Expiring Today—Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Java RMI and security

Posted on 1998-07-02
3
Medium Priority
?
463 Views
Last Modified: 2013-12-22
I am writing a client/server application in Java with RMI as the communication method. Could you give me some ideas or references on implementing a secure connection between client/and server. At the minimum I need an authentication of the client logging in into the server, where the server has the password file (and I do not want to send a password accross the network). So how do you implement authentication in java?

And it is desirable to encrypt all the information exchanged between the client and the server.  I understand that java.security package provides means to do that but I would like to do as little as possible at the application layer.

Since RMI makes the details of network communications invisible to the user one would think that encrypting and decrypting data should also be implemented in that network layer (similarly to how it is done in SSL where security is built into the protocol and is not maintaned on the application layer). So are there any RMI varieties which provide secure data exchange?
0
Comment
Question by:msmolyak
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 5

Accepted Solution

by:
fontaine earned 150 total points
ID: 1224507
You can do RMI over SSL like this:

import java.io.*;
import java.net.*;
import java.rmi.server.*;

public class SSLRMISocketFactory extends RMISocketFactory {

    public Socket createSocket(String host, int port) throws IOException {
        return new SSLSocket(host, port);
    }

    public ServerSocket createServerSocket(int port) throws IOException {
        return new SSLServerSocket(port);
    }

 }

where SSLSocket and SSLServerSocket are SSL socket and server socket classes that
several companies have developed. Take a look at:

http://www.phaos.com
http://jcewww.iaik.tu-graz.ac.at/iSaSiLk/isasilk.htm

Now in your app., you write:

try {
       RMISocketFactory.setSocketFactory(new SSLRMISocketFactory());
} catch (IOException ex) {
       ex.printStackTrace();
}

in order to set RMI up to use the SSL sockets.

With JDK < 1.2, as there is no custom socket type, one RMISocketFactory is set for the entire Java VM and all objects must communicate using SSL sockets.  With JDK 1.2, this is no
more true.

The following pages are from SUN:
http://java.sun.com/products/jdk/1.2/docs/guide/rmi/SSLInfo.html

Example Using RMI with Phaos' SSLava:
http://java.sun.com/products/jdk/1.2/docs/guide/rmi/PhaosExample.html
0
 
LVL 5

Author Comment

by:msmolyak
ID: 1224508
Thanks for an answer!

Several additional questions if you don't mind.

1. Do I need to install any software on the client and/or server side to use the SSL sockets you described above (besides Java class libraries implmeneting them)?

2. Will SSL sockets be part of JDK 1.2 or the new version of JDK simply allows more flexibility in deciding which sockects to use?

3. Why would I need that flexibility? What's wrong with using SSL socets throughout my application?
0
 
LVL 5

Expert Comment

by:fontaine
ID: 1224509
I never did RMI over SSL myself, but from what I read:

For (1), provided that the classes are 100% Java, I don't think there is something special
to install. Some implementations use JNI. In this case, you need the install the dll.

For (2), from what I understand, JDK 1.2 only provides the ability to use custom socket
types but do not provide other socket types than what currently exists.

For (3), currently, if you use SSL sockets, all the communications will have to use SSL. I
suppose that the major disadvantage to this is performance. If you already bought something
on the Net on a site using SSL, you already remarked that the performances of that part
of the site were very poor.

I think that one of the problems with SSL sockets is the cost of the 100% Java libraries.
In that aspect, I already tried to use https URL from withing an applet with N4.0 and IE 4.0
and I didn't get a MalformedURLException (I didn't try a real connection as I don't have a
Web server understanding https by hand). This protocol seems then to be understood by
these browsers. That's good to know if you have heavy cost contraints on your project.

Good luck,
Bertrand Fontaine
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction This article is the first of three articles that explain why and how the Experts Exchange QA Team does test automation for our web site. This article explains our test automation goals. Then rationale is given for the tools we use to a…
In this post we will learn how to make Android Gesture Tutorial and give different functionality whenever a user Touch or Scroll android screen.
Viewers learn about the third conditional statement “else if” and use it in an example program. Then additional information about conditional statements is provided, covering the topic thoroughly. Viewers learn about the third conditional statement …
Viewers learn how to read error messages and identify possible mistakes that could cause hours of frustration. Coding is as much about debugging your code as it is about writing it. Define Error Message: Line Numbers: Type of Error: Break Down…
Suggested Courses

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question