Security from Downloaded Code

RMI allows a client to download the stub and other classes from a specified URL at runtime. With this comes the burden of protecting the client program from potentially dangerous code, because code downloaded from unknown locations cannot be completely trusted. To illustrate class downloading from a URL, we place the archive files server_stub.jar and common.jar on a Web server. Let us assume that their respective URLs are:

http://www.pankaj-k.net/jsbook/ch8/server_stub.jar

http://www.pankaj-k.net/jsbook/ch8/common.jar

In fact, these are valid URLs and you can use them in your experimentation.

As in the earlier section, we need three command shell windows to run the application. Run the rmiregistry in the first window, this time without setting the CLASSPATH.

C:\ch8\ex2>set CLASSPATH=
C:\ch8\ex2>rmiregistry

Run the server program in the second window, specifying the jar file URLs as a space-separated list in the value of the system property java.rmi.server.codebase.

C:\ch8\ex2>java -Djava.rmi.server.codebase="http://www.pankaj-k.net\
/jsbook/ch8/server_stub.jar http://www.pankaj-k.net/jsbook/ch8\
/common.jar" -cp server.jar;common.jar server.RemoteBankServer
RemoteBank Server ready.

Remember to remove the backslash character at the end of each line in the actual command.

Finally, run the client program.

C:\ch8\ex2>java -cp client.jar;common.jar client.RMIBCShell localhost
Exception in thread "main" java.rmi.UnmarshalException: error 
unmarshalling return; nested exception is:
java.lang.ClassNotFoundException: server.RemoteBankImpl_Stub 
(no security manager: RMI class loader disabled)
... more output omitted ...

What is happening here? The client program cannot download the stub classes because no security manager is configured for it. We covered the Java security manager in Chapter 5, Access Control. In brief, when enabled, it allows code to perform only those operations that are permitted by the policy files in effect. This amounts to the Java applet level of permission and is quite restrictive.

You must have the security manager enabled before the client can download the jar files containing the stub classes. This behavior protects the client program from running unknown code with complete access to the client machine. Enabling the security manager forces the user to think about the existence of downloaded code and the need to protect local resources from it. Of course, just enabling the security manager is not sufficient. You also need a policy file with appropriate permissions for the local class files and the downloaded class files. The policy file rmi.policy, shown in Listing 8-6, will suffice for the current application.

Listing 8-6. Policy file for the Sample Application Client program
// file: rmi.policy
grant codeBase "file:${user.dir}${/}*" {
  permission java.net.SocketPermission
       "localhost:1099", "connect, resolve";
  permission java.net.SocketPermission
       "www.pankaj-k.net:80", "connect, resolve";
  permission java.net.SocketPermission
       "192.168.1.100:1024-", "connect, resolve";
};

grant codeBase "http://www.pankaj-k.net/-" {
  permission java.net.SocketPermission
       "192.168.1.100:1024-", "connect, resolve";
};

The first grant entry allows the local code to establish socket connections to the RMI Registry on the localhost, to the Web server on www.pankaj-k.net, and to the server program on the machine with IP address 192.168.1.100. In our test setup, this is the IP address assigned to the machine running these programs. You should modify it for your own setup. The second grant entry allows code downloaded from www.pankaj-k.net to connect to the server program.
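The following added example (not part of the book's sample application) uses the JDK's own matching rules to show which code locations and socket targets the entries of Listing 8-6 cover, without installing a security manager. The class name PolicyMatchDemo, the "/*" codeBase variant, and the target addresses other than those in the listing are constructed for illustration.

```java
import java.net.SocketPermission;
import java.net.URI;
import java.net.URL;
import java.security.CodeSource;
import java.security.cert.Certificate;

// Added example (not from the book): checks which code locations and socket
// targets the entries of Listing 8-6 cover, using the JDK's own matching rules.
public class PolicyMatchDemo {

    // True if code loaded from 'location' falls under the codeBase 'pattern'.
    static boolean codeBaseCovers(String pattern, String location) throws Exception {
        URL grantUrl = URI.create(pattern).toURL();
        URL codeUrl = URI.create(location).toURL();
        return new CodeSource(grantUrl, (Certificate[]) null)
                .implies(new CodeSource(codeUrl, (Certificate[]) null));
    }

    // True if a grant of "connect, resolve" on 'granted' permits connecting to 'target'.
    static boolean connectAllowed(String granted, String target) {
        return new SocketPermission(granted, "connect, resolve")
                .implies(new SocketPermission(target, "connect"));
    }

    public static void main(String[] args) throws Exception {
        String stubJar = "http://www.pankaj-k.net/jsbook/ch8/server_stub.jar";
        // "/-" matches recursively; "/*" (constructed variant) matches one directory only.
        System.out.println("'/-' covers stub jar: "
                + codeBaseCovers("http://www.pankaj-k.net/-", stubJar));
        System.out.println("'/*' covers stub jar: "
                + codeBaseCovers("http://www.pankaj-k.net/*", stubJar));

        // Permission given to the downloaded stub by the second grant entry.
        String granted = "192.168.1.100:1024-";
        // Constructed targets: a high server port, the HTTP port, another host.
        String[] targets = {"192.168.1.100:2099", "192.168.1.100:80", "192.168.1.101:2099"};
        for (String target : targets) {
            System.out.println("stub may connect to " + target + ": "
                    + connectAllowed(granted, target));
        }
    }
}
```

Only the recursive "/-" form covers jars stored under /jsbook/ch8/, and the downloaded stub is limited to ports 1024 and above on the one server address.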

Let us now run the client with the file rmi.policy as the policy file.

C:\ch8\ex1>java -Djava.security.manager \
-Djava.security.policy=rmi.policy \
-cp client.jar;common.jar client.RMIBCShell localhost
rbcsh>open 10.00
Account Opened: 1000

As you can see, everything is fine now. You can go ahead and perform other transactions.

In our RMI sample application, only the client program runs downloaded stub classes. In the general case, every RMI program may need to download code and so must run with a security manager enabled and with an appropriate policy file.
