Monday, 18 May 2015

Java SE/EE: JNDI/RMI security issue

I want to develop a client-server application with authorization and authentication, as security is very important for this application. The connection between server and client is via RMI. Passwords and logins are kept in a database and can be changed dynamically. Because of this I decided to use Shiro instead of JAAS, as JAAS doesn't support dynamic passwords/logins.

The client is a standalone Java client. For the server I chose GlassFish 4 (Java EE). OK, I connected to GlassFish using SSL. But what confuses me is that on the client side I get the whole JNDI registry via InitialContext. That's bad, as the client gets access to all of the server's JNDI when the client must have access only to 2-3 EJBs. Having googled, I found two ways to protect it:

  1. to use mutual SSL certificate authorization - it's bad as it is not dynamic and these certificates expire.
  2. to connect to the server using a JAAS password/login (I've not tested it on GF4).

However, both variants give all JNDI to the client, which is not acceptable. I found another solution - to make a custom RMI server on GlassFish, which gives me lower-level access control and more flexibility. However, consider the following code from here:

package example.hello;

import java.rmi.registry.Registry;
import java.rmi.registry.LocateRegistry;
import java.rmi.RemoteException;
import java.rmi.server.UnicastRemoteObject;

// Hello is the tutorial's remote interface, defined in its own file:
// it extends java.rmi.Remote and declares String sayHello() throws RemoteException.
public class Server implements Hello {

    public Server() {}

    public String sayHello() {
        return "Hello, world!";
    }

    public static void main(String args[]) {

        try {
            Server obj = new Server();
            // Export on an anonymous port; the returned stub is what clients invoke
            Hello stub = (Hello) UnicastRemoteObject.exportObject(obj, 0);

            // Bind the remote object's stub in the registry: getRegistry() with no
            // arguments returns a reference to the registry on localhost:1099, which
            // must already be running (e.g. started with the rmiregistry tool)
            Registry registry = LocateRegistry.getRegistry();
            registry.bind("Hello", stub);

            System.err.println("Server ready");
        } catch (Exception e) {
            System.err.println("Server exception: " + e.toString());
            e.printStackTrace();
        }
    }
}

This line, Registry registry = LocateRegistry.getRegistry();, confuses me, because I want to implement this RMI server in GlassFish and this registry is global - it's not linked only with MY server implementation. And this means the client again gets access to all JNDI?

Please correct me if I am wrong and point out which direction I should move in.
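The custom-RMI-server route the post is weighing, as an added example that is not the post's or Oracle's code: instead of binding into the shared registry from LocateRegistry.getRegistry(), the server creates its own registry and binds a single gatekeeper object, which hands out a service stub only after the caller authenticates. The Hello and Gate interfaces, port 1199 and the in-memory credential map are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Map;
// Assumed remote interfaces (not from the original post).
interface Hello extends Remote {
    String sayHello() throws RemoteException;
}
interface Gate extends Remote {
    // The only name the registry exposes: a login that hands out stubs after authentication.
    Hello login(String user, char[] password) throws RemoteException;
}
public class GatedServer implements Gate {
    static class HelloImpl implements Hello {
        public String sayHello() { return "Hello, world!"; }
    }
    private final Hello helloStub;
    // Constructed placeholder store; a real server delegates this check to the
    // database-backed realm (e.g. Shiro) so logins and passwords stay dynamic.
    private final Map<String, byte[]> credentials;
    GatedServer(Hello helloStub, Map<String, byte[]> credentials) {
        this.helloStub = helloStub;
        this.credentials = credentials;
    }
    public Hello login(String user, char[] password) throws RemoteException {
        byte[] expected = credentials.get(user);
        byte[] given = new String(password).getBytes(StandardCharsets.UTF_8);
        // Constant-time compare; unknown user and wrong password produce the same error.
        if (expected == null || !MessageDigest.isEqual(expected, given)) {
            throw new RemoteException("authentication failed");
        }
        return helloStub; // never bound in the registry, so registry.list() cannot reveal it
    }
    public static void main(String[] args) throws Exception {
        Hello hello = (Hello) UnicastRemoteObject.exportObject(new HelloImpl(), 0);
        Map<String, byte[]> store = Collections.singletonMap("alice",
                "s3cret".getBytes(StandardCharsets.UTF_8));
        Gate gate = (Gate) UnicastRemoteObject.exportObject(new GatedServer(hello, store), 0);
        // A private registry owned by this server on an arbitrary port of its own (1199),
        // instead of the shared one returned by LocateRegistry.getRegistry().
        Registry registry = LocateRegistry.createRegistry(1199);
        registry.rebind("Gate", gate);
    }
}
```

An object exported with UnicastRemoteObject.exportObject but never bound does not appear in registry.list(), which is what keeps the client's view down to the single "Gate" name; the transport still needs the SSL socket factories the post already relies on, and a JEP 290 serialization filter on the registry and exported objects is worth adding as well.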
