Java Reference
In-Depth Information
Security and Dynamic Loading
Running an RMI application over a network requires that certain files be accessible to the
server and client class loaders. Table 6-4 summarizes which files are required.
Table 6-4.
Class Loader Requirements
Client Class Loader Requires
Server Class Loader Requires
Remote interfaces
Remote interfaces, remote implementations
Stubs for remote objects
Stubs for remote objects
Server classes used as return
Skeletons for remote objects ( JDK version 1.1 only)
values
Miscellaneous client classes
Miscellaneous server classes
When a client has the remote object stubs and class files locally, the task is much simpler
and there are no special runtime considerations. However, if a client only has the remote
interface, Java provides the capability to load the classes and stubs dynamically. Dynamic
loading is the feature in RMI that allows for an object not available locally to be retrieved. Two
important classes make dynamic loading possible:
RMIClassLoader
and
SecurityManager
.
Besides these two important classes, you need to know the location of the classes to be
loaded.
This is referred to as a code base. Think of a code base as similar to a classpath, except on
a different machine accessible with a URL. A classpath would be analogous to a local code
base. The
codebase
property is
java.rmi.server.codebase
. It would be specified on the com-
mand line as follows:
java -Djava.rmi.server.codebase <URL>
The
java.rmi.server.RMIClasssLoader
class is required for dynamic class loading when
using RMI.
The
RMIClassLoader
class makes use of the
codebase
property. The
RMIClassLoader
class
can load classes from either an applet or an RMI application. For our purposes, and the pur-
poses of the certification exam, our discussion on security will be brief. We do not need to
worry about security or policy files in our implementation, since our application does not use
a security manager. Java 2 makes use of a security manager option due to compatibility with
pre-Java 2 applications. However, in a professional RMI application, a security manager is a
given. In addition, if your network application uses dynamic class loading, a security manager
is required.
Firewall Issues
When the client and server are separated by a firewall, the RMI transport layer is forbidden
from creating socket connections. In situations where a socket connection is prohibited, RMI
makes use of a technique called HTTP tunneling. Tunneling is the process of wrapping RMI
calls in an HTTP POST request, which firewalls typically allow.
Tunneling is done automatically. When a socket connection is denied by the transport
layer, a last-ditch effort is made to service the request via HTTP tunneling.
