RMI: remote call or local call

Buu Nguyen

Hi everyone,

I have an RMI application in which data must be secured. I do as
follows: the first time a client connects to a server, it receives a unique
key which serves as an identifier, which is to be passed into every
remote call to the server, so that the server can distinguish it from
other clients and give it appropriate permissions. Great, right! The
problem is that if the call is not remote, i.e. server objects call
each other, then I have to pass a fake key (as it is a server object,
not a client, and thus has no key) and the security is checked on that fake
key! I want to know if there is any way to distinguish whether the
current method is called by a client object or another server object.

Thanks for any suggestions!

Nguyen
 
Nigel Wade

Why not have the server register in the same (or similar) way as the
clients, and receive a valid key? Also, the server should listen on the
loopback address (127.0.0.1); it can connect to itself using that, and then
you can verify that the calling host is 127.0.0.1. Or, you could provide
an alternative registration call for the server which ignored any host
other than 127.0.0.1.
 
Esmond Pitt

Just call RemoteServer.clientHost(). If it returns, the call is remote;
if it throws an exception, it is a local call.
 
Buu Nguyen

Thanks guys, though I still have some issues:

Nigel, checking by IP is not secure, as I am afraid (but not sure!!!)
that a malicious client can fake the IP, say to be 127.0.0.1, and then
act as a server object.

Esmond, I have searched the API and found no such method. The
RemoteServer only exposes methods like getClientHost(), which returns the
IP of the calling host.

Thanks!
 
Nigel Wade

Whilst it's remotely possible that your server *might* receive
a packet from another system with the source IP set to 127.0.0.1 the
reply should never get back to it unless your routing table is severely
broken. Thus it would be impossible to establish a TCP connection (which
requires a 3-way handshake).
 
Esmond Pitt

Buu said:
Esmond, I have searched the API and found no such method. The
RemoteServer only exposes methods like getClientHost(), which returns the
IP of the calling host.

Yes, that's the one I meant.
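
The check discussed in this thread, as an added example that is not part of the original posts: RemoteServer.getClientHost() throws ServerNotActiveException when the current thread is not servicing a remote call, so the key is enforced only for calls that arrive through the RMI transport. The class names, the Account interface and the key value are hypothetical and constructed for illustration.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.server.RemoteServer;
import java.rmi.server.ServerNotActiveException;
import java.rmi.server.UnicastRemoteObject;

public class CallOriginDemo {
    // Hypothetical remote interface for this example.
    public interface Account extends Remote {
        String read(String clientKey) throws RemoteException;
    }

    public static class AccountImpl implements Account {
        private static final String ISSUED_KEY = "constructed-sample-key"; // constructed value

        public String read(String clientKey) {
            String origin = callOrigin();
            // Remote callers must present an issued key; direct in-JVM callers need none.
            if (!origin.equals("local") && !ISSUED_KEY.equals(clientKey)) {
                throw new SecurityException("invalid key from " + origin);
            }
            return origin;
        }

        // getClientHost() only succeeds on a thread that is servicing a remote call.
        static String callOrigin() {
            try {
                return "remote:" + RemoteServer.getClientHost();
            } catch (ServerNotActiveException e) {
                return "local";
            }
        }
    }

    public static void main(String[] args) throws Exception {
        AccountImpl impl = new AccountImpl();
        // Export on an anonymous port; calls through the returned stub use the RMI transport.
        Account stub = (Account) UnicastRemoteObject.exportObject(impl, 0);
        try {
            System.out.println("direct call, no key : " + impl.read(null));
            System.out.println("stub call, good key : " + stub.read("constructed-sample-key"));
            try {
                stub.read("fake");
            } catch (SecurityException e) {
                System.out.println("stub call, bad key  : rejected, " + e.getMessage());
            }
        } finally {
            UnicastRemoteObject.unexportObject(impl, true);
        }
    }
}
```

The result is tied to the calling thread: if a remote method invoked by a client calls another server object directly, getClientHost() inside that second object still reports the client's host, so the nested call is treated as remote and still needs the client's key.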
 
