RMI & the security API

Geoffrey W. Corey (coreyg@atl.mindspring.com)
Fri, 27 Dec 1996 20:38:27 -0500

Date: Fri, 27 Dec 1996 20:38:27 -0500
From: "Geoffrey W. Corey" <coreyg@atl.mindspring.com>
To: java-security@java
Subject: RMI & the security API

Very confused on implementing object level security in an RMI
environment. I've read and implemented some basic RMI functionality and
I'm now evaluating how to integrate the security classes.

Specifically, the documentation on how one uses some of these
classes is lacking. What I'm trying to do is implement method level
security restrictions on an RMI object.

Example: I have an object CasinoPlayer with getter/setter methods for
name and chips. Now with RMI, I can't see any reason an application
couldn't roam the registry to see what objects are available and then
bind to them. So, I implement ACLs on the users and only specific
users can change the amount of chips of a CasinoPlayer.

Now this brings up the question of using Identity and Certificates.
After a lot of thought here is how I think a C/S system using these
items works. A user sends a userid/password via MessageDigest to a
logon server. The logon server validates the combination, generates a
key pair and returns the public key. The user generates a certificate
with the public key.

Later on in the system the user passes the certificate to the RMI method
setChips along with his identity. The CasinoPlayer validates the
certificate against the logon server and then checks the ACL for that
identity before changing any values.

Questions:
1) Is this correct?

1.A) If so, what is to keep some TCP/IP sniffer from lifting a valid
user's certificate and using it to access the setChips method?

2) Is there some sort of tutorial or example RMI application that deals
with the security API?

So far I've been very impressed with the APIs in 1.1 and enjoy the Java
Workshop very much (I spent months playing with other IDEs and they all
were a pain in the butt).

Thank you for your time,

-- Geoff Corey
----------------------------------------------------------
Email: coreyg@mindspring.com
----------------------------------------------------------
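
Added example, not part of the original message and not code from the Java security API documentation: question 1.A arises because a certificate is public data, so presenting it proves nothing about the caller. The sketch below has setChips check the ACL and then require a signature, made with the caller's private key, over a fresh single-use challenge. Only CasinoPlayer and setChips come from the post; newChallenge, payload, the "alice" user and the SHA256withRSA choice are assumptions, and a plain key map stands in for certificate validation against the logon server.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

// Added illustration: only CasinoPlayer and setChips come from the post; other names are hypothetical.
public class ReplayDemo {
    static class CasinoPlayer {
        final Map<String, PublicKey> keys = new HashMap<>(); // identity -> key vouched for by the logon server
        final Set<String> chipAcl = new HashSet<>();          // identities allowed to change chips
        final Set<String> openNonces = new HashSet<>();       // challenges issued, not yet consumed
        final SecureRandom rng = new SecureRandom();
        int chips;

        byte[] newChallenge() {                               // fresh, single-use value per call
            byte[] n = new byte[16];
            rng.nextBytes(n);
            openNonces.add(Base64.getEncoder().encodeToString(n));
            return n;
        }

        boolean setChips(String id, int amount, byte[] nonce, byte[] sig) throws GeneralSecurityException {
            PublicKey key = keys.get(id);
            if (key == null || !chipAcl.contains(id)) return false;   // ACL check on the identity
            if (!openNonces.remove(Base64.getEncoder().encodeToString(nonce))) return false; // replayed or unknown
            Signature v = Signature.getInstance("SHA256withRSA");
            v.initVerify(key);
            v.update(payload(id, amount, nonce));
            if (!v.verify(sig)) return false;                         // caller does not hold the private key
            chips = amount;
            return true;
        }
    }

    // The signed bytes bind identity, requested value and challenge together.
    static byte[] payload(String id, int amount, byte[] nonce) {
        return (id + "|" + amount + "|" + Base64.getEncoder().encodeToString(nonce)).getBytes(StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair alice = gen.generateKeyPair();                // constructed sample user
        CasinoPlayer player = new CasinoPlayer();
        player.keys.put("alice", alice.getPublic());
        player.chipAcl.add("alice");
        byte[] nonce = player.newChallenge();
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(alice.getPrivate());
        s.update(payload("alice", 500, nonce));
        byte[] sig = s.sign();
        System.out.println("first call:    " + player.setChips("alice", 500, nonce, sig));
        System.out.println("captured copy: " + player.setChips("alice", 500, nonce, sig));
    }
}
```

The second call resubmits exactly what a passive observer would have recorded and is refused because the challenge has already been consumed. This covers replay only; it does not hide the values on the wire.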