
Re: [HELP] RMI & Java security (too secure!)

Nigel Wade

2004-05-12, 7:55 pm

Lorenzo wrote:
> [cross-posted on comp.lang.java]
> [cross-posted on comp.lang.java.security]
>
> hi you all,
> first of all apologies for having cross-posted this message but really
> i did not know where to post it. please let me know what ng you
> consider the most suitable for the described issue.
>
> i wrote a program made by a client and a server that communicate via
> RMI
>
> premise 1) everything has been developed and executed on WinXP
> Professional and the following jre
>
> java version "1.4.2_02"
> Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_02-b03)
> Java HotSpot(TM) Client VM (build 1.4.2_02-b03, mixed mode)
>
>
> premise 2) the registration on the RMI registry is all inside the
> program (ie: i don't use rmiregistry app)
>
>
> here are the two main problems i can't handle:
>
> 1 (server unaffected by local server.policy file) - i launch the
> server with the following command:
>
> java my.path.server server.properties
>
> problem: whether i specify a proper server.policy with
> -Djava.security.policy or i launch only the command above what happens
> is that the server FAILS TO REGISTER ON THE RMI REGISTRY IF I DON'T
> ADD THE FOLLOWING TWO LINES IN THE /lib/security/java.policy of the
> jre.
>
> grant {
>     permission java.net.SocketPermission "*:1024-65535", "connect, accept, resolve";
>     permission java.net.SocketPermission "localhost:1024-65535", "connect, accept, resolve";
> };
>
> question: is it correct or should it work only passing onto it the
> ad-hoc server.policy containing the above two lines? what's going on?
>
> anyway, once the server has been correctly registered modifying the
> jre java.policy, i start the client
>
> java my.path.client client.properties
> -Djava.security.policy=client.policy
>
> and everything works perfectly (on XP professional).
>
>
> 2 (problems with win2k server and win2003 server) - the exact same
> thing brought onto the two server machines does not work.
>
> in any case, whatever the security configuration, the client ALWAYS
> FAILS TO CONNECT TO THE SERVER with the following exception:
>
> java.rmi.ConnectException: Connection refused to host: 10.0.0.66;
> nested exception is: java.net.ConnectException: Connection refused:
> connect
>


I don't think that message has anything to do with Java security. I think
it's caused by TCP/IP failing to connect to the requested port. "Connection
refused" is normally generated when a client attempts to connect to a port
on a server and the server isn't listening on that port. Can you verify that
the RMI server is really up and listening on the port you think it is (I
don't know Windows well enough to suggest any diagnostic tools).

It might also be a firewall getting in the way. Do you have any sort of
firewall protecting the W2k/W3k servers which might be blocking the RMI
registry port?

--
Nigel Wade, System Administrator, Space Plasma Physics Group,
University of Leicester, Leicester, LE1 7RH, UK
E-mail : nmw@ion.le.ac.uk
Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555

Lorenzo

2004-05-12, 7:55 pm

perry <perry@unifiedobjects.com> wrote in message news:<lIsmc.34121$3Q4.940199@news20.bellglobal.com>...
> there are two ways to solve this problem...
>
> one is to find a quick fix somewhere off the Internet
>
> the other is to take a day out and spend it with a good book on Java
> Security (and then perhaps another on Java RMI)... there are so many
> quality books out there, a simple search on amazon or a trip to your
> local computer book store is well worth the effort
>
>


yes, i've done both things. then i used sysinternals tcpview to find
out it was a matter of domain resolving.

watch out for this.
i learnt that in the java policy file is much better to specify IP
addresses rather than names, they can be resolved differently than you
expect.
was it a known issue?

now it works, even if machines belong to different domains.
thanx for the answer,
l

Nigel Wade

2004-05-12, 7:55 pm

Lorenzo wrote:
> i used sysinternals tcpview to find
> out it was a matter of domain resolving.
>
> watch out for this.
> i learnt that in the java policy file is much better to specify IP
> addresses rather than names, they can be resolved differently than you
> expect.
> was it a known issue?


Name resolution is done by the OS, not Java. I would guess the problem is
Active Directory and dynamic DNS.



--
Nigel Wade, System Administrator, Space Plasma Physics Group,
University of Leicester, Leicester, LE1 7RH, UK
E-mail : nmw@ion.le.ac.uk
Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555
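
A probe for the two diagnoses made in this thread (is anything listening on the port, and what does the name actually resolve to), added here as an example and not code from any of the posters. The class name `RmiConnectProbe` and the result labels are made up for illustration; the policy-denial branches only fire when a SecurityManager is installed, as on the JRE 1.4.2 setup discussed above.

```java
import java.io.IOException;
import java.net.*;

public class RmiConnectProbe {
    /** Classifies a connection attempt by the layer that rejected it. */
    static String probe(String host, int port, int timeoutMs) {
        InetAddress[] addrs;
        try {
            addrs = InetAddress.getAllByName(host); // answered by the OS resolver
        } catch (UnknownHostException e) {
            return host + ": NAME_RESOLUTION_FAILED\n";
        } catch (SecurityException e) { // policy lacks "resolve"
            return host + ": DENIED_BY_JAVA_POLICY\n";
        }
        StringBuilder out = new StringBuilder();
        for (InetAddress a : addrs) { // a name may map to several addresses
            out.append(host).append(" -> ").append(a.getHostAddress()).append(": ");
            try (Socket s = new Socket()) {
                s.connect(new InetSocketAddress(a, port), timeoutMs);
                out.append("LISTENING");
            } catch (SecurityException e) { // policy lacks "connect"
                out.append("DENIED_BY_JAVA_POLICY");
            } catch (ConnectException e) { // TCP level: typically no listener, or an active reject
                out.append("REFUSED");
            } catch (SocketTimeoutException e) { // no answer: packets dropped on the way
                out.append("TIMEOUT");
            } catch (IOException e) {
                out.append("IO_ERROR ").append(e.getMessage());
            }
            out.append('\n');
        }
        return out.toString();
    }

    public static void main(String[] args) throws IOException {
        if (args.length == 2) { // usage: java RmiConnectProbe <host> <port>
            System.out.print(probe(args[0], Integer.parseInt(args[1]), 3000));
            return;
        }
        // Constructed offline demo: probe a loopback listener, then the same port once closed.
        ServerSocket listener = new ServerSocket(0, 1, InetAddress.getByName("127.0.0.1"));
        int port = listener.getLocalPort();
        System.out.print(probe("127.0.0.1", port, 1000));
        listener.close();
        System.out.print(probe("127.0.0.1", port, 1000));
    }
}
```

Running it from the client once with the server's name and once with its IP address shows whether both reach the same address, which is the mismatch a name-based policy entry can hide.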
Copyright 2008 codecomments.com