RMI Parameters

A service is specified by an interface. In many cases, an RMI proxy that implements this interface will be delivered to the client. Depending on the interface, the client can use this to attack the service. The FileClassifier interface is safe, but in Chapter 14 we will look at how a client can upload a new MIME type to a service, and this extended interface exposes a service to attack.

This is the relevant method from the MutableFileClassifier interface of Chapter 14:

    public void addType(String suffix, MIMEType type)
        throws java.rmi.RemoteException;

This method allows a client to pass an object of type MIMEType up to the service, where it will presumably try to add it to a list of existing MIME types. The MIMEType class is an ordinary class, not an interface. Nevertheless, it can be subclassed, and an instance of the subclass can mount an attack as described in the second section of this chapter.

This particular attack can be avoided by ensuring that the parameters to any method call in an interface are all final classes. If the MIMEType class were defined by

    public final class MIMEType {...}

then it would not be possible to subclass it. No attack could be made by a subclass, since no subclass could be made!

There aren't enough Jini services defined yet to know whether making all parameters final is a good enough solution.
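The following Java sketch is an added example, not code from the book: it shows why a non-final parameter class lets client-written code run inside addType, and how the final declaration closes that path. The RMI transport is left out (the call is local), and the fields of MIMEType as well as ClientMIMEType, FinalMIMEType and Service are simplified stand-ins assumed for illustration.

```java
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

public class FinalParameterDemo {
    // Simplified stand-in for MIMEType: an ordinary, non-final class.
    static class MIMEType implements Serializable {
        private final String contentType, subtype;
        MIMEType(String contentType, String subtype) {
            this.contentType = contentType;
            this.subtype = subtype;
        }
        @Override public String toString() { return contentType + "/" + subtype; }
    }

    // Hardened variant: final, so only the methods written here can ever run.
    static final class FinalMIMEType implements Serializable {
        private final String contentType, subtype;
        FinalMIMEType(String contentType, String subtype) {
            this.contentType = contentType;
            this.subtype = subtype;
        }
        @Override public String toString() { return contentType + "/" + subtype; }
    }

    // Subclass written by the client (constructed for this example). The
    // override is harmless: it only records that client code was executed.
    static class ClientMIMEType extends MIMEType {
        static boolean ranInsideService = false;
        ClientMIMEType() { super("text", "plain"); }
        @Override public String toString() {
            ranInsideService = true;
            return super.toString();
        }
    }
    // static class Rejected extends FinalMIMEType {}  // compile error: final

    // Local stand-in for the service side of MutableFileClassifier.addType.
    static class Service {
        private final Map<String, String> types = new HashMap<>();
        void addType(String suffix, MIMEType type) {
            types.put(suffix, type.toString());  // dispatches on runtime class
        }
        void addType(String suffix, FinalMIMEType type) {
            types.put(suffix, type.toString());  // always FinalMIMEType's code
        }
    }

    public static void main(String[] args) {
        Service service = new Service();
        service.addType(".txt", new ClientMIMEType());
        System.out.println("client override ran: " + ClientMIMEType.ranInsideService);
        service.addType(".gif", new FinalMIMEType("image", "gif"));
    }
}
```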