javarmijava-security-manager

How to create java RMI program without SecurityManager as it's deprecated?


As referring to the "Creating and Installing a Security Manager" for oracle's tutorial: https://docs.oracle.com/javase/tutorial/rmi/implementing.html

It mentioned whenever we need to download code from the remote machine in a RMI program, the Security Manager is needed.

Now that the SecurityManager is deprecated since java 18, any new strategy introduced to replace the functionality of SecurityManager within the RMI program stated? And how to achieve it?


Solution

  • Now that the SecurityManager is deprecated since java 18,

    Actually it was deprecated in Java 17. In Java 18 it is disabled by default.

    [Is there] any new strategy introduced to replace the functionality of SecurityManager within the RMI program stated?

    AFAIK, no.

    With RMI, a security manager is recommended when RMI needs to load and use classes that have been fetched from a remote and (potentially) untrusted source. The untrusted classes are then run in the security manager sandbox.

    Now that is a problem. Basically, the Java security manager mechanism is brittle and hard to use correctly. Furthermore there is no real prospect of improving the mechanism to make it safe (enough). That is why they have deprecated it in Java 17 and they are disabling it by default in Java 18. See JEP 411 for the full details.

    (IMO) the best answer for you will be to rearchitect your applications so that you don't need to download RMI classes from an untrusted source or via a channel that is insecure. If you can ensure that you will be downloading only your own (trustworthy) class and you use a channel that cannot be "hacked", then you can safely dispense with the security manager.

    The other alternative would be to not support / use Java 17 and later. That will be increasingly difficult in the long term.

    Note that they haven't (yet) entirely removed security manager support. The JEP link discusses some possibilities, but AFAIK it is not yet decided.