Java RMI and security

Posted on 1998-07-02
Last Modified: 2013-12-22
I am writing a client/server application in Java with RMI as the communication method. Could you give me some ideas or references on implementing a secure connection between client and server? At the minimum I need an authentication of the client logging in to the server, where the server has the password file (and I do not want to send a password across the network). So how do you implement authentication in Java?

And it is desirable to encrypt all the information exchanged between the client and the server.  I understand that java.security package provides means to do that but I would like to do as little as possible at the application layer.

Since RMI makes the details of network communications invisible to the user, one would think that encrypting and decrypting data should also be implemented in that network layer (similarly to how it is done in SSL, where security is built into the protocol and is not maintained on the application layer). So are there any RMI varieties which provide secure data exchange?
Question by:msmolyak

Accepted Solution

by:
fontaine earned 150 total points
ID: 1224507
You can do RMI over SSL like this:

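import java.io.*;
import java.net.*;
import java.rmi.server.*;

// SSLSocket and SSLServerSocket are the classes of the third-party SSL library in use.
public class SSLRMISocketFactory extends RMISocketFactory {

    // Client side: every outgoing RMI connection is opened as an SSL socket.
    public Socket createSocket(String host, int port) throws IOException {
        return new SSLSocket(host, port);
    }

    // Server side: every RMI listening socket is an SSL server socket.
    public ServerSocket createServerSocket(int port) throws IOException {
        return new SSLServerSocket(port);
    }

}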

where SSLSocket and SSLServerSocket are SSL socket and server socket classes that
several companies have developed. Take a look at:

http://www.phaos.com
http://jcewww.iaik.tu-graz.ac.at/iSaSiLk/isasilk.htm

Now in your app., you write:

try {
       RMISocketFactory.setSocketFactory(new SSLRMISocketFactory());
} catch (IOException ex) {
       ex.printStackTrace();
}

in order to set RMI up to use the SSL sockets.

With JDK < 1.2, as there is no custom socket type, one RMISocketFactory is set for the entire Java VM and all objects must communicate using SSL sockets.  With JDK 1.2, this is no longer true.

The following pages are from SUN:
http://java.sun.com/products/jdk/1.2/docs/guide/rmi/SSLInfo.html

Example Using RMI with Phaos' SSLava:
http://java.sun.com/products/jdk/1.2/docs/guide/rmi/PhaosExample.html
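
The per-object socket factories mentioned above, shown with the JSSE classes that later JDKs ship in javax.rmi.ssl. This is an added example, not part of the original answer; the names TlsRmiDemo and Greeter, port 1099 and the key store placeholders are assumptions, and it expects Java 11 or later with a key store holding a certificate for localhost. Requiring a client certificate authenticates the client without sending a password over the network.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

// Added example. Run with a key store and trust store you created (placeholders):
//   java -Djavax.net.ssl.keyStore=<keystore> -Djavax.net.ssl.keyStorePassword=<password> \
//        -Djavax.net.ssl.trustStore=<truststore> -Djavax.net.ssl.trustStorePassword=<password> TlsRmiDemo
public class TlsRmiDemo {

    // Hypothetical remote interface used only for this demo.
    public interface Greeter extends Remote {
        String greet(String name) throws RemoteException;
    }

    static class GreeterImpl implements Greeter {
        public String greet(String name) { return "hello, " + name; }
    }

    public static void main(String[] args) throws Exception {
        int port = 1099; // assumed registry port

        SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
        // null = JSSE default cipher suites; protocols restricted to TLS 1.2/1.3;
        // true = the server requires a client certificate (mutual authentication).
        SslRMIServerSocketFactory ssf =
            new SslRMIServerSocketFactory(null, new String[] {"TLSv1.2", "TLSv1.3"}, true);

        // The factories are set per exported object, not for the whole VM:
        // the registry and the Greeter object both listen on TLS sockets only.
        Registry registry = LocateRegistry.createRegistry(port, csf, ssf);
        GreeterImpl impl = new GreeterImpl();
        Greeter stub = (Greeter) UnicastRemoteObject.exportObject(impl, 0, csf, ssf);
        registry.bind("greeter", stub);

        // Client side: reach the registry over TLS; the stub carries its own csf.
        Registry remote = LocateRegistry.getRegistry("localhost", port, csf);
        Greeter greeter = (Greeter) remote.lookup("greeter");
        System.out.println(greeter.greet("client"));

        // Unexport so the JVM can exit.
        UnicastRemoteObject.unexportObject(impl, true);
        UnicastRemoteObject.unexportObject(registry, true);
    }
}
```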

Author Comment

by:msmolyak
ID: 1224508
Thanks for an answer!

Several additional questions if you don't mind.

1. Do I need to install any software on the client and/or server side to use the SSL sockets you described above (besides Java class libraries implementing them)?

2. Will SSL sockets be part of JDK 1.2, or does the new version of the JDK simply allow more flexibility in deciding which sockets to use?

3. Why would I need that flexibility? What's wrong with using SSL sockets throughout my application?

Expert Comment

by:fontaine
ID: 1224509
I never did RMI over SSL myself, but from what I read:

For (1), provided that the classes are 100% Java, I don't think there is anything special
to install. Some implementations use JNI. In this case, you need to install the DLL.

For (2), from what I understand, JDK 1.2 only provides the ability to use custom socket
types but does not provide socket types other than what currently exists.

For (3), currently, if you use SSL sockets, all the communications will have to use SSL. I
suppose that the major disadvantage to this is performance. If you have already bought something
on the Net on a site using SSL, you have already noticed that the performance of that part
of the site was very poor.

I think that one of the problems with SSL sockets is the cost of the 100% Java libraries.
In that respect, I already tried to use an https URL from within an applet with N4.0 and IE 4.0
and I didn't get a MalformedURLException (I didn't try a real connection as I don't have a
Web server understanding https at hand). This protocol then seems to be understood by
these browsers. That's good to know if you have heavy cost constraints on your project.

Good luck,
Bertrand Fontaine