Making a distributed system secure is a mindnumbingly difficult task. As a system acquires more users, it will naturally acquire more security holes. In this chapter, we’ll discuss a general-purpose Java mechanism for safeguarding against a new type of security problem. By the end of this chapter, you will understand the security policy mechanism in Java 2, and know how to use it to safeguard some aspects of your RMI application.

RMI has been part of the Java platform for a long time. The first versions of RMI were “interim releases” that worked with JDK 1.2. With JDK 1.1, RMI became part of the Java specification. However, when Java 2 was released, something surprising happened. Working RMI applications suddenly failed. They compiled perfectly, they linked correctly, and they appeared to launch correctly. Yet whenever an application attempted to connect to an external process (e.g., the launch code tried to connect to the registry), a socket exception was thrown.

The reason for this: Java 2 contains a whole new security model. The net effect of the new security model is that a piece of code, unless explicitly granted permission, is not allowed to access anything that is not entirely contained within the JVM. This means that, for example, a legacy RMI application that doesn’t have the appropriate permissions will no longer be able to open socket connections. Because all of RMI’s messages travel across socket connections, the new security model quite ...