Java RMI security on Cloud

Jo Joy
Greenhorn

Joined: Aug 13, 2009
Posts: 6
So, I am trying to deploy my Java application on the Azure cloud. A web application running on one Virtual Machine will be commanding 2 separate Java applications deployed on 2 separate VMs through Java RMI.
Is this approach secure by default?
What will I have to do to make it secure enough? Will a shared key encrypted password validation do?

Thanks in Advance!


"Do not go where the path may lead, go instead where there is no path and leave a trail" - Ralph Waldo Emerson
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41629
    
  55
Security is such a huge topic that it's unlikely that two folks will have the same idea of what "secure enough" means. What's your definition of it?


Ping & DNS - my free Android networking tools app
Jo Joy
Greenhorn

Joined: Aug 13, 2009
Posts: 6
Ulf Dittmer wrote: Security is such a huge topic that it's unlikely that two folks will have the same idea of what "secure enough" means. What's your definition of it?


I agree. So here is my thing. I do not want any external unauthorized sources to issue commands to my RMI server applications which are running on different VMs.
Please let me know how else I can make the question more specific.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41629
    
  55
I think a better approach than to use just a password would be to prevent any client from an IP address other than the two you have from connecting.

Thinking a step further, if you do that, then using a password does not provide much extra security. Because any unauthorized connection coming from an authorized IP would mean that the authorized host has been compromised - in which case the attacker could probably have gotten hold of the jar file with the client code, reverse-engineered the code, and thus extracted the password.

So, if you check the IP, a password doesn't add much. But you should use one :-) And store it in encoded form in the source code, not as cleartext, and not in an extraneous file.
Jo Joy
Greenhorn

Joined: Aug 13, 2009
Posts: 6
Thanks for your input Ulf!
The only concern I have here is when I restrict the IPs, I would not be sure if the IPs were never meant to change. If it changes for some reason, my commands will stop working. Moreover, I will be taking up the job of a firewall inside my application. I do not know how acceptable this approach would be in my enterprise.
Does this mean that RMI does not have any inherent security implementations that I can leverage?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41629
    
  55
Server IPs generally don't change; I wouldn't be concerned about that.

Application security is NOT the job of the firewall, it is the job of the application. Defense in depth is what you should implement. If there are further restrictions you can apply at the firewall - so much the better.

RMI does not have any of this stuff built in. But both IP checking and password checking are easy to implement at the application level.
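
One way to implement the IP check discussed in this thread, as an added example that is not code from any of the posters: a custom RMIServerSocketFactory that closes connections from any address not on an allowlist before the RMI runtime reads from them. The Commander interface, the ports 1099 and 1100, and the address 10.0.0.4 are assumptions made for illustration.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.RMIServerSocketFactory;
import java.rmi.server.UnicastRemoteObject;
import java.util.Set;

public class AllowlistedRmiServer {
    /** Hypothetical remote interface standing in for the poster's command API. */
    public interface Commander extends Remote {
        String run(String command) throws RemoteException;
    }
    /** Accepts RMI connections only from peers whose address is on the allowlist. */
    static final class AllowlistFactory implements RMIServerSocketFactory {
        private final Set<InetAddress> allowed;
        AllowlistFactory(Set<InetAddress> allowed) { this.allowed = Set.copyOf(allowed); }
        @Override public ServerSocket createServerSocket(int port) throws IOException {
            return new ServerSocket(port) {
                @Override public Socket accept() throws IOException {
                    while (true) {
                        Socket s = super.accept();
                        if (allowed.contains(s.getInetAddress())) return s;
                        System.err.println("rejected RMI peer " + s.getRemoteSocketAddress());
                        s.close(); // drop before any RMI bytes are read or deserialized
                    }
                }
            };
        }
        // RMI uses equals() to decide whether two exports can share one listener.
        @Override public boolean equals(Object o) {
            return o instanceof AllowlistFactory && allowed.equals(((AllowlistFactory) o).allowed);
        }
        @Override public int hashCode() { return allowed.hashCode(); }
    }
    private static Commander impl;    // strong references keep the exported
    private static Registry registry; // objects from being garbage collected

    public static void main(String[] args) throws Exception {
        // Constructed address for the web application VM; replace with the real one.
        AllowlistFactory ssf = new AllowlistFactory(Set.of(InetAddress.getByName("10.0.0.4")));
        impl = new Commander() { public String run(String c) { return "accepted: " + c; } };
        // The registry and the remote object listen on separate ports; guard both.
        Commander stub = (Commander) UnicastRemoteObject.exportObject(impl, 1100, null, ssf);
        registry = LocateRegistry.createRegistry(1099, null, ssf);
        registry.rebind("commander", stub);
    }
}
```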
 