[HELP] RMI & Java security (too secure!)

Lorenzo

[cross-posted on comp.lang.java]
[cross-posted on comp.lang.java.security]

hi you all,
first of all apologies for having cross-posted this message but really
i did not know where to post it. please let me know what ng you
consider the most suitable for the described issue.

i wrote a program made by a client and a server that communicate via
RMI

premise 1) everything has been developed and executed on WinXP
Professional and the following jre

java version "1.4.2_02"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_02-b03)
Java HotSpot(TM) Client VM (build 1.4.2_02-b03, mixed mode)


premise 2) the registration on the RMI registry is all inside the
program (ie: i don't use rmiregistry app)


here are the two main problems i can't handle:

1 (server unaffected by local server.policy file) - i launch the
server with the following command:

java my.path.server server.properties

problem: whether i specify a proper server.policy with
-Djava.security.policy or i launch only the command above what happens
is that the server FAILS TO REGISTER ON THE RMI REGISTRY IF I DON'T
ADD THE FOLLOWING TWO LINES IN THE /lib/security/java.policy of the
jre.

grant {
    permission java.net.SocketPermission "*:1024-65535", "connect, accept, resolve";
    permission java.net.SocketPermission "localhost:1024-65535", "connect, accept, resolve";
};

question: is it correct or should it work only passing onto it the
ad-hoc server.policy containing the above two lines? what's going on?

anyway, once the server has been correctly registered modifying the
jre java.policy, i start the client

java my.path.client client.properties
-Djava.security.policy=client.policy

and everything works perfectly (on XP professional).


2 (problems with win2k server and win2003 server) - the exact same
thing brought onto the two server machines does not work.

in any case, whatever the security configuration, the client ALWAYS
FAILS TO CONNECT TO THE SERVER with the following exception:

java.rmi.ConnectException: Connection refused to host: 10.0.0.66;
nested exception is: java.net.ConnectException: Connection refused:
connect

differently, if the server is launched on my XP and the client on one
of the two servers, it works.

to sum it up, if the server is on a win server machine in no way can i
connect to it (at least i could not manage to).

is there something to be set properly on those machines?
are the ports above the 1024 in some way locked? (on RMI i use the
4100)

i hope it is all more or less clear enough and (above all) that
someone would be able to help me.

i ran short of ideas.

ciao and have a nice day,
l
 
perry

there are two ways to solve this problem...

one is to find a quick fix somewhere off the Internet

the other is to take a day out and spend it with a good book on Java
Security (and then perhaps another on Java RMI)... there are so many
quality books out there, a simple search on amazon or a trip to your
local computer book store is well worth the effort

- perry
 
Nigel Wade

Lorenzo said:
in any case, whatever the security configuration, the client ALWAYS
FAILS TO CONNECT TO THE SERVER with the following exception:

java.rmi.ConnectException: Connection refused to host: 10.0.0.66;
nested exception is: java.net.ConnectException: Connection refused:
connect

I don't think that message has anything to do with Java security. I think
it's caused by TCP/IP failing to connect to the requested port. "Connection
refused" is normally generated when a client attempts to connect to a port
on a server and the server isn't listening on that port. Can you verify that
the RMI server is really up and listening on the port you think it is (I
don't know Windows well enough to suggest any diagnostic tools).

It might also be a firewall getting in the way. Do you have any sort of
firewall protecting the W2k/W3k servers which might be blocking the RMI
registry port?
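
The check suggested in the reply above, as an added example that is not part of the original thread: a small Java probe that resolves the server name, tries a TCP connect to each resulting address, and separates "refused" from "no answer". The class name `RmiPortProbe` is hypothetical, the default host and port are the values quoted in the thread, and the code assumes Java 7 or later (newer than the 1.4.2 JRE in the question).

```java
import java.io.IOException;
import java.net.ConnectException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.SocketTimeoutException;
import java.net.UnknownHostException;

/** Added diagnostic example: classifies why a TCP connect to an RMI port fails. */
public class RmiPortProbe {

    enum Result { OPEN, REFUSED, FILTERED, UNRESOLVED, OTHER }

    /** Try one TCP connect to addr:port and classify the outcome. */
    static Result probe(InetAddress addr, int port, int timeoutMs) {
        try (Socket s = new Socket()) {
            s.connect(new InetSocketAddress(addr, port), timeoutMs);
            return Result.OPEN;      // something accepted the connection
        } catch (ConnectException e) {
            return Result.REFUSED;   // reset received: nothing listening there,
                                     // or a firewall that actively rejects
        } catch (SocketTimeoutException e) {
            return Result.FILTERED;  // no answer at all: packets are probably
                                     // being dropped by a firewall
        } catch (IOException e) {
            return Result.OTHER;     // e.g. no route to host
        }
    }

    public static void main(String[] args) {
        // Defaults are the values quoted in the thread; pass host and port to override.
        String host = args.length > 0 ? args[0] : "10.0.0.66";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 4100;
        try {
            // A name can resolve to several addresses; probe each one so that a
            // name pointing somewhere other than the listening interface shows up.
            for (InetAddress addr : InetAddress.getAllByName(host)) {
                System.out.printf("%s -> %s:%d %s%n",
                        host, addr.getHostAddress(), port, probe(addr, port, 3000));
            }
        } catch (UnknownHostException e) {
            System.out.printf("%s %s%n", host, Result.UNRESOLVED);
        }
    }
}
```

Running it once with the server's name and once with its IP address, from the client machine, shows whether the two resolve to the same endpoint and whether that endpoint answers.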
 
Lorenzo

perry said:
there are two ways to solve this problem...

one is to find a quick fix somewhere off the Internet

the other is to take a day out and spend it with a good book on Java
Security (and then perhaps another on Java RMI)... there are so many
quality books out there, a simple search on amazon or a trip to your
local computer book store is well worth the effort

yes, i've done both things. then i used sysinternals tcpview to find
out it was a matter of domain resolving.

watch out for this.
i learnt that in the java policy file is much better to specify IP
addresses rather than names, they can be resolved differently than you
expect.
was it a known issue?

now it works, even if machines belong to different domains.
thanx for the answer,
l
 
Nigel Wade

Lorenzo said:
i used sysinternals tcpview to find
out it was a matter of domain resolving.

watch out for this.
i learnt that in the java policy file is much better to specify IP
addresses rather than names, they can be resolved differently than you
expect.
was it a known issue?

Name resolution is done by the OS, not Java. I would guess the problem is
Active Directory and dynamic DNS.
 
