3

I'm writing a client-server solution which is using Java RMI (via the Cajo project).

I want to make the server as secure as possible. I understand that by using Java reflection, a malicious client would be able to view all method names and field names inside any given object which has either been bound in the RMI registry or "proxied" from the server (in Cajo, a proxied item is an object that actually resides on the server but the client can reference it). However, would a malicious client be able to view any program logic, or modify any code on the server? Or what about viewing the actual contents of the fields?

Please assume that physical access to the server is not allowed and the only network access to the server is via the Cajo TCP port (1198).

Thanks

jtnire

2 Answers

2

RMI is based on proxy objects and serialisation.

  • Proxy objects: these only contain methods specified in an interface, all other methods and fields of the original Object do not exist within the proxy and can't be accessed via reflection. No attacks are possible since all methods are already public in the interface.

  • Serialised objects: are one-to-one copies of the server side values, all methods and fields can be accessed on the client, but changes to the client copy are not forwarded to the server since both copies are independent. An object with modified fields can still be used as argument of an RMI method, so validate your input on the server.

josefx
  • Excellent! So my fears from this link http://radio.javaranch.com/val/2004/05/18/1084891793000.html are unfounded as that example in that link doesn't use RMI - correct? – jtnire Nov 02 '10 at 08:59
  • @jtnire yes, that won't work with proxy objects since the proxy class only contains methods specified in the interface, private methods only exist on the server. So you only have to validate values passed from the client. – josefx Nov 02 '10 at 09:13
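
The proxy point from the answer above, as an added example that is not part of the original answer or of Cajo: it exports an object with plain `java.rmi`, reflects on the stub a client would hold, and shows the server-side argument check rejecting a bad value. The names `Account`, `AccountImpl`, `balanceCents` and `auditKey` are hypothetical.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.server.UnicastRemoteObject;
import java.util.Arrays;

public class StubReflectionDemo {
    // Hypothetical remote interface: the only surface the client receives.
    public interface Account extends Remote {
        void withdraw(long cents) throws RemoteException;
        long balance() throws RemoteException;
    }

    // Server-side implementation; its private state never leaves the server JVM.
    static class AccountImpl implements Account {
        private long balanceCents = 10_000;
        private final String auditKey = "server-only-secret"; // constructed value
        public void withdraw(long cents) {
            // Arguments arrive deserialised from the client, so validate them here.
            if (cents <= 0 || cents > balanceCents)
                throw new IllegalArgumentException("rejected amount: " + cents);
            balanceCents -= cents;
        }
        public long balance() { return balanceCents; }
    }

    public static void main(String[] args) throws Exception {
        AccountImpl impl = new AccountImpl();
        // Port 0 = anonymous port; the returned stub is what a client would hold.
        Account stub = (Account) UnicastRemoteObject.exportObject(impl, 0);
        try {
            Class<?> c = stub.getClass();
            System.out.println("stub class: " + c.getName());
            for (Field f : c.getDeclaredFields())
                System.out.println("  field:  " + f.getType().getSimpleName() + " " + f.getName());
            for (Method m : c.getDeclaredMethods())
                System.out.println("  method: " + m.getName());
            boolean leaks = Arrays.stream(c.getDeclaredFields())
                    .anyMatch(f -> f.getName().equals("auditKey") || f.getName().equals("balanceCents"));
            System.out.println("implementation fields visible on stub: " + leaks);
            try { stub.withdraw(-500); }   // out-of-range argument sent through the stub
            catch (Exception e) { System.out.println("server rejected: " + e.getMessage()); }
            System.out.println("balance after attempt: " + stub.balance());
        } finally {
            UnicastRemoteObject.unexportObject(impl, true);
        }
    }
}
```

The stub's declared fields are only the proxy's own `Method` handles, and the balance is unchanged after the rejected call.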
0

I understand that by using Java reflection, a malicious client would be able to view all method names and field names inside any given object which has either been bound in the RMI registry or "proxied" from the server

Correct. However what are those fields? Just an IP address:port and some magic numbers for the methods being proxied. Nothing to worry about there, there's nothing being exposed that the client can't already use by normal means.

However, would a malicious client be able to view any program logic, or modify any code on the server?

No. It doesn't have any access to the server other than via the proxy. It can't see the actual remote object implementations at all.

Or what about viewing the actual contents of the fields?

No, for the same reason.

user207421
  • I guess the fields aren't really anything too important. However if I marked them as "transient", would that solve my "problem"? – jtnire Nov 02 '10 at 08:40
  • Also, what makes you sure that you can't view the contents of the fields? Please see here: http://radio.javaranch.com/val/2004/05/18/1084891793000.html – jtnire Nov 02 '10 at 08:41
  • Because the client doesn't *have* the server object to reflect on. He only has the proxy object. Making things transient doesn't change their visibility to reflection, and trying to hide things that are already inaccessible is just wasting time. – user207421 Nov 02 '10 at 23:11