How can I restrict Java RMI to a specific interface?

Question

We have two interfaces on our product one that is customer facing and an internal interface. Is it possible to have the rmi only operate on a particular interface such as the loopback or do we need to use firewall rules to prevent access?

Is there a way to have the server bind only to request from a specified interface? I found this property that can be set on the server, does this prevent external request?

-Djava.rmi.server.hostname=127.0.0.1

Is there a way to have the rmiregistry select the interface it listens on like mysql's bind option?

This question seems related but I'm hoping for a simpler answer: Java RMI: How can I restrict RMI method to only be called internally by the client object

Answer 1

I found this property that can be set on the server, does this prevent external request?

-Djava.rmi.server.hostname=127.0.0.1

That property controls what IP address is placed into the stubs of remove objects exported from this JVM. If you want to restrict those to clients of 'localhost' setting this would actually work, but it isn't a great solution.

You would have to export the remote object with an RMIServerSocketFactory that creates ServerSockets bound to the specific IP address you want.

Is there a way to have the rmiregistry select the interface it listens on like mysql's bind option?

Same answer. You would have to export the Registry yourself, via LocateRegistry.createRegistry(int port, RMIServerSocketFactory ssf, RMIClientSocketFactory csf) . csf can be null of course.

Make sure your RMIServerSocketFactory has a sensible implemenation of equals() if you use more than one instance of it in your exporting JVM, eg that as long as the bind IP address is the same they are equal.

This question seems related

It isn't.