Writing secure java code with RMI

Posted by jtnire on Stack Overflow See other posts from Stack Overflow or by jtnire
Published on 2010-05-19T22:01:24Z Indexed on 2010/05/19 22:10 UTC
Read the original article Hit count: 280

Filed under:

java

|

rmi

Hi Everyone,

This may seem like a very broad question, but any help is appreciated.

I have a client/server solution written in java which uses the Cajo project (which uses RMI). I just want to try and make my solution as secure as possible, given the sensitive data that will be transferred between server and client.

So far, my ideas are to make all my classes "final" as well as throw a "non-serializable" exception for all my classes in the server (except for the object bound in the RMI registry, and any objects that actually do need to be transferred of course).

Can anyone think of any other ideas?

I know that someone could write a malicious client - this isn't hard to do as you can find out the remote object's API using reflection. However is there anything I can do to protect a malicious client access classes/objects within the server that they are not supposed to access?

Many Thanks

© Stack Overflow or respective owner

Related posts about java

Tomcat 6: Access Control Exception?

as seen on Server Fault - Search for 'Server Fault'
I'm trying to setup a tomcat6 server, and I'm trying to match another setup someone else established. However, my deployment (default Ubuntu install) uses a policy.d/ directory structure, and the established server just uses a catalina.policy file. I've tried setting every entry in policy.d to match… >>> More
Problem in creation MDB Queue connection at Jboss StartUp

as seen on Stack Overflow - Search for 'Stack Overflow'
I am not able to create a Queue connection in JBOSS4.2.3GA Version & Java1.5, as I am using MDB as per the below details. I am putting this MDB in a jar file(named utsJar.jar) and copied it in deploy folder of JBOSS, In the test env. this MDB works well but in another env. [ env settings and… >>> More
failing to establish connection between Postgres db and gwt

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi, I am using Postgres and gwt 2.0 for one of my applications. I am facing problem connecting to the database. When I try to connect it gives "ClassNotFoundException". Here is what I get when I try to connect to database: java.lang.ClassNotFoundException: org.postgresql.Driver at java.net… >>> More
failing to establish connection between postgre db and gwt

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi, For i am using postgre and gwt 2.0 for one of my applications. I am facing problem connecting to the database. When i try to connect it gives "ClassNotFoundException". Here is what i get when i try to connect to database: java.lang.ClassNotFoundException: org.postgresql.Driver at java.net… >>> More
Migration and deployement problems JBoss 4.2.2.GA to JBoss 6.0.0.M2

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi, I'm trying to migrate an application running on JBoss 4.2.2.GA to JBoss 6.0.0.M2 I give you some log to explain my problem : boot.log : 2010-03-16 09:59:29,406 ERROR [org.jboss.system.server.profileservice.ProfileServiceBootstrap] (Thread-2) Failed to load profile: Summary of incomplete deployments… >>> More

Related posts about rmi

java RMI newbie-- some basic questions about SSL and auth/.rate limiting an RMI service

as seen on Stack Overflow - Search for 'Stack Overflow'
I am trying to work to secure a java based RMI service using SSL. I have some basic questions about the capabilities of using SSL. Specifically, from what I understand, the client and server connecting via SSL will need to have appropriate credential certificates in both client and server, for a… >>> More
RMI on client side generating exception when getting a reference to the RMI server

as seen on Stack Overflow - Search for 'Stack Overflow'
When I try to run an RMI client after running the RMI server I get the following exception: EncodeInterface exception: java.lang.ClassCastException: $Proxy30 cannot be cast to hw2.chat.backend.main.EncodeInterface java.lang.ClassCastException: $Proxy30 cannot be cast to hw2.chat.backend.main.EncodeInterface at… >>> More
java.rmi.UnmarshalException: unable to pull client classes by server

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi, I have an RMI client/server set-up on two machines that works fine in a simple situation when the server doesn't require a client-side defned class. However, when I need to use a class defined on the client side I am unable to have the server unmarshall those classes. I suspect this is an issue… >>> More
problem in start up my RMI server(under ISP) so that it can recieve remote calls over Internet.--Jav

as seen on Stack Overflow - Search for 'Stack Overflow'
i m creating a Client/Server application in which my server and client can be on the same or on different machines but both are under ISP. My RMI programs:- -Remote Intreface:- //Calculator.java public interface Calculator extends java.rmi.Remote { public long add(long a, long b) … >>> More
Java RMI (Server: TCP Connection Idle/Client: Unmarshalexception (EOFException))

as seen on Stack Overflow - Search for 'Stack Overflow'
I'm trying to implement Sun Tutorials RMI application that calculates Pi. I'm having some serious problems and I cant find the solution eventhough I've been searching the entire web and several javaskilled people. I'm hoping you can put an end to my frustrations. The crazy thing is that I can run… >>> More