Personally, I've always preferred to keep my RMI access behind a firewall; where necessary I would expose a web-service API to untrusted clients instead of RMI. I would be concerned with efficiency if encrypting all my RMI traffic. But I can imagine situations you would want to do this.
To secure RMI you need to run it over SSL. A good description of how to do this is given in "JBoss Administration and Development", for JBoss 2.4.x. Hopefully the JBoss guys will forgive me for copying a snippet here to set you on the right track:
"The JBossSX framework includes implementations of the java.rmi.server.RMIServerSocketFactory and java.rmi.server.RMIClientSocketFactory interfaces that enable the use of RMI over SSL encrypted sockets. The implementation classes are org.jboss.security.ssl.RMISSLServerSocketFactory and
I suggest you buy the book, and check out Chapter 8.
Hope this helps.
Thanks a lot for your very helpful answer!
We are still evaluating JBoss, but have already purchased the Administration&Development + CMP. I even skimmed both. The CMP docs are very very good. It's just that the Ad&Dev docs are a bit hard to swallow for me right now, because my EJB/J2EE knowledge is still in its very infancy - to say the least (;