Services will transfer objects to be run within clients. This chapter has so far been concerned with the security policies that will allow this and the restrictions that may need to be in place. The major protection for clients at the moment is that there are no standardized service interfaces, so attackers do not yet know what hostile objects to write.
A lookup service, on the other hand, exports an object that implements ServiceRegistrar. It does not use the same mechanism as a service would to get its code into a client. Instead, the lookup service replies directly to unicast connections with a registrar object, or responds to multicast requests by establishing a unicast connection to the requester and again sending a registrar. The mechanism is different, but it is clearly documented in the Jini specifications and it is quite easy to write an application that performs at least this much of the discovery protocols.
The end result of lookup discovery is that registrar objects will have been downloaded from the lookup service. The registrar objects run in both clients and services, since both need to find lookup services. The ServiceRegistrar interface is standardized by the Jini specification, so it is fairly easy to write a hostile lookup service that can attack both clients and services.
While it is unlikely that anyone will knowingly make a unicast connection to a hostile lookup service, someone might get tricked into it. There are already some quite unscrupulous Web sites that will offer "free" services on producing a credit card (to the user's later cost). There is every probability that such sites will try to entice Jini clients if they see a profit in doing so. Also, anyone with access to the network and within broadcast range of clients and services (i.e., on your local network) can start lookup services that will be found by multicast discovery.
The only real counter to this attack is to require that all connections that can result in downloaded code should be covered by digital certificates, so that all downloaded code must be signed. This covers all possible ports, since an HTTP server can be started on any port on a Windows machine. The objects that are downloaded in the Sun implementation of the lookup service, reggie, are all in reggie-dl.jar. This is not signed by any certificates. If you are worried about an attack through this route, you should sign this file, as well as the jar files of any services you wish to use.
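Once reggie-dl.jar and the service jars are signed, it is worth checking that every entry really is covered by a certificate you trust before you serve or accept them. The following is an added example, not code from this chapter or from Sun's reggie; the class name, the command-line arguments and the truststore file are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class SignedJarCheck {   // hypothetical helper, not part of Jini
    // Signature bookkeeping files are never signed themselves; everything else must be.
    private static final String SIG_FILES = "(?i)META-INF/(MANIFEST\\.MF|[^/]+\\.(SF|DSA|RSA|EC))";

    /** True only if every class or resource in the jar is signed by a certificate in 'trusted'. */
    static boolean allEntriesTrusted(String jarPath, KeyStore trusted) throws Exception {
        try (JarFile jar = new JarFile(jarPath, true)) {          // true = verify signatures
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().matches(SIG_FILES)) continue;
                // Signers are only available after the entry has been read to the end;
                // an entry modified after signing makes the read throw SecurityException.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                if (!signedByTrusted(e.getCodeSigners(), trusted)) {
                    System.err.println("unsigned or untrusted entry: " + e.getName());
                    return false;
                }
            }
            return true;
        }
    }

    static boolean signedByTrusted(CodeSigner[] signers, KeyStore trusted) throws Exception {
        if (signers == null) return false;                        // entry carries no signature
        for (CodeSigner s : signers) {
            Certificate leaf = s.getSignerCertPath().getCertificates().get(0);
            if (trusted.getCertificateAlias(leaf) != null) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {    // <jar> <truststore> <storepass>
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) { ks.load(in, args[2].toCharArray()); }
        System.out.println(allEntriesTrusted(args[0], ks) ? "OK" : "REJECT");
    }
}
```

Run against an unsigned reggie-dl.jar, this reports the first unsigned entry and prints REJECT. It matches the signer's own certificate against the truststore and does not check expiry or revocation.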