
RMI Client authentication

 
Dayashankar Dubey
Greenhorn
Posts: 6
I am working on a client/server architecture wherein I am using RMI to remotely access the server object. Here I call methods (set and get methods) on the object which will do a database update or insert. Presently RMI does not provide authentication of the client, so any client who is able to get the stub can call the getter and setter methods. Therefore any client can modify my database.
Can anyone tell me how I can avoid this?
Is there any way to authenticate the client and ensure that only authenticated clients call the RMI objects?
 
Nathan Pruett
Bartender
Posts: 4121
RMI over SSL? Require clients to "register" with a name and password before calling methods - check in other methods if the client has registered yet or not (using UnicastRemoteObject.getClientHost() to couple a client with a username/password...)?
 
Dayashankar Dubey
Greenhorn
Posts: 6
Originally posted by Nathan Pruett:
RMI over SSL? Require clients to "register" with a name and password before calling methods - check in other methods if the client has registered yet or not (using UnicastRemoteObject.getClientHost() to couple a client with a username/password...)?


Suppose I have my client software running on the client machine, and as the stub is downloaded on the client from the server, I can run another software which can even access the stub classes without though having RMI over SSL... Can you tell me how it can be prevented? Since once stub is available on the client machine, any other software can use it to make a remote method call.
 
Nathan Pruett
Bartender
Posts: 4121
Sorry - I couldn't understand some of your question...

How can "another software access stub classes"? It sounds like you are dynamically downloading stubs from the server - how is this "other" getting the stub classes?

"without though having RMI over SSL" does this mean that you aren't using RMI over SSL? Or that RMI over SSL isn't preventing "invalid" clients from making calls on the stubs?

"Since once stub is available on the client machine, any other software can use it to make a remote method call" If you are dynamically downloading stubs from the server, the stub "class" should only exist inside the running JVM of the client that downloaded it - it shouldn't create an actual class file on the client or anything.
 
Sergey Ponomarev
Greenhorn
Posts: 1
I tried to find some RMI authentication code with no success. So I made a small library that allows performing login/password authentication for RMI connections. It implements a socket factory which sends and checks the login and password on socket creation.

https://code.google.com/p/rmiauth/

I post here because it is the 3rd link in Google search for "rmi authentification" keywords and I think this could be useful for other people. Please don't blame me for posting to a dead thread.
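
The socket-factory approach described in the post above, as an added example that is not part of the thread and is not rmiauth's code. The class names, the static credential holder and the wire format (two `writeUTF` strings sent first on each connection) are assumptions.

```java
import java.io.*;
import java.net.*;
import java.rmi.server.*;
import java.util.function.BiPredicate;
// Added illustration: class names and the wire format are assumptions, not rmiauth's API.
public class AuthSocketFactories {
    // Set in the client JVM before the first remote call. Kept static because the
    // factory instance is serialized into the stub; credentials must not travel in it.
    public static volatile String user = "", password = "";
    /** Client side: sends the credentials as the first bytes of every new connection. */
    public static class Client implements RMIClientSocketFactory, Serializable {
        private static final long serialVersionUID = 1L;
        public Socket createSocket(String host, int port) throws IOException {
            Socket s = new Socket(host, port);
            DataOutputStream out = new DataOutputStream(s.getOutputStream());
            out.writeUTF(user);
            out.writeUTF(password);
            out.flush();
            return s;
        }
        // RMI compares factories to decide whether a connection can be reused.
        @Override public boolean equals(Object o) { return o instanceof Client; }
        @Override public int hashCode() { return Client.class.hashCode(); }
    }

    /** Server side: checks the credentials before RMI ever reads from the socket. */
    public static class Server implements RMIServerSocketFactory {
        private final BiPredicate<String, String> verifier; // caller's password check
        public Server(BiPredicate<String, String> verifier) { this.verifier = verifier; }
        public ServerSocket createServerSocket(int port) throws IOException {
            return new ServerSocket(port) {
                @Override public Socket accept() throws IOException {
                    while (true) {                 // loop until a client authenticates
                        Socket s = super.accept();
                        try {
                            s.setSoTimeout(5000);  // bound the wait for a silent peer
                            DataInputStream in = new DataInputStream(s.getInputStream());
                            if (verifier.test(in.readUTF(), in.readUTF())) {
                                s.setSoTimeout(0);
                                return s;          // authenticated: hand over to RMI
                            }
                        } catch (IOException e) { /* malformed or timed out: reject */ }
                        s.close();
                    }
                }
            };
        }
    }
}
```

The factories are passed to `UnicastRemoteObject.exportObject(obj, port, csf, ssf)`. The credentials cross the wire in cleartext unless the sockets are SSL sockets, and the check runs once per connection, not per method call.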
 
Andrew Monkhouse
author and jackaroo
Marshal Commander
Posts: 11914
We actually welcome posts to older threads when they add value, so no problems there. Thanks for letting us know about the library.
 