2 Replies Latest reply on Aug 22, 2002 9:51 AM by anlei

    How secure is RMI?

    anlei

      Hi,

      I have read a bit about J2EE and have skimmed the JBoss Base Docs, but what I have not yet seen is any mention of how secure (or how to secure) the RMI transport.

      How easy is it for external people who sniff the connection to get information out of the packets sent? Is there a way to encrypt the RMI transport?

      Btw, I am not sure if I use the correct term with RMI. What I mean is the standard transport that I use when two EJBs talk with each other or a Java/Swing client talks to an EJB (which I think is implemented via RMI).

      many thanks in advance and keep up the awesome work,
      Andreas

        • 1. Re: How secure is RMI?
          kenneth

          Personally, I've always preferred to keep my RMI access behind a firewall; where necessary I would expose a web-service API to untrusted clients instead of RMI. I would be concerned with efficiency if encrypting all my RMI traffic. But I can imagine situations where you would want to do this.

          To secure RMI you need to run it over SSL. A good description of how to do this is given in the "JBoss Administration and Development", for JBoss 2.4.x. Hopefully the JBoss guys will forgive me for copying a snippet here to set you on the right track:

          "The JBossSX framework includes implementations of
          the java.rmi.server.RMIServerSocketFactory and java.rmi.server.RMIClientSocketFactory
          interfaces that enable the use of RMI over SSL encrypted sockets. The implementation
          classes are org.jboss.security.ssl.RMISSLServerSocketFactory and
          org.jboss.security.ssl.RMISSLClientSocketFactory respectively."

          I suggest you buy the book, and check out Chapter 8.

          Hope this helps.
          Kenneth
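An added example, not code from Kenneth's reply or from the JBoss book, of what "running RMI over SSL" looks like in plain Java. It assumes a JDK that ships `javax.rmi.ssl` (Java 5 and later); the JBossSX classes named above (`org.jboss.security.ssl.RMISSLServerSocketFactory` / `RMISSLClientSocketFactory`) fill the same two roles inside JBoss but their constructors are not shown here. The keystore and truststore paths are placeholders you must replace with your own key material.

```java
// Added example (not from the thread): RMI over TLS using the JDK's own
// javax.rmi.ssl socket factories. Without these factories every remote call,
// including serialized arguments and return values, crosses the wire in clear.
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

public class SecureRmiDemo {

    /** Remote interface: each call and its serialized arguments cross the network. */
    public interface Greeter extends Remote {
        String greet(String name) throws RemoteException;
    }

    /** Plain implementation; nothing about TLS lives here, it is all in the export. */
    static class GreeterImpl implements Greeter {
        public String greet(String name) { return "hello, " + name; }
    }

    static final int PORT = 1099;           // assumed registry port
    static final String BIND_NAME = "Greeter";

    /** Server side: export the object and the registry over TLS sockets only. */
    static Registry startServer() throws Exception {
        // Restrict to TLS 1.2 and require a client certificate (mutual auth), so
        // neither the registry nor the object is reachable over cleartext or by
        // an anonymous client; a sniffer then sees only the TLS handshake.
        SslRMIServerSocketFactory ssf = new SslRMIServerSocketFactory(
                null,                          // default cipher suites
                new String[] { "TLSv1.2" },    // enabled protocols
                true);                         // needClientAuth
        SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();

        // Port 0 = anonymous port for the exported object; the stub handed to
        // clients embeds csf, so their calls are forced onto TLS sockets too.
        Greeter stub = (Greeter) UnicastRemoteObject.exportObject(
                new GreeterImpl(), 0, csf, ssf);
        Registry registry = LocateRegistry.createRegistry(PORT, csf, ssf);
        registry.rebind(BIND_NAME, stub);
        return registry;
    }

    /** Client side: the lookup itself must use the TLS client factory. */
    static String callServer(String host, String name) throws Exception {
        Registry registry = LocateRegistry.getRegistry(
                host, PORT, new SslRMIClientSocketFactory());
        Greeter greeter = (Greeter) registry.lookup(BIND_NAME);
        return greeter.greet(name);
    }

    public static void main(String[] args) throws Exception {
        // Placeholder key material (assumption): normally passed as -D options.
        // The truststore must contain the peer's certificate; with
        // needClientAuth=true the client also needs its own key pair.
        System.setProperty("javax.net.ssl.keyStore", "/path/to/keystore.jks");
        System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
        System.setProperty("javax.net.ssl.trustStore", "/path/to/truststore.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

        startServer();
        System.out.println(callServer("localhost", "Andreas"));
    }
}
```

Run the server and client JVMs with `-Djavax.net.ssl.keyStore=...` style options instead of `System.setProperty` in production; the point of the example is that the two factories are passed at export time and at registry creation, so a client that does not present the matching client factory cannot even complete the lookup.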

          • 2. Re: How secure is RMI?
            anlei

            Hi,

            thanks a lot for your very helpful answer!

            We are still evaluating JBoss, but have already purchased the Administration&Development + CMP. I even skimmed both. The CMP docs are very very good. It's just that the Ad&Dev docs are a bit hard to swallow for me right now, because my EJB/J2EE knowledge is still in its very infancy, to say the least (;

            Andreas