Must a security manager be installed on the client side even if the downloaded code consists of RMI stubs only?

Avi Kak

Sun's RMI "getting started" guide:

http://java.sun.com/products/jdk/1.2/docs/guide/rmi/getstart.doc.html

contains the following statement on page 6:

"A security manager is required in any JVM that needs to download code, and RMI clients need to download RMI stubs (as well as custom classes or interfaces needed to communicate with the RMI server)."

The quoted statement from the cited document is misleading. If the downloaded code on the client side consists of RMI stubs only, a security manager is not needed at all. In most RMI applications, the only reason for installing a security manager on the client side is to enable dynamic loading of classes by a client (and to then subject these classes to certain security restrictions).

There is a distinction to be made between a client's loading of RMI stubs from a server and a client's dynamic loading of other classes and interfaces. The stubs are transported over the TCP link that comes into existence when an exported remote server object receives a socket number from a client that has invoked the Naming.lookup() method for obtaining a reference to the server object from the server registry.

On the other hand, dynamic loading of classes and interfaces by a client takes place over another link, typically through the HTTP service provided by a server. It is the code that is transported over the latter link that is subject to the security restrictions of the installed security manager.

The following example illustrates the fact that no security manager need be installed in an RMI application anywhere if there is no dynamic loading of code by a client. The sayHello() method of the remote object on the server returns two different kinds of greetings, depending on whether the client invokes the sayHello() method with a Male argument or a Female argument.


/////  server and client file: Hello.java  //////

import java.rmi.*;

public interface Hello extends Remote {
    public String sayHello( Object obj ) throws RemoteException;
}



/////  server and client file: Male.java    //////

import java.io.*;

public class Male implements Serializable { }



/////  server and client file: Female.java   /////

import java.io.*;

public class Female implements Serializable { }



////////    server file: HelloImpl.java   ////////

import java.rmi.*;
import java.rmi.server.*;
import java.net.*;


public class HelloImpl extends UnicastRemoteObject implements Hello {

  public HelloImpl() throws RemoteException {}

  public String sayHello( Object obj ) 
  {
    String returnString = null;

    // Host name of the server; stays null if the lookup fails.
    String hostname =  null;
    try {
      hostname = InetAddress.getLocalHost().getHostName();
    }  catch( java.net.UnknownHostException un ) {}

    // Choose the greeting from the runtime type of the argument.
    // Any other type (or null) leaves returnString as null.
    if ( obj instanceof Male )
      returnString = "Good Day, Sir! Hello from Avi Kak at " + hostname;
    else if ( obj instanceof Female )
      returnString = "Good Day, Madam! Hello from Avi Kak at " + hostname;
    return returnString;
  }
}



///////////  server file: HelloServer.java   ////////////

import java.rmi.*;
import java.rmi.server.*;
import java.rmi.registry.*;

public class HelloServer {
  public static void main( String[]  args )
  {
    try {
      LocateRegistry.createRegistry( 1099 );        
      HelloImpl helloserver = new HelloImpl();
      Naming.rebind( "rmi://localhost/HelloServer", helloserver );
    } catch( Exception e ) { e.printStackTrace(); }
  }
}



/////////  server file: runserver.sh  ////////////

java  -Djava.rmi.server.logCalls=true  HelloServer



//////   client file: HelloClient.java  ///////

import java.rmi.*;

public class HelloClient {
  public static void main( String[] args )
  {
    try {
      Hello server = ( Hello ) Naming.lookup( "rmi://RVL4.ecn.purdue.edu/HelloServer" );
      System.out.println( server.sayHello( new Male() ) );
      System.out.println( server.sayHello( new Female() ) );
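    } 
    // Report lookup, connection and remote-call failures instead of hiding them.
    catch( Exception e ) { e.printStackTrace(); }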
  }
}



////////  client file:  runclient.bat  ///////////

java HelloClient
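
To confirm on a running client that nothing was downloaded, the following added example (not part of the original FAQ; `LoadOrigin` and its methods are hypothetical names) reports where an object's class was defined from, the codebase annotation RMI associates with it, and whether a security manager is installed. It assumes that a code source whose URL scheme is other than `file` or `jrt` means the class was fetched over the network.

```java
import java.net.URL;
import java.rmi.server.RMIClassLoader;
import java.security.CodeSource;

// Added example: LoadOrigin is a hypothetical helper, not part of the FAQ's code.
public class LoadOrigin {

    // True when the class was defined from a non-local code source (assumption:
    // any URL scheme other than file: or jrt: counts as downloaded).
    public static boolean isDownloaded(Class<?> c) {
        CodeSource src = c.getProtectionDomain().getCodeSource();
        URL loc = (src == null) ? null : src.getLocation();
        if (loc == null) return false;            // bootstrap class or generated proxy
        String scheme = loc.getProtocol();
        return !(scheme.equals("file") || scheme.equals("jrt"));
    }

    // Multi-line report for the class of obj.
    public static String describe(Object obj) {
        Class<?> c = obj.getClass();
        StringBuilder sb = new StringBuilder(c.getName());
        try {
            CodeSource src = c.getProtectionDomain().getCodeSource();
            sb.append("\n  code source  : ")
              .append(src == null ? "(bootstrap or generated class)"
                                  : String.valueOf(src.getLocation()));
            sb.append("\n  downloaded   : ").append(isDownloaded(c));
        } catch (SecurityException e) {
            // An installed security manager that does not grant
            // RuntimePermission("getProtectionDomain") ends up here.
            sb.append("\n  code source  : (denied by security manager)");
        }
        // Codebase string RMI would attach to this class when marshalling it;
        // null when no codebase applies.
        sb.append("\n  RMI codebase : ").append(RMIClassLoader.getClassAnnotation(c));
        // System.getSecurityManager() is deprecated in recent JDKs and compiles
        // there with a warning.
        sb.append("\n  security mgr : ").append(System.getSecurityManager() != null);
        return sb.toString();
    }

    public static void main(String[] args) {
        System.out.println(describe("a bootstrap class"));   // java.lang.String
        System.out.println(describe(new LoadOrigin()));      // class from the local class path
    }
}
```

Calling `LoadOrigin.describe( server )` on the reference returned by `Naming.lookup()` in HelloClient, and on the `Male` and `Female` arguments, shows the origin of each class involved in the example above.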
