Summary

RMI is not designed for developing secure distributed programs. RMI offers little by way of client authentication, operation-level authorization, confidentiality, and integrity of messages exchanged. However, there are enough hooks to add security by careful program design and use of other security APIs such as JSSE for message integrity and confidentiality, and JAAS for user authentication and authorization.

RMI offers protection against rogue downloaded code by requiring a security manager. This forces the application deployer to think about limiting the privileges of the downloaded code and to assign it appropriate permissions.

SSL can be used to protect the RMI payloads, and optionally authenticate the communicating end-points. RMI base classes do not assume a fixed transport and accept socket factories as constructor arguments. This allows their initialization with SSL socket factories. As a result, the programming changes required to use SSL over TCP as the transport to carry RMI payload are minimal. An interesting aspect is that only the server program needs to be modified to use a custom socket factory.
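As an added illustration (not code from this chapter), the server below exports a remote object through the JDK's `javax.rmi.ssl` socket factories. The `Echo` interface, the binding name, and the port are hypothetical, and the JVM is assumed to be started with `-Djavax.net.ssl.keyStore` and `-Djavax.net.ssl.keyStorePassword` pointing at the server's key store.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

public class SecureEchoServer {
    // Hypothetical remote interface used only for this example.
    public interface Echo extends Remote {
        String echo(String msg) throws RemoteException;
    }

    static class EchoImpl implements Echo {
        public String echo(String msg) { return msg; }
    }

    // Strong references so the exported object and registry are not collected.
    private static EchoImpl impl;
    private static Registry registry;

    public static void main(String[] args) throws Exception {
        // true = also require a client certificate (mutual authentication);
        // false = only the server end-point is authenticated.
        boolean needClientAuth = false;

        // The client factory is serializable and travels inside the stub.
        SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
        // null, null = keep the JVM's default cipher suites and protocols.
        SslRMIServerSocketFactory ssf =
                new SslRMIServerSocketFactory(null, null, needClientAuth);

        impl = new EchoImpl();
        // Port 0 lets RMI choose a free port for the SSL server socket.
        Echo stub = (Echo) UnicastRemoteObject.exportObject(impl, 0, csf, ssf);

        // Note: this registry itself listens on a plain socket; only calls
        // made through the stub are carried over SSL.
        registry = LocateRegistry.createRegistry(1099);
        registry.rebind("Echo", stub);
        System.out.println("Echo exported over SSL");
    }
}
```

Because the client socket factory is serialized into the stub, an ordinary client that looks up `Echo` connects over SSL without code changes; it only needs a trust store (for example via `-Djavax.net.ssl.trustStore`) that contains the server's certificate.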

JAAS can be used for access control in conjunction with RMI but requires significant programming effort. This is best accomplished by using a framework to handle the common behavior. The idea behind such a framework has been presented in this chapter. Because JAAS relies on specifying permissions in policy files based on the code location, partitioning classes into different JAR files and assigning appropriate permissions can be challenging.
