Java RMI authentication & security. exportObject makes it public?


Problem description

Question:

When you call UnicastRemoteObject.exportObject(instance), does that instance now become publicly available to all clients, even if a little trickery is required to find its port?

The situation is this:

I have a Java RMI client/server setup and I wanted to add some authentication, allowing the client to use a user/pass combo before any of the other RPC calls work.

I found a simple suggestion online that looked like a good idea at first.

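import java.rmi.Remote;
import java.rmi.RemoteException;

// A remote interface extends Remote (interfaces cannot use "implements").
interface LoginService extends Remote {
  public MainService login(String username, char[] password) throws RemoteException;
}

interface MainService extends Remote {
  /* all my real rpc calls go here; each must declare throws RemoteException */
}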

The idea is to create a remote object to embody the post-authenticated access to RPC, and access it through a first tier that does the authentication.

LoginServiceImpl.login() would have to look something like this:

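public MainService login(String username, char[] password) throws RemoteException {
  /* verify username and password */
  MainService service = new MainServiceImpl();
  // exportObject(Remote, int) returns Remote, so the stub must be cast.
  // Port 0 exports the object on an anonymous port.
  MainService stub = (MainService) UnicastRemoteObject.exportObject(service, 0);
  return stub;
}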

So each client that calls login() gets its own dedicated remote instance of MainService. Naturally I'd wrap the whole thing in SSL to protect the plain-text password.

Here is the problem:

It seems that after I've exported my new MainServiceImpl instance, it's now publicly available. Any other client that knows what to look for could connect to it and make calls on that MainServiceImpl instance.

I have to export the MainService after I create it or RMI won't send the stub to the client. Instead it will try to serialize the MainService instance.

I could stick the username in the MainService, but that won't actually help.

Recommended answer

You need to do authentication before switching to JRMP (the RMI wire-protocol). There was a JSR for this, but it got voted down. JERI does it for JINI.
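One way to authenticate before any JRMP traffic using only standard JDK classes is mutual TLS at the socket layer. The following is an added example, not code from the question or the answer; the class name MutualTlsRmiServer, the ping() method, and the keystore and truststore supplied through the javax.net.ssl.* system properties are assumptions.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.RMIClientSocketFactory;
import java.rmi.server.RMIServerSocketFactory;
import java.rmi.server.UnicastRemoteObject;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

public class MutualTlsRmiServer {
    // Hypothetical stand-in for the question's MainService.
    public interface MainService extends Remote {
        String ping() throws RemoteException;
    }

    static class MainServiceImpl implements MainService {
        public String ping() { return "pong"; }
    }

    // Strong reference so the exported object is not garbage collected.
    private static MainService service;

    public static void main(String[] args) throws Exception {
        // Assumption: the JVM was started with javax.net.ssl.keyStore,
        // javax.net.ssl.keyStorePassword, javax.net.ssl.trustStore and
        // javax.net.ssl.trustStorePassword set.
        RMIClientSocketFactory csf = new SslRMIClientSocketFactory();

        // null, null = default cipher suites and protocols.
        // needClientAuth = true: the TLS handshake fails unless the client
        // presents a certificate the server's truststore accepts, so an
        // unauthenticated peer never reaches the JRMP layer.
        RMIServerSocketFactory ssf = new SslRMIServerSocketFactory(null, null, true);

        service = new MainServiceImpl();
        // Same anonymous-port export as in the question, but the listening
        // socket is created by the client-authenticating factory.
        MainService stub =
            (MainService) UnicastRemoteObject.exportObject(service, 0, csf, ssf);

        // Protect the registry the same way; clients look it up with
        // LocateRegistry.getRegistry(host, port, new SslRMIClientSocketFactory()).
        Registry registry =
            LocateRegistry.createRegistry(Registry.REGISTRY_PORT, csf, ssf);
        registry.rebind("MainService", stub);
        System.out.println("MainService exported over mutually authenticated TLS");
    }
}
```

The handshake decides who may speak JRMP to the endpoint at all; it does not bind one exported instance to one user, so any client holding a trusted certificate can still call any object exported with these factories.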
