Java RMI security on Cloud

 
Greenhorn
Posts: 6
So, I am trying to deploy my Java application on the Azure cloud. A web application running on one Virtual Machine will be commanding 2 separate Java applications deployed on 2 separate VMs through Java RMI.
Is this approach secure by default?
What will I have to do to make it secure enough? Will a shared key encrypted password validation do?

Thanks in Advance!
 
Rancher
Posts: 43081
Security is such a huge topic that it's unlikely that two folks will have the same idea of what "secure enough" means. What's your definition of it?
 
Jo Joy
Greenhorn
Posts: 6

Ulf Dittmer wrote: Security is such a huge topic that it's unlikely that two folks will have the same idea of what "secure enough" means. What's your definition of it?



I agree. So here is my thing. I do not want any external unauthorized sources to issue commands to my RMI server applications which are running on different VMs.
Please let me know how else I can make the question more specific.
 
Ulf Dittmer
Rancher
Posts: 43081
I think a better approach than to use just a password would be to prevent any client from an IP address other than the two you have from connecting.

Thinking a step further, if you do that, then using a password does not provide much extra security. Because any unauthorized connection coming from an authorized IP would mean that the authorized host has been compromised - in which case the attacker could probably have gotten hold of the jar file with the client code, reverse-engineered the code, and thus extracted the password.

So, if you check the IP, a password doesn't add much. But you should use one :-) And store it in encoded form in the source code, not as cleartext, and not in an extraneous file.
 
Jo Joy
Greenhorn
Posts: 6
Thanks for your input Ulf!
The only concern I have here is when I restrict the IPs, I would not be sure if the IPs were never meant to change. If it changes for some reason, my commands will stop working. Moreover, I will be taking up the job of a firewall inside my application. I do not know how acceptable this approach would be in my enterprise.
Does this mean that RMI does not have any inherent security implementations that I can leverage?
 
Ulf Dittmer
Rancher
Posts: 43081
Server IPs generally don't change; I wouldn't be concerned about that.

Application security is NOT the job of the firewall, it is the job of the application. Defense in depth is what you should implement. If there are further restrictions you can apply at the firewall - so much the better.

RMI does not have any of this stuff built in. But both IP checking and password checking are easy to implement at the application level.
 