Securing Java RMI Implementation over SSL for Web Services

B. Soh and U. Hassan (Australia)


Secure Web Services


Java RMI by default does not support authenticated and encrypted transport. That is, objects sent over the network are not encrypted. A firewall can be used to secure a Java RMI application. Here, the firewall must allow access to specifically known ports. That is, these ports cannot be denied access by the firewall. SOCKS provides a partial solution to the use of RMI through firewalls in that it protects outgoing RMI calls, but incoming RMI calls as well as RMI call-backs are not protected. This may be overcome by using bi-directional RMI implementation through the firewalls. However, it requires the use of specific settings that can relax the security or application level proxy servers, thus increasing the administrative overheads. Also, changing the security policy to allow bi directional RMI traffic should only be done with extreme care. A better solution towards securing RMI is by means of supporting authenticated and encrypted transport, so that a network attacker cannot alter data on communication. This can be achieved by running RMI on SSL.

Important Links:

Go Back