Java Remote Method Invocation (Java RMI) lets you create distributed applications in Java.
RMI allows an object to invoke methods of remote Java objects running on another Java Virtual Machine (JVM), possibly on different hosts. RMI uses object serialization to marshal and unmarshal parameters, and doesn’t truncate types, supporting true object-oriented polymorphism.
RMI Security Recommendations
Follow these recommendations to improve the security of your RMI applications.
- See Serialization Filtering and follow the best practices there to protect your applications.
Optionally, you can run a security manager when using RMI, either on a client or server.
WARNING:The Security Manager and APIs related to it have been deprecated and are subject to removal in a future release. There is no replacement for the Security Manager. See JEP 411 for discussion and alternatives.
Establish a reasonable security policy. For example, grant
SocketPermissionand allow listen, accept, connect, and resolve actions only among hosts communicating with RMI. Don't have the security policy grant
AllPermission. See Permissions in the Java Development Kit and Default Policy Implementation and Policy File Syntax.
Restrict the communication to be local if RMI is being used only for communication among JVMs on the local host. To accomplish this task, specify the appropriate socket permissions in the security policy file. Alternatively, you can use RMI APIs directly to restrict connections only to the local host. See the
Ensure that the value of the
java.rmi.server.useCodebaseOnlyproperty is True. By default, the
java.rmi.server.useCodebaseOnlyproperty is set to True. If you set this property to False, then remote code loading is enabled, which increases the level of security risk to the system.
Run RMI over Secure Sockets Layer (SSL)/Transport Layer Security (TLS) and request authentication for both server and client. This is possible using custom socket factories. An application can export a remote object to use custom socket factories that create sockets of a desired type (for example, SSL sockets). Using this technique, an application can use SSL socket communication instead of the default socket communication. See the following:
For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.
Access to Oracle Support
Oracle customers that have purchased support have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.
Diversity and Inclusion
Oracle is fully committed to diversity and inclusion. Oracle respects and values having a diverse workforce that increases thought leadership and innovation. As part of our initiative to build a more inclusive culture that positively impacts our employees, customers, and partners, we are working to remove insensitive terms from our products and documentation. We are also mindful of the necessity to maintain compatibility with our customers' existing technologies and the need to ensure continuity of service as Oracle's offerings and industry standards evolve. Because of these technical constraints, our effort to remove insensitive terms is ongoing and will take time and external cooperation.
Java Platform, Standard Edition Java Remote Method Invocation API Guide, Release 21
Copyright © 1993, 2023, Oracle and/or its affiliates.