Java rmi authentication and security. exportObject makes it public?

Question:

When you UnicastRemoteObject.exportObject(instance)

. This instance is now made publicly available to all clients. Even if it takes a little tricky search to find its port.

This is the situation:

I have a java RMI client / server setup and I wanted to add some authentication. Providing the user / pass command to the user's client before any other RPC calls are made.

I found a simple suggestion online that looked like a good idea at first.

interface LoginService implements Remote {
  public MainService login(String username, char[] password) throws RemoteException;
}

interface MainService implements Remote {
  /* all my real rpc calls go here */
}

      

        
        
        
      

    

The idea is to create a remote object to implement post-authenticated RPC access. And access it through the first level, which does the authentication.

LoginServiceImpl.login()

should look something like this.

public MainService login(String username, char[] password) throws RemoteException {
  /* verify username and password */
  MainService service = new MainServiceImpl();
  MainService stub = UnicastRemoteObject.exportObject(service, 0);
  return stub;
}

      

        
        
        
      

    

This way, each client that calls login()

gets its own dedicated dedicated instance MainService

. Naturally, I would wrap the whole thing in ssl to protect the cleartext password.

This is the problem:

It seems that after I exported my new instance MainServiceImpl

it is now available to the public. Any other client that knows what to look for can connect to it and make calls to that instance MainServiceImpl

.

I need to export the MainService after it is created, or RMI will not send the stub to the client. Instead, it will try to serialize the MainService instance.

I could have inserted the username in MainService

, but it doesn't really help.