I have the following code:
public class Foo implements SomeRemote {
    private String verySecretString;
    public void doSomething(){...}
}
As I understand, foo will somehow be serialized and sent from the RMI server to the RMI client. So, can the client access verySecretString anyway?
This is not how it works. You are supposed to expose a Remote interface instead of a class, then manipulate the interface at the client level; this way the client has no idea of the implementation details.
So here you should rather have something like:
public interface MyService extends Remote {
    void doSomething() throws RemoteException;
}
This is only what you know at the client level. At the server level you will have your implementation Foo, something like:
public class Foo implements MyService {
    private String verySecretString;
    public void doSomething(){...}
}
Response Update:
If you don't want a field value to be serialized, simply add the keyword transient to its declaration as follows:
private transient String verySecretString;
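
The effect of transient on what a receiver can recover, as an added example that is not part of the original answer. It assumes an object that is passed by value (Serializable, rather than an exported Remote object); the class names Leaky and Guarded and the secret value are constructed for illustration.

```java
import java.io.*;
import java.lang.reflect.Field;
import java.nio.charset.StandardCharsets;

public class TransientDemo {
    static final String SECRET = "s3cr3t-constructed"; // constructed sample value

    // Hypothetical value class: the private field is written to the stream.
    static class Leaky implements Serializable {
        private static final long serialVersionUID = 1L;
        private String verySecretString = SECRET;
    }

    // Same class with the field marked transient: the field is skipped.
    static class Guarded implements Serializable {
        private static final long serialVersionUID = 1L;
        private transient String verySecretString = SECRET;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    // Reports what the receiving side sees: the raw stream bytes and the
    // field value after deserialization, read through reflection.
    static String report(Object o) throws Exception {
        byte[] wire = serialize(o);
        boolean inBytes = new String(wire, StandardCharsets.ISO_8859_1).contains(SECRET);
        Object copy;
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            copy = in.readObject();
        }
        Field f = copy.getClass().getDeclaredField("verySecretString");
        f.setAccessible(true); // "private" does not hide the value from the receiving JVM
        return o.getClass().getSimpleName() + ": secret in stream=" + inBytes
                + ", field after read=" + f.get(copy);
    }

    public static void main(String[] args) throws Exception {
        System.out.println(report(new Leaky()));
        System.out.println(report(new Guarded()));
    }
}
```

A transient field comes back as null on the receiving side because field initializers are not re-run during deserialization, so code that uses the object after transfer has to handle that.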