Question

I wrote a simple RMI application. I found out that the client, after getting the RMI registry, can successfully execute the Registry.unbind() method. This is, in my opinion, a security risk. Why is the client allowed to unbind the name in the remote registry? An evil person can do this with a modification of the code, and then all my other clients can't connect to my server because the binding was removed.

Is there a possibility to deny this, maybe in the Java policy?

Solution

This can only happen if the client is running on the same host as the Registry. If you are having security problems with your own clients, you have a much bigger problem than anything RMI can solve for you.

OTHER TIPS

From the Javadoc for Registry:

A Registry implementation may choose to restrict access to some or all of its methods (for example, methods that mutate the registry's bindings may be restricted to calls originating from the local host). If a Registry method chooses to deny access for a given invocation, its implementation may throw AccessException, which (because it extends RemoteException) will be wrapped in a ServerException when caught by a remote client.

You have the option of preventing this behavior if you so choose (it's actually the default behavior for most registry implementations).
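
How a client sees the behaviour described in the Javadoc quote, as an added example (not code from the question or from either answer): `tryUnbind` classifies an unbind attempt and treats a `ServerException` whose cause is an `AccessException` as a denial. The class name, the `Ping` service, the binding name and port 10990 are assumptions made for the demo; the registry is started in the same JVM, so the call here originates from the local host.

```java
import java.rmi.AccessException;
import java.rmi.NotBoundException;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.ServerException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;

public class UnbindAccessDemo {
    enum Outcome { REMOVED, DENIED, NOT_BOUND }

    // Hypothetical service, present only so there is something to bind.
    public interface Ping extends Remote { String ping() throws RemoteException; }
    static class PingImpl implements Ping { public String ping() { return "pong"; } }

    // Classify how the registry answered an unbind request.
    static Outcome tryUnbind(Registry registry, String name) throws RemoteException {
        try {
            registry.unbind(name);
            return Outcome.REMOVED;
        } catch (NotBoundException e) {
            return Outcome.NOT_BOUND;
        } catch (AccessException e) {
            return Outcome.DENIED;   // denial raised without a remote hop
        } catch (ServerException e) {
            // Remote callers get the registry's AccessException wrapped in ServerException.
            if (e.getCause() instanceof AccessException) return Outcome.DENIED;
            throw e;                 // some other server-side failure
        }
    }

    public static void main(String[] args) throws Exception {
        int port = 10990;            // constructed port for the demo
        Registry own = LocateRegistry.createRegistry(port);
        PingImpl impl = new PingImpl();
        own.rebind("ping", UnicastRemoteObject.exportObject(impl, 0));

        // Same lookup a client would do; here the caller is on the registry's host.
        Registry client = LocateRegistry.getRegistry("localhost", port);
        System.out.println("first unbind:  " + tryUnbind(client, "ping"));
        System.out.println("second unbind: " + tryUnbind(client, "ping"));
        UnicastRemoteObject.unexportObject(impl, true);
        UnicastRemoteObject.unexportObject(own, true);
    }
}
```

Pointing `getRegistry` at your own registry from a second machine is the way to confirm that it restricts mutating calls to the local host.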

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow