Friday, February 18, 2011

Java SFTP server review - current state

The life goes on, the new tasks emerge and new research challenges appear.

This time we got the 'heritage' - strangely coupled old system with unclear signal paths (write/poll filesystem instead of doing a local notification call), weird predicates (the file is considered uploaded as soon as 1 hour passes from the start of the upload) and really bad heterohenous design.

The target of the system is get some files uploaded via SFTP (SSH File Transfer Protocol) protocol and process them with some rules, producing output files and making them accessible via the same SFTP. As most of the system is written in Java, we decided to try find the Java SFTP Server to replace part of the existing system. Good things about such an rearchitecturing:
  • Making signals simple.
  • Having control over filesystem, clients and authentication.
  • Introduce uniform build and deploy procedures for the whole system.
A little trouble is that one should distinguish between SFTP and FPTS (FTP over SSL) protocols, as they are completely different.

Having all that in mind, with the good mood we started our little research. Found out some libraries:
  • Apache Mina SSHD. Sister project of the Apache FtpServer, this one looks really good in terms of the object design and operation. Code is yet a little fresh, but object breakup is really awesome. We collected our server with the Spring beans and that was pretty easy - to replace the key provider, specify key storage, authenticator and more more other things.
    If you don't want to bother configuring it yourself, the factory gives you pretty good result as it is.
    Being a generic SSH server, Apache SSHD is capable of running SCP and SFTP. Unfortunately, SFTP support is now outdated, and supports only the protocol version 3 (current is 5 or 6). :( We could not use it for the project, as for us it is crucial to have WinSCP support in, and that does not work with protocol v3. After asking about new version guys on the mailing list told me that it'd be awesome if someone implemented that. Who knows if I have some free time, why not? :0
    License is strict GPL
  • SshTools is another implementation of the same. Has declared support of the SFTP, SSH and lots of other stuff. Designed pretty good too, has also notion of virtual file system which is very useful if one needs to move storage to DB or process files on the fly. On the other hand, has few documentation and is also licensed under GPL
  • JavaSecureFTPd the project is dead as the stone is. GPL, but no one cares :)
  • J2SSH Maverick commercial; we did not ever try it, but the rumor says it is pretty good. Has all necessary protocol support.
So, for now situation looks following way - if you have a java app and need to embed SFTP server functionality to it, you either need to try SshTools, help Apache SSHD with the new protocol ;) or pay money for the commercial one.

Not yet sure what we stick to...


Anonymous said...

I'd think that Apache Mina SSHD uses the Apache License, not GPL.

Alexander said...

Thanks for the comment; you are right :)

Shelly Towns said...

Great post...I will be bookmarking it for future reference. What is your opinion on SFTP file transfer services? I have been using which I like a lot. Wanted to get your take on it. thx!

Sarah Hill said...

Thanks for the tips Alex. Btw Shelly, I use as well and I find it better than anything I've used in the past. I'd stick with it.

Alexander said...

Hello Shelly! Haven't used blog for a while.

Unfo I don't use any 3rd party services; here at our company we do have our own server storage which is accessible from outside, we use private ftps storage for customers and have it open in the company internal network.