java - Writing a secure RMI server-client application -


i'm writing server-client application communication done on internet , have several questions , concerns regarding security. have done research , found posts here useful, more information. related questions read were:

secure authentication of client on rmi

java rmi authentication & security. exportobject makes public?

is communication in java rmi secure?

i have 3 parts consider:

  1. information exchanged between client , server.
  2. authentication of client.
  3. exploiting running rmi server (hacking etc.).

what know:

  1. rmi on ssl. using ssl sockets instead of default socket encrypt information passed between client , server. includes objects exchange , method calls.
  2. authentication using username/password combination on ssl before rmi connection has been established. understanding there supposed way authenticate inside rmi connection voted down.
  3. not sure can or needs done here. know can't write own client , ask connect server since need objectid , remote interfaces. however, not possible decompile classes \ interfaces need since sent in rmi anyway? saw youtube video [http://www.youtube.com/watch?v=otjllnabxiw] while researching , got me worried how easy is, although don't know if server not setup correctly.

all in all, there other security issues need consider in rmi on internet? missing solution need at? know wrong?

information exchanged between client , server.

rmi on ssl.

authentication of client.

authentication of client done ssl. mean authorisation, 'relatively' easy. define own rmiserversocketfactory returns serversocket override implaccept() method wraps socket in sslsocket, add handshake listener , set needclientauth true on (and clientmode false). handshake listener should , check client certificate sslsession, see if identity authenticates authorised, , close socket if non-authorised.

authorising server, in client, on other hand baroquely complex. need jeri api in jini properly.

exploiting running rmi server (hacking etc.).

i won't go far it's impossible, it's extremely difficult, , there several strong lines of defence. need objectid, random, , can made securely random, , need classes. classes , interfaces aren't sent in rmi unless enable it, , sent side channel can secure arbitrarily strongly, example two-way-authenticated https. can't those. need authorised, requires compromising server. , if that's possible, is.


Comments

Post a Comment

Popular posts from this blog

android - Get AccessToken using signpost OAuth without opening a browser (Two legged Oauth) -

i using signpost oauth access data magento server. have read various tutorials on same , reach point open browser user can enter credentials. however, per requirement have automate part. hence, user should not browser page. have set-up done on server side ( magento ), hit url , returned call page. same through program in android. i have tried below, consumer = new commonshttpoauthconsumer(key, secret); provider = new commonshttpoauthprovider(oauth_init_url,access_token_url, authorize_url); try { provider.retrieverequesttoken(consumer, oauth.out_of_band); log.d("tokens" , consumer.gettoken() + " -- " + consumer.gettokensecret()); } and request tokens. dont know how bypass next step. tried directly accessing accesstoken (stupid of me) provider.retrieveaccesstoken(consumer, "mycallback://callback"); no luck, ends in oauth.signpost.exception.oauthnotauthorizedexception: authorization failed (server replied 401). ...
Read more

org.mockito.exceptions.misusing.InvalidUseOfMatchersException: mockito -

getting error org.mockito.exceptions.misusing.invaliduseofmatchersexception: invalid use of argument matchers! 1 matchers expected, 2 recorded. exception may occur if matchers combined raw values: //incorrect: somemethod(anyobject(), "raw string"); when using matchers, arguments have provided matchers. example: //correct: somemethod(anyobject(), eq("string matcher")); at when( getprogramservice .callservice(any(getprogramtype.class))) .thenreturn(jaxbresponse); please explain error , possible resolution the code posted looks fine; don't see problem it. code before or above causing exception. key here: invalid use of argument matchers! 1 matchers expected, 2 recorded. any , used above, doesn't return "special kind of null" or "special kind of getprogramtype"; don't exist. instead, returns null , side effect puts matcher on stack. whe...
Read more

google shop client API returns 400 bad request error while adding an item -

i'm working on solution add items in google shopping market java application. following tutorial real mess because of missing classes of laste release, after setting 1.5-beta maven managed make base example typecheck correctly classes. still can make simple task of adding 1 item. instead of posting whole code i'm posting part creates product feed. private product createproduct(string id) { product product = new product(); product.title = "red wool sweater"; product.content = new content( "text", "comfortable , soft, sweater keep warm on " + "cold winter nights. red , blue stripes."); product.appcontrol = new appcontrol(); product.appcontrol.addrequireddestination("productads"); product.externalid = id; product.lang = "it"; product.country = "it"; product.condition = "nuovo"; product.price = new price("eu...
Read more