Beruflich Dokumente
Kultur Dokumente
Dr
Java™ Remote
Method Invocation
Security Extension
9/24/99
Copyright © 1999 Sun Microsystems, Inc.
901 San Antonio Road, Palo Alto, CA 94303 USA
All rights reserved. Copyright in this document is owned by Sun Microsystems, Inc.
Sun Microsystems, Inc. has patent and other intellectual property rights relating to implementations of the
technology described in this Specification ("Sun IPR"). Your limited right to use this Specification does not
grant you any right or license to Sun IPR.
THIS SPECIFICATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. SUN
SHALL NOT BE LIABLE FOR ANY DAMAGES SUFFERED BY YOU AS A RESULT OF USING THE
SPECIFICATION.
THIS SPECIFICATION COULD INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL
ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN; THESE
CHANGES WILL BE INCORPORATED IN NEW EDITIONS OF THE SPECIFICATION. SUN
MICROSYSTEMS, INC. MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE
SPECIFICATIONS AT ANY TIME, IN ITS SOLE DISCRETION. SUN IS UNDER NO OBLIGATION TO
PRODUCE FURTHER VERSIONS OF THE SPECIFICATION OR ANY PRODUCT OR TECHNOLOGY
BASED UPON THE SPECIFICATION. NOR IS SUN UNDER ANY OBLIGATION TO LICENSE THE
SPECIFICATION OR ANY ASSOCIATED TECHNOLOGY, NOW OR IN THE FUTURE, FOR
PRODUCTIVE OR OTHER USE.
RESTRICTED RIGHTS LEGEND
Use, duplication, or disclosure by the U.S. Government is subject to restrictions of FAR 52.227-14(g)(2)(6/
87) and FAR 52.227-19(6/87), or DFAR 252.227-7015(b)(6/95) and DFAR 227.7202-1(a).
TRADEMARKS
Copyright © 1999 Sun Microsystems, Inc., All rights reserved.
Sun, Sun Microsystems, the Sun logo, and Java are trademarks or registered trademarks of Sun
Microsystems, Inc. in the U.S. and other countries.
REPORT
As an Evaluation Posting of this Specification, you may wish to report any ambiguities, inconsistencies, or inac-
curacies you may find in connection with your evaluation of the Specification (“Feedback”). To the extent that
you provide Sun with any Feedback, you hereby: (i) agree that such Feedback is provided on a non-proprietary
and non-confidential basis and (ii) grant to Sun a perpetual, non-exclusive, worldwide, fully paid-up, irrevocable
license to incorporate, disclose, and use without limitation the Feedback for any purpose relating to the Specifi-
cation and future versions, implementations, and test suites thereof.
2
JAVA™ RMI SECURITY EXTENSION 3
1 Introduction
The Java™ 2 platform provides mechanisms for defining and using fine-grained
access control policies, built around the notion of what code is being executed.
Permission is granted to code, based on what location the code came from and
who signed that code.
Missing from the security architecture is any notion of who is executing the
code. The Java Authentication and Authorization Service (http://java.sun.com/
security/jaas) extends the security architecture, providing mechanisms to authenti-
cate subjects (login), execute code on behalf of subjects, and grant permissions to
subjects. The result is that access control policies can be based on both what code
is being executed and who is executing that code.
The RMI Security Extension further extends the security architecture to dis-
tributed systems, providing mechanisms to mutually authenticate client and server
subjects during a remote call, protect the communication from third parties, and
execute code in the server on behalf of the client’s subject.
The API for this extension is intentionally at a very high level; cryptographic
mechanisms and protocols are not exposed, so that code written to the API is more
portable. An underlying service provider interface allows specific mechanisms
and protocols to be configured into the framework.
Although this is an extension to RMI, the API is designed to be applicable
more generally to remote services that are defined in terms of interfaces. A remote
service has a front-end proxy object that implements one or more interfaces; the
proxy is downloaded into clients that want to use the service. An RMI stub is one
form of proxy, but a proxy may also be a more sophisticated object that performs
additional computation surrounding an RMI call, or one that uses alternate net-
work protocols.The proxy is responsible for network communication with the
back-end remote service, and the implementation of the proxy, including the
details of the protocol it uses to communicate with the remote service, can be spe-
cialized to the particular implementation of the service. The client does not know
about these implementation details; it only knows about the interfaces that define
the service.
1.1 Package
The new classes and interfaces defined here are in a new package,
javax.rmi.security, and in subpackages thereof.
1.2 Imports
2 Constraints
This extension allows both clients and servers to express security constraints to be
applied to remote calls. The basic security constraints are very simple:
◆ Communication integrity – making sure that the bits sent over the network
are not tampered with by third parties
◆ Server authentication – proving to the client that the server is executing on
behalf of some subject, so that the call can be terminated if the subject is not
trusted by the client
◆ Client authentication – proving to the server that the client is executing on
behalf of some subject, so that the server can perform only those tasks that
the subject is authorized for. The flip side of this is anonymity: allowing a
client to remain anonymous when it wants to be.
◆ Delegation – allowing the server to authenticate as the client, thus allowing
the server to act on a client’s behalf when dealing with third party remote
servers, in cases where the identity of the client (not the server) is what mat-
ters to the third party
The constraint mechanisms are designed such that a client cannot weaken
constraints set by the server, nested code cannot weaken constraints set by enclos-
ing code in the call chain, and code within a thread cannot weaken constraints
inherited by the thread. However, it is certainly possible to specify conflicting
requirements, in which case the remote call will not be made.
A secure remote call will be performed only if the server is capable of provid-
ing all of the client requirements (from all sources), and if all of the client and
server requirements are supported by the client’s underlying RMI implementation.
In addition, both client and server preferences will be satisfied, to the extent possi-
ble.
2.1 SecurityConstraint
Security constraints are represented as instances of classes that implement the fol-
lowing interface:
package javax.rmi.security;
public interface SecurityConstraint {
boolean implies(SecurityConstraint c);
2.2 RelativeTimeConstraint
{
SecurityConstraint makeAbsolute(long baseTime);
}
The basic security constraints are provided as constants of the following classes in
the javax.rmi.security package:
public final class Integrity
implements SecurityConstraint, Serializable
{
public static final Integrity YES;
public static final Integrity NO;
}
2.4 DelegationDuration
2.5 DelegationEndTime
2.6 ClientMinPrincipal
package javax.rmi.security;
public final class ClientMinPrincipal
implements SecurityConstraint, Serializable
{
public ClientMinPrincipal(Principal principal);
public ClientMinPrincipal(Principal[] principals);
2.7 ClientMaxPrincipal
package javax.rmi.security;
public final class ClientMaxPrincipal
implements SecurityConstraint, Serializable
{
public ClientMaxPrincipal(Principal principal);
public ClientMaxPrincipal(Principal[] principals);
public ClientMaxPrincipal(Collection c);
public Set elements();
}
2.8 ClientMinPrincipalType
package javax.rmi.security;
public final class ClientMinPrincipalType
implements SecurityConstraint, Serializable
{
public ClientMinPrincipalType(Class clazz);
public ClientMinPrincipalType(Class[] classes);
public ClientMinPrincipalType(Collection c);
public Set elements();
}
The elements method returns an immutable set of all of the classes. Any
attempt to modify the set results in UnsupportedOperationException being
thrown.
Two ClientMinPrincipalType instances are equal if they have equal classes
(ignoring order).
2.9 ClientMaxPrincipalType
package javax.rmi.security;
public final class ClientMaxPrincipalType
implements SecurityConstraint, Serializable
{
public ClientMaxPrincipalType(Class clazz);
public ClientMaxPrincipalType(Class[] classes);
public ClientMaxPrincipalType(Collection c);
public Set elements();
}
2.10 ServerMinPrincipal
package javax.rmi.security;
public final class ServerMinPrincipal
implements SecurityConstraint, Serializable
{
public ServerMinPrincipal(Principal principal);
public ServerMinPrincipal(Principal[] principals);
public ServerMinPrincipal(Collection c);
public Set elements();
}
mately a client needs to specify exact principal instances that a server must
authenticate as, in order to establish any useful basis for trusting the server.
2.11 AlternativeSecurityConstraints
Alternative constraints can be aggregated into a single overall constraint using the
AlternativeSecurityConstraints class:
package javax.rmi.security;
public final class AlternativeSecurityConstraints
implements RelativeTimeConstraint, Serializable
{
public static SecurityConstraint create(
SecurityConstraint[] constraints);
public static SecurityConstraints create(Collection c);
public Set elements();
public Class getElementType();
public boolean impliedBy(SecurityConstraint c);
}
The semantics of this aggregate constraint is that at least one of the individual
constraints must be satisfied.
The create methods throw NullPointerException if the parameter value is
null. The methods throw IllegalArgumentException if: the parameter is
empty; or if any of the elements are instances of
AlternativeSecurityConstraints; or if the elements are not all instances of
the same concrete class; or if the elements are not all instances of trusted con-
straint classes (see Section 2.13). The parameter passed to the method is not
retained; subsequent changes to that parameter have no effect on the instance cre-
ated. Redundant constraints are removed as follows: for any two specified con-
straints c1 and c2, if c1.implies(c2) is true, then c1 is removed. If a single
constraint remains, then that constraint is returned, otherwise an instance of
AlternativeSecurityConstraints containing the resulting constraints is
returned.
Note that this class implements RelativeTimeConstraint even though the
constraint elements might not implement RelativeTimeConstraint. The
makeAbsolute method simply returns the AlternativeSecurityConstraints
instance if the constraint elements are not instances of
RelativeTimeConstraint, otherwise it converts the constraint elements using
their makeAbsolute method and returns the result of invoking the create method
of AlternativeSecurityConstraints with the converted constraints.
The elements method returns an immutable set of all the constraints. Any
attempt to modify this set results in UnsupportedOperationException being
thrown.
The getElementType method returns the class of the constraint elements.
Two AlternativeSecurityConstraints instances are equal if they have
equal constraints (ignoring order).
The semantics of the impliedBy method is described in Section 2.14.9.
2.12 SecurityConstraints
The SecurityConstraint classes that are trusted can be extended beyond those
defined in this specification using security providers. A list of TrustVerifier
instances (see Section 5.1) is obtained as specified in Section 5. The
trustedConstraintClass method of each one is called with the constraint class.
If any method returns true, the class is trusted. If none of the methods returns
true, SecurityException is thrown.
The Principal classes that are trusted are defined in a similar fashion to con-
straint classes. The trustedPrincipalClass method of each TrustVerifier
instance is called with the principal class. If any method returns true, the class is
trusted. If none of the methods returns true, SecurityException is thrown.
2.14 Implies
The detailed semantics of the implies method for each constraint class, and the
impliedBy method of AlternativeSecurityConstraints, are given in this
Section. In general, application developers do not need to be concerned with the
details provided in this Section.
For each basic constraint class (those with YES and NO constants), instance c1 of
the class implies instance c2 of the same class if the two instances are equal.
AuthenticateClient.NO implies any instance of class Delegation,
DelegationDuration, DelegationEndTime, ClientMinPrincipal,
ClientMinPrincipalType, ClientMaxPrincipal, or
ClientMaxPrincipalType.
AuthenticateServer.NO implies any instance of class
ServerMinPrincipal.
Delegation.NO implies any instance of class DelegationDuration or
DelegationEndTime.
For each basic constraint class, instance c1 of the class implies
AlternativeSecurityConstraints instance c2 if c2.impliedBy(c1) is true.
For any other instance c2, c1.implies(c2) is false.
2.14.2 DelegationDuration
is true.
DelegationDuration instance c1 implies
AlternativeSecurityConstraints instance c2 if c2.impliedBy(c1) is true.
For any other instance c2, c1.implies(c2) is false.
2.14.3 DelegationEndTime
is true.
DelegationEndTime instance c1 implies
AlternativeSecurityConstraints instance c2 if c2.impliedBy(c1) is true.
For any other instance c2, c1.implies(c2) is false.
2.14.4 ClientMinPrincipal
2.14.5 ClientMaxPrincipal
2.14.6 ClientMinPrincipalType
2.14.7 ClientMaxPrincipalType
2.14.8 ServerMinPrincipal
2.14.9 AlternativeSecurityConstraints
2.15 Intersect
The detailed semantics of the intersect method for each constraint class are
given in this Section. In general, application developers do not need to be con-
cerned with the details provided in this Section.
For any two instances c1 and c2 of the same basic constraint class (those with YES
and NO constants), c1.intersect(c2) returns c1 if the instances are equal, and
returns null otherwise.
For any Delegation instance c, c.intersect(AuthenticateClient.NO)
returns AuthenticateClient.NO.
For any other instance c1 of a basic constraint class and any other constraint
instance c2, c1.intersect(c2) returns c1 if c1.implies(c2) is true, and
returns COMPLEX_INTERSECT otherwise.
2.15.2 DelegationDuration
Math.max(c1.getMin(), c2.getMin())
if the computed min is less than or equal to the computed max. Otherwise the
result is null.
For DelegationDuration instance c, c.intersect(Delegation.NO)
returns Delegation.NO and c.intersect(AuthenticateClient.NO) returns
AuthenticateClient.NO.
For DelegationDuration instance c1 and
AlternativeSecurityConstraints instance c2, the semantics of
c1.intersect(c2) is described under AlternativeSecurityConstraints for
the symmetric c2.intersect(c1).
For DelegationDuration instance c1 and any other constraint instance c2,
c1.intersect(c2) returns COMPLEX_INTERSECT.
2.15.3 DelegationEndTime
Math.max(c1.getMin(), c2.getMin())
if the computed min is less than or equal to the computed max. Otherwise the
result is null.
For DelegationEndTime instance c, c.intersect(Delegation.NO) returns
Delegation.NO and c.intersect(AuthenticateClient.NO) returns
AuthenticateClient.NO.
For DelegationEndTime instance c1 and
AlternativeSecurityConstraints instance c2, the semantics of
c1.intersect(c2) is described under AlternativeSecurityConstraints for
the symmetric c2.intersect(c1).
For DelegationEndTime instance c1 and any other constraint instance c2,
c1.intersect(c2) returns COMPLEX_INTERSECT.
2.15.4 ClientMinPrincipal
2.15.5 ClientMaxPrincipal
2.15.6 ClientMinPrincipalType
2.15.7 ClientMaxPrincipalType
2.15.8 ServerMinPrincipal
2.15.9 AlternativeSecurityConstraints
3 Client Interfaces
3.1 RemoteSecurity
Client security constraints can be attached to individual stubs, and server con-
straints can be queried, using the RemoteSecurity interface:
package javax.rmi.security;
public interface RemoteSecurity {
RemoteSecurity setClientConstraints(
SecurityConstraints constraints);
SecurityConstraints getClientConstraints();
SecurityConstraints getServerConstraints(String name,
Class[] parameterTypes)
throws NoSuchMethodException, RemoteException;
boolean equalsIgnoreConstraints(Object obj);
}
3.2 Security
The Security class provides methods for executing actions with contextual client
security constraints, and for establishing trust in downloaded stubs and proxies:
package javax.rmi.security;
public final class Security {
public static Object doConstrained(
PrivilegedAction action,
SecurityConstraints constraints);
public static Object doConstrained(
PrivilegedExceptionAction action,
SecurityConstraints constraints)
throws PrivilegedActionException;
public static SecurityConstraints getContextConstraints();
public static void establishProxyTrust(
Object proxy,
SecurityConstraints constraints)
throws RemoteException;
}
is called with the factory class as a parameter. If any method returns true, the
class is trusted. If none of the methods return true, SecurityException is
thrown. In this case, no remote communication takes place, and the constraints
passed as a parameter are not used.
If the proxy is a secure RMI stub for a server exported as a
SecureActivatable (see Section 4.2) the following checks are made:
the client constraints used for the call are the constraints passed as a param-
eter to establishProxyTrust. The client is responsible for specifying
AuthenticateServer.YES and an appropriate ServerMinPrincipal
instance as requirements, if it wants the server to be authenticated.
3.3 UnsupportedSecurityException
This exception is only checked and thrown at the point a remote method is
invoked. For example, it is possible to attach a client requirement to a stub that is
not supported by the server, or that is not supported by the RMI implementation in
which the client is executing, without an exception immediately being thrown.
UnsupportedSecurityException can be thrown at the point a remote
method is invoked for any of the following reasons:
The combined client and server constraints for the call are given as a non-null
read-only instance in a field of the exception. No specific indication is given as to
which requirements could not be satisfied.
The UnsupportedSecurityException constructor produces a non-null read-
only copy of the constraints (which can be null) passed as a parameter.
4 Server Interfaces
4.1 SecureUnicastRemoteObject
secure calls) in the context of a Subject.doAs invoked with the client subject as a
parameter.
The parameters passed to the remote method are automatically unmarshalled
within the scope of either a Subject.doAs or a Subject.doAsPrivileged with
the client subject. If the server implements CallAccessControl (see Section 4.5)
and the return value from its checkCallAccessControl method is true, then
doAsPrivileged is used, otherwise doAs is used.
4.2 SecureActivatable
Remote obj,
ActivationID id,
SecureExportDesc desc)
throws RemoteException;
}
The first constructor can be used to register a new object and export it. A sub-
class of SecureActivatable must call this constructor to register and export the
object during initial construction.
The second constructor is used to activate and export an object that has
already been registered. A subclass of SecureActivatable must call this con-
structor when the object itself is activated using its special “activation” construc-
tor.
The getID method returns the object’s activation identifier. This activation
identifier implements RemoteSecurity, and the activator constraints passed to the
constructor will have been set as client constraints by the constructor. These con-
straints will also be set as client constraints in the ActivationID contained in the
stub for this activatable object.
The register method registers a new activatable object with the activation
system without having to first create that activatable object; it will subsequently
be activated on demand. The activator constraints are set as client constraints on
the ActivationID contained in the returned stub.
As with Activatable, it is not necessary to extend SecureActivatable; you
can use an exportObject method instead. The first exportObject method both
registers the object as a new activatable object, and exports it; the activator con-
straints are set as client constraints on the returned ActivationID, and will also
be set as client constraints in the ActivationID contained in the stub for this acti-
vatable object. The second exportObject method exports an activatable object
that has already been registered; it is assumed that any desired activator con-
straints have already been set as client constraints on the ActivationID.
4.3 ActivatorSecurity
4.4 CheckProxySource
Remote objects that use specialized proxies (proxies that are not secure RMI
stubs) must implement this interface in order to allow clients to use
Security.establishProxyTrust.
Either or both parameters to the checkProxySource method may be null. If
these parameters identify proxy code that is considered trusted by the server, then
the method should just return normally. Otherwise it should throw an exception.
4.5 CallAccessControl
4.6 SecureExportDesc
◆ defaultConstraints – the default constraints for all DGC calls and for any
remote method that is not specified in methodConstraints. This value can
be null, which is treated the same as the empty instance.
◆ methodConstraints – constraints for specific remote methods. If null or
unspecified, defaults to the empty array. ExportException is thrown at
export time if any of the methods specified are not actually remote methods
for the exported object.
◆ serverSubject – the maximal subject that will be used when authenticating
the server to clients. The authenticated principals obtained by clients will
always be a subset of the principals in this subject. This value can be null.
If null or unspecified, defaults to the current executing subject (the value of
Subject.getSubject(AccessController.getContext())).
◆ ports – specific ports to export the object on. If null or unspecified, anon-
ymous ports are used as needed. If non-null, then factories must also be non-
null and the same length, or IllegalArgumentException is thrown. Each
port is paired with the corresponding server factory at the same index. A port
value of zero means that an anonymous port should be used. No two facto-
ries can be assigned the same non-zero port, or
IllegalArgumentException is thrown.
◆ factories – server factories (see Section 5.2) for generating secure sockets.
If null or unspecified, suitable factories are found as specified below.
In general, portable implementations will leave both ports and factories either
null or unspecified, and most developers do not need to be concerned with the
detailed semantics of socket factories.
Two SecureExportDesc instances are equal only if they are the identical (==)
object.
The getDefaultConstraints method returns a non-null read-only instance.
The getMethodConstraints method always returns a new non-null array
every time it is called.
Given a secure RMI stub for a remote object that was exported with this
export descriptor, the getServerConstraints method (see Section 3.1) of that
stub will return the constraints given in methodConstraints if there is a match,
otherwise the default constraints will be returned.
The getSubject method returns a non-null instance, or null if the
serverSubject was null or unspecified and the value of
Subject.getSubject(AccessController.getContext()) is null.
The getPorts method returns a new non-null array every time it is called. If
the ports constructor parameter was null or unspecified, this method returns an
array filled with zeros.
4.7 MethodConstraints
5 Provider Interfaces
◆ the property value is of the form “name.type” such that the getProvider
method of java.security.Security returns a provider for name, and
◆ that provider has a property named “prefix.type”, and
◆ the value of that property is the name of a class that implements iface and
has a no-arg constructor, and
◆ no instance of that class already exists in the list,
then an instance of that class is created and added to the list. In this case, the order
of instances is given by the security property order.
If there is no security property named “prefix.1”, then each of the providers
returned by the getProviders method of java.security.Security is searched,
and for each property that a provider has with name prefixed by “prefix.”, if:
◆ the property value is the name of a class that implements iface and has a no-
arg constructor, and
◆ no instance of that class already exists in the list,
then an instance of that class is created and added to the list. In this case, the order
of instances generated from a given provider is unspecified, but instances from
earlier providers precede instances from later providers in the resulting list.
5.1 TrustVerifier
5.2 SecureServerSocketFactory
Subject serverSubject);
ServerSocket createServerSocket(Subject serverSubject,
int port)
throws IOException;
}
5.3 SecureSocket
5.4 SecureClientSocketFactory
calls the checkConnect method of the installed security manager, passing the host
and port that would be used to create the socket.
5.5 SecureSessionSocket
6 Serialization
package javax.rmi.security.ref;
public class SecureUnicastData implements Serializable {
public SecurityConstraints clientConstraints;
public SecurityConstraints defaultConstraints;
public long[] methodHashes;
public SecurityConstraints[] methodConstraints;
public SecureClientSocketFactory[] factories;
public ObjID id;
}
package javax.rmi.security.ref;
public class SecureActivatableData extends SecureUnicastData {
public ActivationID aid;
}