encrypt an rmi call

 
Bob Pettit
Greenhorn
Posts: 16
I have this servlet that calls this session bean that is located on a different machine. I know that the call is an RMI call. Does anyone know if the call is encrypted? When I call the session bean method and I pass it an object, can someone, somehow, look into that data? The servlet actually passes credit card information to the session bean, which processes the payment. I wanna make sure that the call between the servlet and the session bean is encrypted.

Thanks a lot for your help
 
Nathan Pruett
Bartender
Posts: 4121
Calls between servlets and EJBs just use RMI-IIOP, and as far as I know there's no encryption, so it would probably be possible to pull the credit card string out of the serialized object. Instead of encrypting the entire serialized object, though, why not just encrypt the credit card string in the servlet and decrypt it in the bean? (Here's a link to the Java Cryptography Extensions that might help you get started.)
 
Bob Pettit
Greenhorn
Posts: 16
I wrote the code for the servlet but the session bean that I call is written by the credit card company and I don't think it would be possible to have them change their code.
 
Nathan Pruett
Bartender
Posts: 4121
That's a problem then... to encrypt anything, both sides are going to have to come to some agreement on how they're going to do it. Even if you write a custom socket factory to encrypt all RMI traffic, or do RMI over HTTPS or something, the other side is going to have to do something to connect up. In the case of using a custom socket factory, they'll need to have a custom server socket factory that matches. In the case of RMI over HTTPS, they'll need a servlet that you'll send your calls to. There are also probably ways to do this depending on the specific app server that the other company is using - but at the least they're still going to need to set it up and give you the property files or whatever else you need to get it to work.
[ May 25, 2005: Message edited by: Nathan Pruett ]
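
The matched socket-factory pair mentioned in the reply above, as an added example that is not part of the original thread. It uses plain RMI (JRMP) with the JDK's `javax.rmi.ssl` factories rather than an EJB container's RMI-IIOP transport, which is configured per app server; `PaymentService`, the registry port, the card number and the keystore paths are hypothetical.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

// Assumed JVM options (placeholder paths and passwords), needed on BOTH sides:
//   -Djavax.net.ssl.keyStore=<keystore>     -Djavax.net.ssl.keyStorePassword=<pw>
//   -Djavax.net.ssl.trustStore=<truststore> -Djavax.net.ssl.trustStorePassword=<pw>
public class TlsRmiDemo {

    // Hypothetical remote interface standing in for the payment bean.
    public interface PaymentService extends Remote {
        String charge(String cardNumber) throws RemoteException;
    }

    static class PaymentServiceImpl implements PaymentService {
        public String charge(String cardNumber) {
            // Echo only the last four digits; never return or log the full number.
            return "accepted:****" + cardNumber.substring(cardNumber.length() - 4);
        }
    }

    public static void main(String[] args) throws Exception {
        // The client factory is serialized into the stub, so every caller
        // that obtains the stub connects over TLS automatically.
        SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
        // null, null = JDK default cipher suites and protocols;
        // true = the server also demands a client certificate (mutual TLS).
        SslRMIServerSocketFactory ssf = new SslRMIServerSocketFactory(null, null, true);

        // --- server side: registry and service both listen on TLS sockets ---
        Registry registry = LocateRegistry.createRegistry(1099, csf, ssf);
        PaymentServiceImpl impl = new PaymentServiceImpl();
        Remote stub = UnicastRemoteObject.exportObject(impl, 0, csf, ssf);
        registry.rebind("PaymentService", stub);

        // --- client side: the registry lookup itself must also use TLS ---
        Registry remote = LocateRegistry.getRegistry("localhost", 1099, csf);
        PaymentService svc = (PaymentService) remote.lookup("PaymentService");
        System.out.println(svc.charge("4111111111111111")); // constructed test number

        // Unexport so the demo JVM can exit.
        UnicastRemoteObject.unexportObject(impl, true);
        UnicastRemoteObject.unexportObject(registry, true);
    }
}
```

If only one side installs its factory, the TLS handshake fails and the call never goes through, which is why the remote party has to take part in the setup.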
 