Improve the security of your RMI applications by following these recommendations:
Always run a security manager when using RMI, either on a client or server. See The Security Manager in The Java Tutorials.
Establish a reasonable security policy. For example, grant SocketPermission and allow listen, accept, connect, and resolve actions only among hosts communicating with RMI. Do not have the security policy grant AllPermission. See Permissions in the JDK and Default Policy Implementation and Policy File Syntax.
If RMI is being used only for communication among JVMs on the local host, restrict communications to be local only. Accomplish this by specifying the appropriate socket permissions in the security policy file as described previously. Alternatively, you can use RMI APIs directly to restrict connections only to the local host. See an example of this in the documentation for the RMISocketFactory class.
Ensure that the value of the java.rmi.server.useCodebaseOnly property is true (which is the default value). Setting this property to false enables remote code loading, which increases the level of security risk to the system. See java.rmi Properties.
Run RMI over SSL/TLS, and require authentication for both server and client. For further information, see the following:
