2 Replies Latest reply on Aug 22, 2002 9:51 AM by Andreas Leitner

    How secure is RMI?

    Andreas Leitner Newbie

      Hi,

      I have read a bit about J2EE and am skimmed the JBoss Base Docs, but what I yet have not seen is any mention of how secure (or how to secure) the RMI transport.

      How easy is it for external people who sniff the connection to get information out of the packets sent? Is there a way to encrypt the RMI transport?

      Btw, I am not sure if I use the correct term with RMI. What I mean is the standard transport that I use when two EJB talk with each other or a Java/Swing Client talks to a EJB (which I think is implemented via RMI)

      many thanks in advance and keep up the awesome work,
      Andreas

        • 1. Re: How secure is RMI?
          Kenneth Roper Newbie

          Personally, I've always preferred to keep my RMI access behind a firewall; where necessary I would expose a web-service API to untrusted clients instead of RMI. I would be concerned with efficiency if encrypting all my RMI traffic. But I can imagine situations you would want to do this.

          To secure RMI you need to run it over SSL. A good description of how to do this is given in the "JBoss Administration and Development", for JBoss 2.4.x. Hopefully the JBoss guys will forgive me for copying a snippet here to set you on the right track:

          "The JBossSX framework includes implementations of
          the java.rmi.server.RMIServerSocketFactory and java.rmi.server.RMIClientSocketFactory
          interfaces that enable the use of RMI over SSL encrypted sockets. The implementation
          classes are org.jboss.security.ssl.RMISSLServerSocketFactory and
          org.jboss.security.ssl.RMISSLClientSocketFactory respectively."

          I suggest you buy the book, and check out Chapter 8.

          Hope this helps.
          Kenneth

          • 2. Re: How secure is RMI?
            Andreas Leitner Newbie

            Hi,

            thanks alot for your very helpful answere!

            We are still evaluating JBoss, but have already purchased the Administration&Development + CMP. I even skimmed both. The CMP docs are very very good. It´s just that the Ad&Dev docs are a bit hard to swallow for me right now, because my EJB/J2EE knowledge is still in it´s very infancy - to say the least (;

            Andreas