Solved

Java RMI and security

Posted on 1998-07-02
Last Modified: 2013-12-22
I am writing a client/server application in Java with RMI as the communication method. Could you give me some ideas or references on implementing a secure connection between client and server? At the minimum I need an authentication of the client logging in to the server, where the server has the password file (and I do not want to send a password across the network). So how do you implement authentication in Java?

And it is desirable to encrypt all the information exchanged between the client and the server. I understand that the java.security package provides means to do that but I would like to do as little as possible at the application layer.

Since RMI makes the details of network communications invisible to the user one would think that encrypting and decrypting data should also be implemented in that network layer (similarly to how it is done in SSL where security is built into the protocol and is not maintained on the application layer). So are there any RMI varieties which provide secure data exchange?
Question by:msmolyak
Accepted Solution

by:
fontaine earned 50 total points
ID: 1224507
You can do RMI over SSL like this:

import java.io.*;
import java.net.*;
import java.rmi.server.*;

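// SSLSocket and SSLServerSocket are the vendor-supplied SSL classes
// described below; import them from the SSL library you choose.
public class SSLRMISocketFactory extends RMISocketFactory {

    // Client side: every outgoing RMI connection is opened as an SSL socket.
    public Socket createSocket(String host, int port) throws IOException {
        return new SSLSocket(host, port);
    }

    // Server side: exported objects accept connections on an SSL server socket.
    public ServerSocket createServerSocket(int port) throws IOException {
        return new SSLServerSocket(port);
    }

}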

where SSLSocket and SSLServerSocket are SSL socket and server socket classes that
several companies have developed. Take a look at:

http://www.phaos.com
http://jcewww.iaik.tu-graz.ac.at/iSaSiLk/isasilk.htm

Now in your app., you write:

try {
    RMISocketFactory.setSocketFactory(new SSLRMISocketFactory());
} catch (IOException ex) {
    ex.printStackTrace();
}

in order to set RMI up to use the SSL sockets.

With JDK < 1.2, as there is no custom socket type, one RMISocketFactory is set for the entire Java VM and all objects must communicate using SSL sockets. With JDK 1.2, this is no longer true.

The following pages are from SUN:
http://java.sun.com/products/jdk/1.2/docs/guide/rmi/SSLInfo.html

Example Using RMI with Phaos' SSLava:
http://java.sun.com/products/jdk/1.2/docs/guide/rmi/PhaosExample.html
Author Comment

by:msmolyak
ID: 1224508
Thanks for an answer!

Several additional questions if you don't mind.

1. Do I need to install any software on the client and/or server side to use the SSL sockets you described above (besides Java class libraries implementing them)?

2. Will SSL sockets be part of JDK 1.2 or the new version of JDK simply allows more flexibility in deciding which sockets to use?

3. Why would I need that flexibility? What's wrong with using SSL sockets throughout my application?
Expert Comment

by:fontaine
ID: 1224509
I never did RMI over SSL myself, but from what I read:

For (1), provided that the classes are 100% Java, I don't think there is something special to install. Some implementations use JNI. In this case, you need to install the DLL.

For (2), from what I understand, JDK 1.2 only provides the ability to use custom socket types but does not provide other socket types than what currently exists.

For (3), currently, if you use SSL sockets, all the communications will have to use SSL. I suppose that the major disadvantage to this is performance. If you have already bought something on the Net on a site using SSL, you have already noticed that the performance of that part of the site was very poor.

I think that one of the problems with SSL sockets is the cost of the 100% Java libraries. In that respect, I already tried to use an https URL from within an applet with N4.0 and IE 4.0 and I didn't get a MalformedURLException (I didn't try a real connection as I don't have a Web server understanding https at hand). This protocol seems then to be understood by these browsers. That's good to know if you have heavy cost constraints on your project.

Good luck,
Bertrand Fontaine