RMI: remote call or local call

Discussion in 'Java' started by Buu Nguyen, Sep 9, 2004.

  1. Buu Nguyen

    Buu Nguyen Guest

    Hi everyone,

    I have an RMI application in which data must be secured. I do as
    follows: the first time a client connects to a server, it receives a unique
    key which serves as an identifier, which is to be passed into every
    remote call to the server, so that the server can distinguish it from
    other clients and give it appropriate permissions. Great, rite! The
    problem is that if the call is not remote, i.e. server objects call
    each other, then I have to pass a fake key (as it is a server object,
    not a client, and thus has no key) and the security is checked on that fake
    key! I want to know if there is any way to distinguish whether the
    current method is called by a client object or another server object.

    Thanks for any suggestions!

    Nguyen
    Buu Nguyen, Sep 9, 2004
    #1

  2. Buu Nguyen

    Nigel Wade Guest

    On Thu, 09 Sep 2004 03:51:46 -0700, Buu Nguyen wrote:

    > Hi everyone,
    >
    > I have an RMI application in which data must be secured. I do as
    > follows: the first time a client connects to a server, it receives a unique
    > key which serves as an identifier, which is to be passed into every
    > remote call to the server, so that the server can distinguish it from
    > other clients and give it appropriate permissions. Great, rite! The
    > problem is that if the call is not remote, i.e. server objects call
    > each other, then I have to pass a fake key (as it is a server object,
    > not a client, and thus has no key) and the security is checked on that fake
    > key! I want to know if there is any way to distinguish whether the
    > current method is called by a client object or another server object.


    Why not have the server register in the same (or similar) way as the
    clients, and receive a valid key? Also, the server should listen on the
    loopback address (127.0.0.1); it can connect to itself using that, then you
    can verify that the calling host is 127.0.0.1. Or, you could provide
    an alternative registration call for the server which ignored any host
    other than 127.0.0.1.

    --
    Nigel Wade, System Administrator, Space Plasma Physics Group,
    University of Leicester, Leicester, LE1 7RH, UK
    E-mail :
    Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555
    Nigel Wade, Sep 10, 2004
    #2

  3. Buu Nguyen

    Esmond Pitt Guest

    Nigel Wade wrote:
    > On Thu, 09 Sep 2004 03:51:46 -0700, Buu Nguyen wrote:
    >
    >
    >>Hi everyone,
    >>
    >>I have an RMI application in which data must be secured. I do as
    >>follows: the first time a client connects to a server, it receives a unique
    >>key which serves as an identifier, which is to be passed into every
    >>remote call to the server, so that the server can distinguish it from
    >>other clients and give it appropriate permissions. Great, rite! The
    >>problem is that if the call is not remote, i.e. server objects call
    >>each other, then I have to pass a fake key (as it is a server object,
    >>not a client, and thus has no key) and the security is checked on that fake
    >>key! I want to know if there is any way to distinguish whether the
    >>current method is called by a client object or another server object.


    Just call RemoteServer.clientHost(). If it returns, the call is remote;
    if it throws an exception, it is a local call.
    Esmond Pitt, Sep 13, 2004
    #3
  4. Buu Nguyen

    Buu Nguyen Guest

    Thanks guys, though I still have some issues:

    Nigel, checking by IP is not secure, as I am afraid (but not sure!!!)
    that a malicious client can fake the IP, say to be 127.0.0.1, and then
    act as a server object.

    Esmond, I have searched the API and found no such method? The
    RemoteServer only exposes methods like getClientHost(), which returns the
    IP of the calling host.

    Thanks!
    Buu Nguyen, Sep 14, 2004
    #4
  5. Buu Nguyen

    Nigel Wade Guest

    On Tue, 14 Sep 2004 01:42:10 -0700, Buu Nguyen wrote:

    > Thanks guys, though I still have some issues:
    >
    > Nigel, checking by IP is not secure, as I am afraid (but not sure!!!)
    > that a malicious client can fake the IP, say to be 127.0.0.1, and then
    > act as a server object.


    Whilst it's remotely possible that your server *might* receive
    a packet from another system with the source IP set to 127.0.0.1 the
    reply should never get back to it unless your routing table is severely
    broken. Thus it would be impossible to establish a TCP connection (which
    requires a 3-way handshake).


    --
    Nigel Wade, System Administrator, Space Plasma Physics Group,
    University of Leicester, Leicester, LE1 7RH, UK
    E-mail :
    Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555
    Nigel Wade, Sep 14, 2004
    #5
  6. Buu Nguyen

    Esmond Pitt Guest

    Buu Nguyen wrote:
    >
    > Esmond, I have searched the API and found no such method? The
    > RemoteServer only exposes methods like getClientHost(), which returns the
    > IP of the calling host.


    Yes, that's the one I meant.
    Esmond Pitt, Sep 17, 2004
    #6
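
The check described in posts #3 and #6, as an added example that is not part of the original thread: `RemoteServer.getClientHost()` returns the caller's host while the current thread is servicing an RMI invocation and throws `ServerNotActiveException` otherwise. The `Account` interface, the class names and the sample key are hypothetical, constructed for this illustration.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.server.RemoteServer;
import java.rmi.server.ServerNotActiveException;
import java.rmi.server.UnicastRemoteObject;

public class CallOriginDemo {
    // Hypothetical remote interface, invented for this example.
    public interface Account extends Remote {
        String balance(String clientKey) throws RemoteException;
    }

    static class AccountImpl implements Account {
        private static final String ISSUED_KEY = "constructed-sample-key"; // constructed value

        // Host of the RMI caller, or null when this thread is not servicing a remote
        // invocation (a direct in-JVM call, or work handed off to another thread).
        static String remoteCallerOrNull() {
            try {
                return RemoteServer.getClientHost();
            } catch (ServerNotActiveException e) {
                return null;
            }
        }

        @Override
        public String balance(String clientKey) {
            String host = remoteCallerOrNull();
            if (host == null) {
                return "local call: no key required";
            }
            if (!ISSUED_KEY.equals(clientKey)) {
                throw new SecurityException("bad key from " + host);
            }
            return "remote call from " + host + ": key accepted";
        }
    }

    public static void main(String[] args) throws Exception {
        AccountImpl impl = new AccountImpl();
        // Export on an anonymous port; calls through the stub travel over TCP.
        Account stub = (Account) UnicastRemoteObject.exportObject(impl, 0);
        System.out.println(impl.balance(null));                     // direct call
        System.out.println(stub.balance("constructed-sample-key")); // via RMI
        UnicastRemoteObject.unexportObject(impl, true);
    }
}
```

A server object that reaches another server object through its stub rather than a direct reference is seen as a remote caller by this check, so it still needs a valid key on that path.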