0

If you want to use custom sockets for RMI (e.g. using SSL), in UnicastRemoteObject.exportObject(4) you need to specify a client socket factory as well as a server socket factory. But the exporting of objects is done on the server side. Why is the client socket factory necessary?

Unless...it's serialized and used by a client wanting to acquire a connection to that object? I find that unlikely (though it may be the answer); (SSL) socket factories don't sound like classic examples of serializable objects to me, with keystores being local, and things like that.

Bart van Heukelom

2 Answers

1

Yes, just like you said already in the question:

An RMIClientSocketFactory must be serializable, and will be serialized to the other side, when used with exportObject or UnicastRemoteObject's constructor.

This means that it must not contain (non-transient) references to objects which are non-serializable, only the necessary information to create a socket on the fly.

(I recently posted an example for an RMISocketFactory, where I needed to take care to be serializable.)


Edit (after the comment from EJP):

Of course, this only applies if you need to use a client socket factory at all. In many circumstances, you simply can use the other exportObject methods (or other constructors), which then use the default server socket factory on the server side, and the default client socket factory at the client side, without serializing anything.

And yes, there is no point in serializing the server's trust store to the client - if the client has to trust the registry or other remote objects for which certificates to accept, we have the point for a man-in-the-middle attack. Thus SslRMIClientSocketFactory, while being Serializable, does not serialize the server's SSL context, but simply uses the client VM's SSL settings.

Paŭlo Ebermann
  • Doesn't address the underlying fallacy in the question. – user207421 Jun 08 '11 at 11:24
  • Of course, you only need the client socket factory if you need specialized sockets, for example for going through a firewall. But if I understand right, there is no other way of setting the factory, other than setting it VM-wide on the client with `RMISocketFactory.setSocketFactory()`. – Paŭlo Ebermann Jun 08 '11 at 12:00
  • Agreed. It is far from clear what the OP is actually asking here. – user207421 Jun 08 '11 at 13:03
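The point made in the answer above, as an added example that is not code from the question or from either answer: a client socket factory that can be serialized into the stub because it carries only plain configuration and builds its TLS sockets from the receiving JVM's own settings. The class name `TlsClientSocketFactory` and the protocol list are assumptions made for illustration.

```java
import java.io.*;
import java.net.Socket;
import java.rmi.server.RMIClientSocketFactory;
import java.util.Arrays;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Hypothetical class name; added example, not code from the answers.
public class TlsClientSocketFactory implements RMIClientSocketFactory, Serializable {
    private static final long serialVersionUID = 1L;

    // Plain, serializable configuration: this is all that travels inside the stub.
    private final String[] protocols;

    // No key store, trust store or SSLContext is stored here. The delegate is
    // transient and rebuilt lazily in whichever JVM deserialized the factory.
    private transient SSLSocketFactory delegate;

    public TlsClientSocketFactory(String... protocols) {
        this.protocols = protocols.clone();
    }

    @Override
    public Socket createSocket(String host, int port) throws IOException {
        if (delegate == null) {
            // Uses the client JVM's own trust settings (javax.net.ssl.* properties).
            delegate = (SSLSocketFactory) SSLSocketFactory.getDefault();
        }
        SSLSocket socket = (SSLSocket) delegate.createSocket(host, port);
        socket.setEnabledProtocols(protocols);
        return socket;
    }

    // RMI compares factories to decide whether connections can be shared.
    @Override public boolean equals(Object o) {
        return o instanceof TlsClientSocketFactory
                && Arrays.equals(protocols, ((TlsClientSocketFactory) o).protocols);
    }
    @Override public int hashCode() { return Arrays.hashCode(protocols); }

    // Round-trips the factory the way a stub transfer would, to prove it serializes.
    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(new TlsClientSocketFactory("TLSv1.3", "TLSv1.2"));
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            System.out.println(in.readObject().equals(new TlsClientSocketFactory("TLSv1.3", "TLSv1.2")));
        }
    }
}
```

On the server it would be passed as the client factory argument of `UnicastRemoteObject.exportObject(obj, port, csf, ssf)` together with a TLS-capable server socket factory such as `javax.rmi.ssl.SslRMIServerSocketFactory`.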
-1

> In UnicastRemoteObject.exportObject(...) you need to specify a client socket factory as well as a server socket factory (if you're using custom sockets at all, of course).

Only if you use that overload of exportObject(), and even then you can supply a null. There is another overload where you only have to specify the port number.

> Why is that?

It isn't.

> The exporting of objects is done on the server side.

Correct.

> Why is the client socket factory necessary?

It isn't.

user207421
  • I know there are other overloads. That's why I put "if you're using custom sockets at all, of course". – Bart van Heukelom Jun 08 '11 at 12:03
  • @Bart van Heukelom you said, and I quote, again, you 'need to specify a client socket factory'. You don't. Perhaps you need to reword your question rather than argue with your own words. – user207421 Jun 08 '11 at 13:01
  • I *need* to use custom sockets (SSL), so I *need* to specify a socket factory, otherwise the default ones are used. You downvoted the other answer because it "doesn't address the underlying fallacy in the question.". Well, I downvoted yours because it only serves to point out that "fallacy" you perceive in the question, and that in an unnecessarily long "everything you say after the first sentence is then also wrong" kind of way, and it doesn't actually answer it. Comment on the question, if you feel there's anything to point out. – Bart van Heukelom Jun 08 '11 at 13:14
  • @Bart van Heukelom: SSL is a reason for using a custom client socket factory. There are others. That's not what the OP asked. His question contains a fallacy: 'why are client sockets factory necessary?' They aren't. They are an optional facility for use in situations when they are required. Hence my downvote. Fallacious questions can only be answered by pointing out the fallacy. – user207421 Jun 09 '11 at 10:38
  • @Downvoter please explain your problem with this correct answer. – user207421 Jul 23 '12 at 09:48