Solved

Java RMI and security

Posted on 1998-07-02
3
437 Views
Last Modified: 2013-12-22
I am writing a client/server application in Java with RMI as the communication method. Could you give me some ideas or references on implementing a secure connection between client/and server. At the minimum I need an authentication of the client logging in into the server, where the server has the password file (and I do not want to send a password accross the network). So how do you implement authentication in java?

And it is desirable to encrypt all the information exchanged between the client and the server.  I understand that java.security package provides means to do that but I would like to do as little as possible at the application layer.

Since RMI makes the details of network communications invisible to the user one would think that encrypting and decrypting data should also be implemented in that network layer (similarly to how it is done in SSL where security is built into the protocol and is not maintaned on the application layer). So are there any RMI varieties which provide secure data exchange?
0
Comment
Question by:msmolyak
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 5

Accepted Solution

by:
fontaine earned 50 total points
ID: 1224507
You can do RMI over SSL like this:

import java.io.*;
import java.net.*;
import java.rmi.server.*;

public class SSLRMISocketFactory extends RMISocketFactory {

    public Socket createSocket(String host, int port) throws IOException {
        return new SSLSocket(host, port);
    }

    public ServerSocket createServerSocket(int port) throws IOException {
        return new SSLServerSocket(port);
    }

 }

where SSLSocket and SSLServerSocket are SSL socket and server socket classes that
several companies have developed. Take a look at:

http://www.phaos.com
http://jcewww.iaik.tu-graz.ac.at/iSaSiLk/isasilk.htm

Now in your app., you write:

try {
       RMISocketFactory.setSocketFactory(new SSLRMISocketFactory());
} catch (IOException ex) {
       ex.printStackTrace();
}

in order to set RMI up to use the SSL sockets.

With JDK < 1.2, as there is no custom socket type, one RMISocketFactory is set for the entire Java VM and all objects must communicate using SSL sockets.  With JDK 1.2, this is no
more true.

The following pages are from SUN:
http://java.sun.com/products/jdk/1.2/docs/guide/rmi/SSLInfo.html

Example Using RMI with Phaos' SSLava:
http://java.sun.com/products/jdk/1.2/docs/guide/rmi/PhaosExample.html
0
 
LVL 5

Author Comment

by:msmolyak
ID: 1224508
Thanks for an answer!

Several additional questions if you don't mind.

1. Do I need to install any software on the client and/or server side to use the SSL sockets you described above (besides Java class libraries implmeneting them)?

2. Will SSL sockets be part of JDK 1.2 or the new version of JDK simply allows more flexibility in deciding which sockects to use?

3. Why would I need that flexibility? What's wrong with using SSL socets throughout my application?
0
 
LVL 5

Expert Comment

by:fontaine
ID: 1224509
I never did RMI over SSL myself, but from what I read:

For (1), provided that the classes are 100% Java, I don't think there is something special
to install. Some implementations use JNI. In this case, you need the install the dll.

For (2), from what I understand, JDK 1.2 only provides the ability to use custom socket
types but do not provide other socket types than what currently exists.

For (3), currently, if you use SSL sockets, all the communications will have to use SSL. I
suppose that the major disadvantage to this is performance. If you already bought something
on the Net on a site using SSL, you already remarked that the performances of that part
of the site were very poor.

I think that one of the problems with SSL sockets is the cost of the 100% Java libraries.
In that aspect, I already tried to use https URL from withing an applet with N4.0 and IE 4.0
and I didn't get a MalformedURLException (I didn't try a real connection as I don't have a
Web server understanding https by hand). This protocol seems then to be understood by
these browsers. That's good to know if you have heavy cost contraints on your project.

Good luck,
Bertrand Fontaine
0

Featured Post

Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
maven module vs maven project 3 73
ejb stateless example 2 42
Chrome and Firefox Java 5 67
how to debug htl and js pages 8 54
By the end of 1980s, object oriented programming using languages like C++, Simula69 and ObjectPascal gained momentum. It looked like programmers finally found the perfect language. C++ successfully combined the object oriented principles of Simula w…
Go is an acronym of golang, is a programming language developed Google in 2007. Go is a new language that is mostly in the C family, with significant input from Pascal/Modula/Oberon family. Hence Go arisen as low-level language with fast compilation…
Viewers will learn about arithmetic and Boolean expressions in Java and the logical operators used to create Boolean expressions. We will cover the symbols used for arithmetic expressions and define each logical operator and how to use them in Boole…
This video teaches viewers about errors in exception handling.

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question