effect. How can I limit this thing to localhost?

Matt Ronge
  • 381
  • 1
  • 3
  • 3
  • If the server's only accessible on localhost, how will the clients access it? I don't understand the setup. – Kaleb Brasee Feb 05 '10 at 04:41
  • 3
    @Kaleb - quoting the question: "This server has a client on the local machine ... Everything happens on localhost". – Stephen C Feb 05 '10 at 05:05
  • Check this other question and the given answers: [How to determine an incoming connection is from local machine](http://stackoverflow.com/questions/1542424/how-to-determine-an-incoming-connection-is-from-local-machine) – Abel Morelos Feb 05 '10 at 04:53

4 Answers4

44

Taken from another question:

new ServerSocket(9090, 0, InetAddress.getByName(null));

InetAddress.getByName(null) points to the loopback address (127.0.0.1)

And here's the Javadoc where it says that

Community
  • 1
  • 1
Tute
  • 6,943
  • 12
  • 51
  • 61
  • 6
    Tried on android, getByName(null) does not work (can't connect to socket opened this way no matter what). getByname("127.0.0.1") does work, works instantly and is IMHO more readable and 'portable' – Gena Batsyan Jun 03 '13 at 16:43
  • 2
    Just found this. Interesting. And now there's the method `InetAddress.getLoopbackAddress()` – JayC667 Jul 11 '17 at 14:40
  • I tried InetAddress.getLocalHost() but that did not work; no connections were accepted. .getByname("127.0.0.1") worked, though. Weird. – Per Lindberg May 14 '20 at 14:02
28

Let me chime in with an alternative solution which only accepts on loopback device. All the other "localhost" solutions will make Java pick an interface.

new ServerSocket(9090, 0, InetAddress.getLoopbackAddress());

This is available since Java 7, and does not even throw UnknownHostException

MartyIX
  • 27,828
  • 29
  • 136
  • 207
Fabian Lange
  • 1,786
  • 1
  • 14
  • 18
22

Try

new ServerSocket(9090, 0, InetAddress.getByName("localhost"))

The last parameter to the constructor specifies which address to bind the listening socket to.

Geoff Reedy
  • 34,891
  • 3
  • 56
  • 79
  • 6
    +1 - but bear in mind that some machines don't understand "localhost". So using the IP address 127.0.0.1 is probably more robust. – Stephen C Feb 05 '10 at 05:11
  • Is that really how that constructor works? I had posted that suggestion, but after rereading the description, thought that it sounds like that constructor just chooses only one network connection to accept connections on, instead of all of them (if the system has more than one network device). – Kaleb Brasee Feb 05 '10 at 13:38
  • 3
    @Stephen that could cause problems in the future with a host that is primarily IPv6 or even IPv6 only. – Geoff Reedy Feb 05 '10 at 14:22
  • @Kaleb yeah, in principle the localhost address is considered to be a separate network device, usually referred to as the loopback device. – Geoff Reedy Feb 05 '10 at 14:23
  • @Geoff - so either you are screwed because some (real windows) machine does not have a "localhost" entry, or because some (hypothetical) machine is does not support IPv4. – Stephen C Feb 05 '10 at 22:32
  • -1 for believing "localhost" is always mapped to the local machine. – shinkou Feb 08 '10 at 01:49
  • 2
    @shinkou It certainly *should* be, although there have been distributions of major operating systems where it wasn't. I would be downvoting those distributors rather than this answer. – user207421 Mar 09 '13 at 04:19
  • 7
    Why not use InetAddress.getLocalHost()? http://docs.oracle.com/javase/1.4.2/docs/api/java/net/InetAddress.html#getLocalHost() – 1800 INFORMATION Aug 14 '13 at 02:16
  • @1800INFORMATION No, InetAddress.getLocalHost() is not the same as the loopback address. Its the address of the "local host", not "localhost". – Raman Feb 03 '16 at 23:48
4
new ServerSocket(9090, 0, InetAddress.getByName(null));
msrd0
  • 7,816
  • 9
  • 47
  • 82
user207421
  • 305,947
  • 44
  • 307
  • 483