I have a client-side security policy, with a statement that grants permissions. I want to be able to specify it to grant the set of permissions for an RMI server only. For example this works:

grant{    
    //my permissions    
};

But I can't figure out how to link the set of permissions so that they apply to my codebase on the server. Actually anything, as long as it's tied to the server, would be fine. I have tried:

grant codeBase "file://hostname/-"{    
    //my permissions   
};

With the hostname being the name or IP of the machine, both with and w/o the port number. But this does not work; neither does using http instead of file. If I understand what I read so far correctly, the hyphen at the end should apply the permissions to anything located on the server. Anyone know what I need to do to get this to work?

Thanks.

Here's the codebase specified when running the server:

-Djava.rmi.server.codebase=file://home/me/PageServer/build/classes/  pageserver.LoginService pageserver.PlannerService 

+1  A:

Where is the local JVM getting the code that should be granted permissions?

If it's downloading the code from an HTTP codebase on the server, you can use a URL starting with "http:".

If it's local code, you can use a URL starting with "file:" and ending with a local path.

Disclaimer: I've written security files for Jini, which is built atop RMI, and it's been a few years. Apologies for anything I've missed.

Andy Thomas-Cramer
It's getting it from a remote JVM. I tried http but it was not working for me. Perhaps it has something to do with the path? I don't know where the base path on my RMI server is. Would it just be the root file path, or does it start somewhere by default, say like /var/www would for Apache?
DrDipshit
Is the property java.rmi.server.codebase defined on your RMI server?
Andy Thomas-Cramer
It should be, if I'm adding it correctly that is. I just updated my question to include the switch I added when running the server jar. Cheers.
DrDipshit
@DrDipshit - If the client is always on the same machine as the server, you can use the same "file:" URL on both client and server; this will not have a hostname or port in it. Otherwise, you can set up an HTTP server and use the same "http:" URL on both server and client. You can test your HTTP server with a web browser. A very lightweight (one class) HTTP server is provided by Jini (pre-River); it can be run standalone or included in another application. If I recall correctly from reading its source years back, it doesn't depend on use of Jini.
Andy Thomas-Cramer
Yeah, no I was not running an http server. I was wondering if RMI had some protocol that would handle the transfer, as the http part looked strange. Anyways I got it working now. Cheers.
DrDipshit
A: 

Use a JAR for the codebase, and specify exactly the HTTP URL in the .policy file that you specified in -Djava.rmi.server.codebase.

EJP
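
The scoping both answers describe, written out as a Java policy file. This is an added example, not from the original posts; the host `rmi-host.example`, port 8080, the JAR name `pageserver.jar` and the `SocketPermission` lines are assumptions standing in for the asker's real values.

```java
// client.policy (constructed example; every host, port and file name is a placeholder)
//
// Server side, assumed: an HTTP server publishes the JAR, and the RMI server
// is started with the same URL:
//   java -Djava.rmi.server.codebase=http://rmi-host.example:8080/pageserver.jar ...
// Client side:
//   java -Djava.security.manager -Djava.security.policy=client.policy ...

// Too broad: no codeBase, so the permissions apply to all code in the client JVM.
// grant {
//     permission java.net.SocketPermission "*:1024-65535", "connect,accept";
// };

// Scoped: only classes loaded from exactly this URL get the permission.
// The string must match the java.rmi.server.codebase value set on the server.
grant codeBase "http://rmi-host.example:8080/pageserver.jar" {
    permission java.net.SocketPermission "rmi-host.example:1024-65535", "connect";
};

// Suffix rules when the codebase is a directory rather than a single JAR:
//   ".../classes/"   class files in that directory (no JARs)
//   ".../classes/*"  class files and JARs in that directory
//   ".../classes/-"  the same, recursively into subdirectories
// The protocol and host still have to match the URL the classes were loaded
// from, so a "file:" codeBase never covers classes downloaded over "http:".
```

On Java 7u21 and later the client must also run with `-Djava.rmi.server.useCodebaseOnly=false` before it will load classes from a codebase the server names.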