RMI Server Code Modification Prevention

I am writing a client-server solution using Java RMI (through a Cajo project).

I want to make the server as secure as possible. I understand that using Java reflection, a malicious client will be able to view all method names and field names inside any object that has either been linked in the RMI registry or a "proxy" from the server (in Cajo, the proxy element is the object that is actually located on the server, but the client can refer to it). However, can a malicious client view any program logic or modify any code on the server? Or how about viewing the actual contents of the fields?

Assume that physical access to the server is not allowed, and the only access to the network through the server is through the Cajo TCP port (1198).

Thanks.

+3
2 answers

RMI is based on proxy objects and serialization.

  • Proxy objects: they contain only the methods specified in the interface, all other methods and fields of the source object do not exist in the proxy and cannot be accessed through reflection. No attacks are possible, since all methods are already available in the interface.

  • Serialized objects: this is a one-to-one copy of the values on the server side; all methods and fields can be accessed on the client, but changes to the client copy are not propagated to the server, since both copies are independent. An object with modified fields can still be used as an argument to an RMI method, so validate your input on the server.

+2
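The two points of this answer, as an added example that is not part of the original post: the stub handed to clients exposes only the methods of the remote interface, while the serializable argument arrives as an independent copy whose fields the client controls, so the server validates every field itself. It assumes plain `java.rmi` rather than Cajo's wrapper, and `AccountService`, `TransferRequest` and the account-id format are hypothetical.

```java
import java.io.Serializable;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.server.UnicastRemoteObject;
import java.util.concurrent.ConcurrentHashMap;

public class RmiValidationExample {

    // Serializable argument: the client deserializes its own copy and may set
    // any field before the call, so none of these values can be trusted.
    public static class TransferRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        public String fromAccount;
        public String toAccount;
        public long amountCents;
    }

    // Remote interface: the stub the client obtains exposes only this method.
    // Fields and helper methods of the implementation are not reachable through it.
    public interface AccountService extends Remote {
        void transfer(TransferRequest req) throws RemoteException;
    }

    public static class AccountServiceImpl extends UnicastRemoteObject implements AccountService {
        private static final long serialVersionUID = 1L;
        // Balances live only on the server; a client never holds a copy of this map.
        private final ConcurrentHashMap<String, Long> balances = new ConcurrentHashMap<>();

        protected AccountServiceImpl() throws RemoteException { super(); }

        @Override
        public synchronized void transfer(TransferRequest req) throws RemoteException {
            // Server-side validation of every field of the client-supplied copy
            // (hypothetical account-id format: 8 upper-case alphanumerics).
            if (req == null || req.fromAccount == null || req.toAccount == null)
                throw new RemoteException("missing fields");
            if (!req.fromAccount.matches("[A-Z0-9]{8}") || !req.toAccount.matches("[A-Z0-9]{8}"))
                throw new RemoteException("malformed account id");
            if (req.amountCents <= 0)
                throw new RemoteException("amount must be positive");
            Long from = balances.get(req.fromAccount);
            if (from == null || !balances.containsKey(req.toAccount))
                throw new RemoteException("unknown account");
            if (from < req.amountCents)
                throw new RemoteException("insufficient funds");
            balances.merge(req.fromAccount, -req.amountCents, Long::sum);
            balances.merge(req.toAccount, req.amountCents, Long::sum);
        }
    }
}
```

Whatever the client changes in its local `TransferRequest` only reaches the server as method arguments, which is why the checks sit in `transfer` and not in the argument class.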


Source: https://habr.com/ru/post/1772606/
