Solved

Java RMI and security

Posted on 1998-07-02
Last Modified: 2013-12-22
I am writing a client/server application in Java with RMI as the communication method. Could you give me some ideas or references on implementing a secure connection between client and server? At the minimum I need authentication of the client logging in to the server, where the server has the password file (and I do not want to send a password across the network). So how do you implement authentication in Java?

And it is desirable to encrypt all the information exchanged between the client and the server.  I understand that java.security package provides means to do that but I would like to do as little as possible at the application layer.

Since RMI makes the details of network communications invisible to the user one would think that encrypting and decrypting data should also be implemented in that network layer (similarly to how it is done in SSL where security is built into the protocol and is not maintained on the application layer). So are there any RMI varieties which provide secure data exchange?
Question by:msmolyak
Accepted Solution

by:
fontaine earned 50 total points
ID: 1224507
You can do RMI over SSL like this:

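import java.io.*;
import java.net.*;
import java.rmi.server.*;

// Socket factory that makes RMI open SSL sockets instead of plain ones.
// SSLSocket and SSLServerSocket are the vendor-supplied classes described below.
public class SSLRMISocketFactory extends RMISocketFactory {

    // Used by RMI for outgoing (client-side) connections.
    public Socket createSocket(String host, int port) throws IOException {
        return new SSLSocket(host, port);
    }

    // Used by RMI for the listening (server-side) socket.
    public ServerSocket createServerSocket(int port) throws IOException {
        return new SSLServerSocket(port);
    }

}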

where SSLSocket and SSLServerSocket are SSL socket and server socket classes that
several companies have developed. Take a look at:

http://www.phaos.com
http://jcewww.iaik.tu-graz.ac.at/iSaSiLk/isasilk.htm

Now in your app., you write:

try {
    RMISocketFactory.setSocketFactory(new SSLRMISocketFactory());
} catch (IOException ex) {
    ex.printStackTrace();
}

in order to set RMI up to use the SSL sockets.

With JDK < 1.2, as there is no custom socket type, one RMISocketFactory is set for the entire Java VM and all objects must communicate using SSL sockets. With JDK 1.2, this is no longer true.

The following pages are from SUN:
http://java.sun.com/products/jdk/1.2/docs/guide/rmi/SSLInfo.html

Example Using RMI with Phaos' SSLava:
http://java.sun.com/products/jdk/1.2/docs/guide/rmi/PhaosExample.html
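
The per-object socket factories that JDK 1.2 introduced, shown as an added example (not part of the original answer) that uses the JDK's own javax.rmi.ssl factories found in current JDKs in place of a vendor SSLSocket class. Requiring a client certificate authenticates the client during the TLS handshake, so no password crosses the network; the Account interface, port 2099, the binding name and the keystore placeholders are assumptions of this example.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

// Added example. Run each side with the standard JSSE system properties, e.g.
//   java -Djavax.net.ssl.keyStore=<keystore> -Djavax.net.ssl.keyStorePassword=<password> \
//        -Djavax.net.ssl.trustStore=<truststore> -Djavax.net.ssl.trustStorePassword=<password> \
//        SecureRmiDemo server        (then the same command with "client")
public class SecureRmiDemo {
    static final int PORT = 2099;            // constructed port for this example
    static final String NAME = "account";    // constructed binding name

    // Hypothetical remote interface, defined only for this example.
    public interface Account extends Remote {
        String owner() throws RemoteException;
    }

    static class AccountImpl implements Account {
        public String owner() { return "demo-owner"; }
    }

    // Static references keep the exported object and registry from being collected.
    static Account impl;
    static Registry registry;

    public static void main(String[] args) throws Exception {
        SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
        if (args.length > 0 && args[0].equals("server")) {
            // null, null = JDK default cipher suites and protocols;
            // true = the handshake fails unless the client presents a trusted certificate.
            SslRMIServerSocketFactory ssf = new SslRMIServerSocketFactory(null, null, true);
            impl = new AccountImpl();
            // Only this object and this registry use TLS; other exports are unaffected.
            Account stub = (Account) UnicastRemoteObject.exportObject(impl, 0, csf, ssf);
            registry = LocateRegistry.createRegistry(PORT, csf, ssf);
            registry.rebind(NAME, stub);
            System.out.println("TLS registry with client authentication on port " + PORT);
        } else {
            // The client's keystore supplies the certificate the server demands.
            Registry remote = LocateRegistry.getRegistry("localhost", PORT, csf);
            Account account = (Account) remote.lookup(NAME);
            System.out.println("owner = " + account.owner());
        }
    }
}
```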
Author Comment

by:msmolyak
ID: 1224508
Thanks for an answer!

Several additional questions if you don't mind.

1. Do I need to install any software on the client and/or server side to use the SSL sockets you described above (besides Java class libraries implementing them)?

2. Will SSL sockets be part of JDK 1.2, or does the new version of JDK simply allow more flexibility in deciding which sockets to use?

3. Why would I need that flexibility? What's wrong with using SSL sockets throughout my application?
Expert Comment

by:fontaine
ID: 1224509
I never did RMI over SSL myself, but from what I read:

For (1), provided that the classes are 100% Java, I don't think there is anything special
to install. Some implementations use JNI. In this case, you need to install the DLL.

For (2), from what I understand, JDK 1.2 only provides the ability to use custom socket
types but does not provide socket types other than those that currently exist.

For (3), currently, if you use SSL sockets, all the communications will have to use SSL. I
suppose that the major disadvantage to this is performance. If you have already bought something
on the Net on a site using SSL, you will already have noticed that the performance of that part
of the site was very poor.

I think that one of the problems with SSL sockets is the cost of the 100% Java libraries.
In that respect, I already tried to use an https URL from within an applet with N4.0 and IE 4.0
and I didn't get a MalformedURLException (I didn't try a real connection as I don't have a
Web server understanding https at hand). This protocol then seems to be understood by
these browsers. That's good to know if you have heavy cost constraints on your project.

Good luck,
Bertrand Fontaine