4 Replies. Latest reply: Mar 11, 2011 3:45 PM by 844347

Security Issues with Dynamic Loading

844347 Newbie
Hi,

I am trying to run a simple RMI example that uses dynamic class loading but I am hitting a problem I cannot get around - can anyone help?

The problem I am getting is that when I run my client program I get the exception listed at the bottom of my post.

I have the following in my server class called WarehouseServer:
   System.setProperty("java.security.policy", "server.policy");  
   System.setSecurityManager(new SecurityManager());  
I have a server.policy file located in the same folder as my server class:
    grant {    
        permission java.security.AllPermission "", "";    
    };   
I run my server using the following command:

    java -Djava.rmi.server.codebase=http://localhost:8080/ WarehouseServer

I have also tried running the server using this command:

    java -Djava.rmi.server.codebase=http://localhost:8080/ -Djava.security.policy=server.policy WarehouseServer

But on both occasions I get the same exception when running my client program.

Any idea?


Cheers,

Sean.


=====================================================================


Exception in thread "main" java.rmi.UnmarshalException: error unmarshalling return; nested exception is:
java.lang.ClassNotFoundException: Book (no security manager: RMI class loader disabled)
at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:178)
at java.rmi.server.RemoteObjectInvocationHandler.invokeRemoteMethod(RemoteObjectInvocationHandler.java:178)
at java.rmi.server.RemoteObjectInvocationHandler.invoke(RemoteObjectInvocationHandler.java:132)
at $Proxy0.getProduct(Unknown Source)
at WarehouseClient.main(WarehouseClient.java:32)
Caused by: java.lang.ClassNotFoundException: Book (no security manager: RMI class loader disabled)
at sun.rmi.server.LoaderHandler.loadClass(LoaderHandler.java:375)
at sun.rmi.server.LoaderHandler.loadClass(LoaderHandler.java:165)
at java.rmi.server.RMIClassLoader$2.loadClass(RMIClassLoader.java:620)
at java.rmi.server.RMIClassLoader.loadClass(RMIClassLoader.java:247)
at sun.rmi.server.MarshalInputStream.resolveClass(MarshalInputStream.java:197)
at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1574)
at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1495)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1731)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1328)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:350)
at sun.rmi.server.UnicastRef.unmarshalValue(UnicastRef.java:306)
at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:155)
... 4 more
  • 1. Re: Security Issues with Dynamic Loading
    EJP Guru
    You don't need a security manager in the server, or a .policy file either, unless the server will be uploading code itself, which isn't a normal scenario.

    But you need to run your client with -Djava.security.manager or whatever it is, or install a security manager in the client code. The client will also require a .policy file that permits whatever you need to permit.
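
The client-side setup described in reply 1, as an added example that is not part of the original thread or the book's code: it writes a narrow policy (instead of the AllPermission grant shown in the question), installs the security manager, then makes the remote call. The Warehouse interface, the registry name "warehouse" and the port range are assumptions, and it targets a JDK 7 or 8 runtime where SecurityManager is still available.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.rmi.Naming;
import java.rmi.Remote;
import java.rmi.RemoteException;

// Hypothetical stand-in for the remote interface; the thread only shows
// that the stub exposes getProduct() and that the server returns a Book.
interface Warehouse extends Remote {
    Object getProduct(String keyword) throws RemoteException;
}

public class WarehouseClient {
    // Assumed policy: outbound connections to localhost only. The range covers
    // the registry, the codebase web server on 8080 and the anonymous port of
    // the exported object. A grant without a codeBase applies to all code,
    // downloaded classes included, so it is kept narrow.
    static final String CLIENT_POLICY =
        "grant {\n"
      + "    permission java.net.SocketPermission "
      + "\"localhost:1024-65535\", \"connect,resolve\";\n"
      + "};\n";

    // Writes the policy to a temporary file and returns its absolute path.
    static Path writePolicy() throws IOException {
        Path policy = Files.createTempFile("client", ".policy");
        Files.write(policy, CLIENT_POLICY.getBytes(StandardCharsets.UTF_8));
        return policy;
    }

    public static void main(String[] args) throws Exception {
        // The policy location must be set before the first permission check.
        System.setProperty("java.security.policy", writePolicy().toString());
        // Without a security manager the RMI class loader refuses to download
        // classes: "no security manager: RMI class loader disabled".
        System.setSecurityManager(new SecurityManager());

        // Registry URL and lookup name are assumptions for this sketch.
        Warehouse warehouse = (Warehouse) Naming.lookup("rmi://localhost:1099/warehouse");
        Object product = warehouse.getProduct("sample keyword");
        // Book is not on the client classpath; it arrives from the codebase.
        System.out.println("Received " + product.getClass().getName());
    }
}
```

On JDK 7u21 and later, java.rmi.server.useCodebaseOnly defaults to true, so the client must also be started with -Djava.rmi.server.useCodebaseOnly=false before it will load Book from the server's codebase. SecurityManager is deprecated for removal since Java 17.
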
  • 2. Re: Security Issues with Dynamic Loading
    844347 Newbie
    Thanks EJP. You are correct! I only had the security manager and policy set up in the server; I didn't have it set up in the client. God these RMI errors can be obscure at times.

    For anyone else who may come across this: I was following an example from chapter 10 of this book, Core Java, Vol. 2: Advanced Features, 8th Edition (http://www.amazon.com/Core-Java-Vol-Advanced-Features/dp/0132354799/ref=sr_1_1?s=books&ie=UTF8&qid=1299739763&sr=1-1). The example outlines setting up the security manager and policy in the server, but fails to mention that you also need to set this up in the client.

    When you download the code associated with the book from the website (http://www.horstmann.com/corejava.html), you'll see that both the client and server have the security manager and policy set up.

    I actually removed the security manager and policy from the server and left the security manager and policy in the client, and everything worked fine!
  • 3. Re: Security Issues with Dynamic Loading
    EJP Guru
    > The example outlines setting up the security manager and policy in the server
    So it is wrong. You don't need a security manager and policy in the server, as I stated above.
    > but fails to mention that you also need to set this up in the client.
    So it is doubly wrong.

    Try my book, it's much better ;-)
  • 4. Re: Security Issues with Dynamic Loading
    844347 Newbie
    I have the java.rmi book as well :)
