RMI Security

Buu Nguyen

Hi everyone,

Our company is developing a distributed RMI application for a
hospital. In this app, the permissions of accessing remote services
depend on the role of the user. Currently, we are thinking of putting
the security check on the GUI, i.e. if the user cannot perform a
delete action then the delete button is disabled however there are 2
issues regarding this (???):

-We wonder if it is possible for a program to change the state of a
control (i.e. enable a button) of the Java GUI?

-Secondly, what if someone just writes another client app, retrieving
the services from the registry and invoking their methods?

Are the 2 actions possible?
-If no, then is it true that we can go on with the client security
check only or there is other threat besides the above?
-If yes, then we have to perform another check on the server-side,
i.e. place in every single remote method a security check against the
user passed in the method as well (as an additional parameter)? Or is
there any better way to do this kind of server check?

We are looking forward to any ideas and suggestions!

Thank you!
 
Matt Humphrey

Buu Nguyen said:
Hi everyone,

Our company is developing a distributed RMI application for a
hospital. In this app, the permissions of accessing remote services
depend on the role of the user. Currently, we are thinking of putting
the security check on the GUI, i.e. if the user cannot perform a
delete action then the delete button is disabled however there are 2
issues regarding this (???):

-We wonder if it is possible for a program to change the state of a
control (i.e. enable a button) of the Java GUI?

-Secondly, what if someone just writes another client app, retrieving
the services from the registry and invoking their methods?

This is the key security issue and why you shouldn't rely on the GUI to do
security for you. Anyone that can connect to your server may make up any
data they choose and do whatever they please unless you make the server
perform authentication and permission checking. If security is critical to
your application you're going to have to design a real security presentation
mechanism through your RMI protocol that your GUI can link into it and know
in advance (for the user's sake) what actions are permitted and which are
not. Even if you make this very simple, in the worst case, the user will
simply get an access violation dialog without causing any damage or
otherwise crashing the program.

Cheers,
Matt Humphrey (e-mail address removed) http://www.iviz.com/
 
Buu Nguyen

Matt Humphrey said:
This is the key security issue and why you shouldn't rely on the GUI to do
security for you. Anyone that can connect to your server may make up any
data they choose and do whatever they please unless you make the server
perform authentication and permission checking. If security is critical to
your application you're going to have to design a real security presentation
mechanism through your RMI protocol that your GUI can link into it and know
in advance (for the user's sake) what actions are permitted and which are
not. Even if you make this very simple, in the worst case, the user will
simply get an access violation dialog without causing any damage or
otherwise crashing the program.

Cheers,
Matt Humphrey (e-mail address removed) http://www.iviz.com/


Can you suggest a way to do it efficiently? For our case, we're gonna
place an assertion of permission in every remote method call and it seems
to be cumbersome, thus we expect something like a filter (like one of
the Servlet Container) that can be plugged into RMI to assert
permission of a caller before forwarding it to the appropriate function
call. Is it possible?
 
Matt Humphrey

Buu Nguyen said:
Can you suggest a way to do it efficiently? For our case, we're gonna
place an assertion of permission in every remote method call and it seems
to be cumbersome, thus we expect something like a filter (like one of
the Servlet Container) that can be plugged into RMI to assert
permission of a caller before forwarding it to the appropriate function
call. Is it possible?

I don't regularly work with RMI so I'm not aware of what tools are
available. However, I would find it hard to believe that testing
permissions for every client-to-server method invocation would introduce
more latency than either the network access or the database access. I would
expect access to be managed from a small precomputed table cached in memory
based on a simple role or set of permissions (or possibly a ticket system
where permissions are computed during sign-on and the user session (on the
client) is given a ticket--long random number that re-indexes the
permissions on the server). I don't think there's a general design that
could be applied here without knowing the details of your application. At
this point, knowing that you must validate requests on the server should
guide your architecture and design process.

Good luck,
Matt Humphrey (e-mail address removed) http://www.iviz.com/
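
One way to combine the filter asked about above with the cached ticket table described in the reply, as an added example that is not code from the thread: a java.lang.reflect.Proxy wraps the service so a single handler checks the caller's ticket before any method runs. PatientService, the role table and the ticket-as-first-argument convention are assumptions made for illustration; authentication and exporting the proxy over RMI are not shown.

```java
import java.lang.reflect.*;
import java.security.SecureRandom;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

public class TicketGuardDemo {
    // Hypothetical service; a real RMI interface extends java.rmi.Remote (methods throw RemoteException).
    public interface PatientService {
        String readRecord(String ticket, int patientId);
        String deleteRecord(String ticket, int patientId);
    }
    static class PatientServiceImpl implements PatientService {
        public String readRecord(String ticket, int id) { return "record-" + id; }
        public String deleteRecord(String ticket, int id) { return "deleted-" + id; }
    }

    // Constructed role table; SESSIONS caches ticket -> permitted method names in memory.
    static final Map<String, Set<String>> ROLE_PERMS = Map.of(
        "nurse", Set.of("readRecord"), "admin", Set.of("readRecord", "deleteRecord"));
    static final Map<String, Set<String>> SESSIONS = new ConcurrentHashMap<>();

    // Called after authentication (not shown): permissions are computed once, at sign-on.
    static String signOn(String role) {
        byte[] raw = new byte[16];
        new SecureRandom().nextBytes(raw);
        String ticket = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        SESSIONS.put(ticket, ROLE_PERMS.getOrDefault(role, Set.of()));
        return ticket;
    }

    // The "filter": every call on the interface passes through this one server-side check.
    static <T> T guard(T impl, Class<T> iface) {
        InvocationHandler h = (proxy, method, args) -> {
            if (method.getDeclaringClass() == Object.class) return method.invoke(impl, args);
            Object t = (args != null && args.length > 0) ? args[0] : null;
            Set<String> allowed = (t instanceof String) ? SESSIONS.get(t) : null;
            if (allowed == null || !allowed.contains(method.getName()))
                throw new SecurityException("access denied: " + method.getName());
            try { return method.invoke(impl, args); }
            catch (InvocationTargetException e) { throw e.getCause(); }
        };
        return iface.cast(Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[] {iface}, h));
    }

    public static void main(String[] argv) {
        PatientService svc = guard(new PatientServiceImpl(), PatientService.class);
        String nurse = signOn("nurse");
        System.out.println(svc.readRecord(nurse, 7));
        for (String t : new String[] {nurse, "forged-ticket"}) {  // wrong role, then unknown ticket
            try { svc.deleteRecord(t, 7); } catch (SecurityException e) { System.out.println(e.getMessage()); }
        }
    }
}
```

The GUI can still grey out buttons from the same permission set, but the decision that counts is the one made in the handler on the server.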
 
Buu Nguyen

Thank you Matt, caching the permission set seems to be a good idea,
compared to relying on the database to perform that.

Again thank you!

Nguyen
 
