Return-Path: X-Original-To: apmail-river-commits-archive@www.apache.org Delivered-To: apmail-river-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 084047B89 for ; Sun, 21 Aug 2011 04:00:23 +0000 (UTC) Received: (qmail 80148 invoked by uid 500); 21 Aug 2011 04:00:20 -0000 Delivered-To: apmail-river-commits-archive@river.apache.org Received: (qmail 79995 invoked by uid 500); 21 Aug 2011 04:00:08 -0000 Mailing-List: contact commits-help@river.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@river.apache.org Delivered-To: mailing list commits@river.apache.org Received: (qmail 79957 invoked by uid 99); 21 Aug 2011 04:00:00 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 21 Aug 2011 04:00:00 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 21 Aug 2011 03:59:53 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id 8D2D423889C5; Sun, 21 Aug 2011 03:59:31 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1159939 - in /river/jtsk/skunk/peterConcurrentPolicy: qa/harness/policy/ qa/harness/trust/ qa/src/com/sun/jini/test/resources/ qa/src/com/sun/jini/test/spec/jeri/https/ qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/ qa... Date: Sun, 21 Aug 2011 03:59:30 -0000 To: commits@river.apache.org From: peter_firmstone@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20110821035931.8D2D423889C5@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: peter_firmstone Date: Sun Aug 21 03:59:29 2011 New Revision: 1159939 URL: http://svn.apache.org/viewvc?rev=1159939&view=rev Log: Improvements to ConcurrentPermissions, has justified replacing Permissions in ConcurrentPolicyFile since this is now more reliable with concurrent code. Still having problems with PolicyParser parsing standard java policy file, because of this it doesn't grant any permissions to the jar files in the jre/lib/ext directory, so it's having trouble with encryption providers. Otherwise ConcurrentPolicyFile passes all policy based tests. I expect the problem will be solved soon and it will then pass all qa tests. The next step will be to replace RMISecurityManager with a DelegateSecurityManager and test that. Then add logging to the security manager to record failed permission checks. Removed: river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/security/policy/se/ Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/harness/policy/defaulttest.policy river/jtsk/skunk/peterConcurrentPolicy/qa/harness/trust/dynamic-policy.properties river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/resources/jinitest.policy river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/jeri/https/HttpsRobustnessTest.td river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/GrantNoPrincipalCase02.java river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/GrantNoPrincipalCase02.td river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/util/Util.java river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/ssl/HttpsEndpoint.java river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/ssl/SslEndpointImpl.java river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/ssl/SslServerEndpointImpl.java river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/loader/pref/PCodeSource.java river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/ConcurrentPermissions.java river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/PermissionPendingResolutionCollection.java river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/ConcurrentPolicyFile.java river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/PolicyFileProvider.java river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/security/policy/util/PolicyUtils.java river/jtsk/skunk/peterConcurrentPolicy/test/src/org/apache/river/impl/security/policy/util/PolicyEntryTest.java Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/harness/policy/defaulttest.policy URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/harness/policy/defaulttest.policy?rev=1159939&r1=1159938&r2=1159939&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/harness/policy/defaulttest.policy (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/harness/policy/defaulttest.policy Sun Aug 21 03:59:29 2011 @@ -20,6 +20,12 @@ grant codebase "file:${com.sun.jini.test permission java.security.AllPermission "", ""; }; +// required for new PolicyFile provider. +grant codeBase "file:${{java.ext.dirs}}/*" { + permission java.security.AllPermission; +}; + + grant codebase "file:${com.sun.jini.jsk.home}${/}lib${/}jsk-platform.jar" { permission java.security.AllPermission "", ""; }; Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/harness/trust/dynamic-policy.properties URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/harness/trust/dynamic-policy.properties?rev=1159939&r1=1159938&r2=1159939&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/harness/trust/dynamic-policy.properties (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/harness/trust/dynamic-policy.properties Sun Aug 21 03:59:29 2011 @@ -6,4 +6,4 @@ policy.provider=net.jini.security.policy #net.jini.security.policy.PolicyFileProvider.basePolicyClass=com.sun.jini.qa.harness.MergedPolicyProvider net.jini.security.policy.DynamicPolicyProvider.basePolicyClass=com.sun.jini.qa.harness.MergedPolicyProvider #net.jini.security.policy.DynamicPolicyProvider.basePolicyClass=net.jini.security.policy.PolicyFileProvider -#net.jini.security.policy.PolicyFileProvider.basePolicyClass=org.apache.river.security.concurrent.ConcurrentPolicyFile +net.jini.security.policy.PolicyFileProvider.basePolicyClass=net.jini.security.policy.ConcurrentPolicyFile Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/resources/jinitest.policy URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/resources/jinitest.policy?rev=1159939&r1=1159938&r2=1159939&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/resources/jinitest.policy (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/resources/jinitest.policy Sun Aug 21 03:59:29 2011 @@ -46,6 +46,10 @@ grant codebase "file:${com.sun.jini.test permission java.security.AllPermission "", ""; }; +// required for new PolicyFile provider. +grant codeBase "file:${{java.ext.dirs}}/*" { + permission java.security.AllPermission; +}; grant codebase "file:${com.sun.jini.qa.harness.testJar}" { permission net.jini.security.GrantPermission Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/jeri/https/HttpsRobustnessTest.td URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/jeri/https/HttpsRobustnessTest.td?rev=1159939&r1=1159938&r2=1159939&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/jeri/https/HttpsRobustnessTest.td (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/jeri/https/HttpsRobustnessTest.td Sun Aug 21 03:59:29 2011 @@ -3,3 +3,11 @@ testCategories=jeri,jeri_spec testConfiguration= com.sun.jini.qa.harness.runkitserver=false com.sun.jini.qa.harness.runjiniserver=false +testjvmargs=\ +-Xdebug,\ +-Xrunjdwp:transport=dt_socket+,address=8000+,server=y+,suspend=y,\ +${testjvmargs} +#-Djava.security.debug=access:failure,\ +#-Dnet.jini.security.policy.PolicyFileProvider.basePolicyClass=net.jini.security.policy.ConcurrentPolicyFile,\ +#-Djava.security.manager=com.sun.jini.tool.ProfilingSecurityManager,\ +#${testjvmargs} Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/GrantNoPrincipalCase02.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/GrantNoPrincipalCase02.java?rev=1159939&r1=1159938&r2=1159939&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/GrantNoPrincipalCase02.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/GrantNoPrincipalCase02.java Sun Aug 21 03:59:29 2011 @@ -355,12 +355,12 @@ public class GrantNoPrincipalCase02 exte Permission[] p = new Permission[] { pmDynamicGranted[k] }; boolean shouldReturn = (k <= i); - checkImplies(pd, p, shouldReturn, false); - checkImplies(pdNew01, p, shouldReturn, false); - checkImplies(pdNew02, p, shouldReturn, false); + checkImplies(pd, p, shouldReturn, false); + checkImplies(pdNew01, p, shouldReturn, false); + checkImplies(pdNew02, p, shouldReturn, false); + } } } - } /* * Call grant() on DynamicPolicyProvider passing @@ -382,78 +382,78 @@ public class GrantNoPrincipalCase02 exte for (int i = 0; i < protectionDomains.length; i++) { ProtectionDomain pd = protectionDomains[i]; - /* - * Call implies on DynamicPolicyProvider passing - * pmAll permissions. Verify that implies() - * returns true for null and non-null - * ProtectionDomains. - */ - checkImplies(pd, pmAll, true, false); - - /* - * Call implies on DynamicPolicyProvider passing - * permissions that granted in the policy file. Verify that - * implies() returns false if ProtectionDomain is equal to null, - * and verify that implies() returns true for non-null - * ProtectionDomains. - */ - checkImplies(pd, pmGranted, true, true); - - /* - * Call implies on DynamicPolicyProvider passing - * not granted permissions. Verify that implies() - * returns false for null and non-null - * ProtectionDomains. - */ - checkImplies(pd, pmDynamicNotGranted, false, false); + /* + * Call implies on DynamicPolicyProvider passing + * pmAll permissions. Verify that implies() + * returns true for null and non-null + * ProtectionDomains. + */ + checkImplies(pd, pmAll, true, false); - if (pd == null) { - continue; - } + /* + * Call implies on DynamicPolicyProvider passing + * permissions that granted in the policy file. Verify that + * implies() returns false if ProtectionDomain is equal to null, + * and verify that implies() returns true for non-null + * ProtectionDomains. + */ + checkImplies(pd, pmGranted, true, true); - /* - * Get CodeSource for ProtectionDomain. - */ - CodeSource s = pd.getCodeSource(); + /* + * Call implies on DynamicPolicyProvider passing + * not granted permissions. Verify that implies() + * returns false for null and non-null + * ProtectionDomains. + */ + checkImplies(pd, pmDynamicNotGranted, false, false); - /* - * Iterate over class loaders. - */ - for (int j = 0; j < classLoaders.length; j++) { + if (pd == null) { + continue; + } /* - * Create new ProtectionDomain passing code source, - * null as PermissionCollection, class loader and - * null as array of Principals. + * Get CodeSource for ProtectionDomain. */ - ProtectionDomain pdNew01 = new ProtectionDomain(s, null, - classLoaders[j], null); + CodeSource s = pd.getCodeSource(); /* - * Create new ProtectionDomain passing null as code source, - * null as PermissionCollection, class loader - * and null as array of Principals. + * Iterate over class loaders. */ - ProtectionDomain pdNew02 = new ProtectionDomain(null, null, - classLoaders[j], null); + for (int j = 0; j < classLoaders.length; j++) { + + /* + * Create new ProtectionDomain passing code source, + * null as PermissionCollection, class loader and + * null as array of Principals. + */ + ProtectionDomain pdNew01 = new ProtectionDomain(s, null, + classLoaders[j], null); + + /* + * Create new ProtectionDomain passing null as code source, + * null as PermissionCollection, class loader + * and null as array of Principals. + */ + ProtectionDomain pdNew02 = new ProtectionDomain(null, null, + classLoaders[j], null); + + /* + * Call implies() on DynamicPolicyProvider passing + * newly created ProtectionDomains and pmAll + * permissions and verify that implies() returns true. + */ + checkImplies(pdNew01, pmAll, true, false); + checkImplies(pdNew02, pmAll, true, false); + } /* - * Call implies() on DynamicPolicyProvider passing - * newly created ProtectionDomains and pmAll - * permissions and verify that implies() returns true. + * Verify that granted permissions (aside from those granted + * with a class value of null) are not included in + * PermissionCollections returned from + * Policy.getPermissions(CodeSource). */ - checkImplies(pdNew01, pmAll, true, false); - checkImplies(pdNew02, pmAll, true, false); + callGetPermissionsNoGranted(s, pmAsided); + callGetPermissions(s, pmAll, true, null); } - - /* - * Verify that granted permissions (aside from those granted - * with a class value of null) are not included in - * PermissionCollections returned from - * Policy.getPermissions(CodeSource). - */ - callGetPermissionsNoGranted(s, pmAsided); - callGetPermissions(s, pmAll, true, null); } } -} Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/GrantNoPrincipalCase02.td URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/GrantNoPrincipalCase02.td?rev=1159939&r1=1159938&r2=1159939&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/GrantNoPrincipalCase02.td (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/GrantNoPrincipalCase02.td Sun Aug 21 03:59:29 2011 @@ -4,3 +4,7 @@ testPolicyfile=policyProviderGrant01.pol com.sun.jini.qa.harness.runkitserver=false com.sun.jini.qa.harness.runjiniserver=false com.sun.jini.qa.harness.securityproperties= +#testjvmargs=\ +#-Xdebug,\ +#-Xrunjdwp:transport=dt_socket+,address=8000+,server=y+,suspend=y,\ +#${testjvmargs} Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/util/Util.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/util/Util.java?rev=1159939&r1=1159938&r2=1159939&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/util/Util.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/util/Util.java Sun Aug 21 03:59:29 2011 @@ -94,6 +94,7 @@ public class Util { * @return status string. */ public static String fail(String msg, Exception ret, String exp) { + ret.printStackTrace(System.err); StringBuffer buf = new StringBuffer("\n"); buf.append(msg).append("\n"); buf.append(" throws: ").append(ret.toString()).append("\n"); Modified: river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/ssl/HttpsEndpoint.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/ssl/HttpsEndpoint.java?rev=1159939&r1=1159938&r2=1159939&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/ssl/HttpsEndpoint.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/ssl/HttpsEndpoint.java Sun Aug 21 03:59:29 2011 @@ -695,7 +695,7 @@ public final class HttpsEndpoint */ OutboundRequestIterator newRequest(final CallContext callContext) { return new OutboundRequestIterator() { - private boolean done; + private volatile boolean done = false; public synchronized boolean hasNext() { return !done; } Modified: river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/ssl/SslEndpointImpl.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/ssl/SslEndpointImpl.java?rev=1159939&r1=1159938&r2=1159939&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/ssl/SslEndpointImpl.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/ssl/SslEndpointImpl.java Sun Aug 21 03:59:29 2011 @@ -284,6 +284,9 @@ class SslEndpointImpl extends Utilities * XXX: Work around BugID 4892841, Subject.getPrincipals(Class) * not thread-safe against changes to principals. * -tjb[18.Jul.2003] + * + * This was fixed in Java 1.5 which is now our minimum + * supported version. */ synchronized (clientSubject.getPrincipals()) { clientPrincipals = Modified: river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/ssl/SslServerEndpointImpl.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/ssl/SslServerEndpointImpl.java?rev=1159939&r1=1159938&r2=1159939&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/ssl/SslServerEndpointImpl.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/ssl/SslServerEndpointImpl.java Sun Aug 21 03:59:29 2011 @@ -526,12 +526,12 @@ class SslServerEndpointImpl extends Util if (resolvedHost == null) { InetAddress localAddr; try { - localAddr = (InetAddress) AccessController.doPrivileged( - new PrivilegedExceptionAction() { - public Object run() throws UnknownHostException { - return InetAddress.getLocalHost(); - } - }); + localAddr = AccessController.doPrivileged( + new PrivilegedExceptionAction() { + public InetAddress run() throws UnknownHostException { + return InetAddress.getLocalHost(); + } + }); } catch (PrivilegedActionException e) { UnknownHostException uhe = (UnknownHostException) e.getCause(); @@ -803,8 +803,9 @@ class SslServerEndpointImpl extends Util private final Set connections = new HashSet(); /** Used to throttle accept failures */ + private final Object failureLock = new Object(); private long acceptFailureTime = 0; - private int acceptFailureCount; + private int acceptFailureCount = 0; /** Creates a listen handle */ SslListenHandle(RequestDispatcher requestDispatcher, @@ -936,23 +937,34 @@ class SslServerEndpointImpl extends Util final int NFAIL = 10; final int NMSEC = 5000; long now = System.currentTimeMillis(); - if (acceptFailureTime == 0L || - (now - acceptFailureTime) > NMSEC) - { - // failure time is very old, or this is first failure - acceptFailureTime = now; - acceptFailureCount = 0; - } else { - // failure window was started recently - acceptFailureCount++; - if (acceptFailureCount >= NFAIL) { - try { - Thread.sleep(10000); - } catch (InterruptedException ignore) { - } - // no need to reset counter/timer - } - } + boolean fail = false; + synchronized (failureLock){ + if (acceptFailureTime == 0L || + (now - acceptFailureTime) > NMSEC) + { + // failure time is very old, or this is first failure + acceptFailureTime = now; + acceptFailureCount = 0; + } else { + // failure window was started recently + acceptFailureCount++; + if (acceptFailureCount >= NFAIL) { + fail = true; + } + } + } + if (fail) { + try { + Thread.sleep(10000); + } catch (InterruptedException ignore) { + /* Why are we ignoring the interrupt and not + * restoring the interrupted status? + */ + Thread.currentThread().interrupt(); + } + // no need to reset counter/timer + } + return true; } Modified: river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/loader/pref/PCodeSource.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/loader/pref/PCodeSource.java?rev=1159939&r1=1159938&r2=1159939&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/loader/pref/PCodeSource.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/loader/pref/PCodeSource.java Sun Aug 21 03:59:29 2011 @@ -1,7 +1,21 @@ /* - * To change this template, choose Tools | Templates - * and open the template in the editor. + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. */ + package net.jini.loader.pref; import java.io.IOException; Modified: river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/ConcurrentPermissions.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/ConcurrentPermissions.java?rev=1159939&r1=1159938&r2=1159939&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/ConcurrentPermissions.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/ConcurrentPermissions.java Sun Aug 21 03:59:29 2011 @@ -22,25 +22,19 @@ import java.io.Serializable; import java.security.AllPermission; import java.security.Permission; import java.security.PermissionCollection; -import java.security.Permissions; -import java.security.ProtectionDomain; import java.security.UnresolvedPermission; import java.util.ArrayList; import java.util.Collections; -import java.util.ConcurrentModificationException; import java.util.Enumeration; -import java.util.HashMap; import java.util.HashSet; import java.util.Iterator; import java.util.NoSuchElementException; import java.util.Set; -import java.util.Vector; import java.util.concurrent.ConcurrentHashMap; /** - * ConcurrentPermission's is a replacement for java.security.Permissions, - * it doesn't extend Permissions. + * ConcurrentPermission's is a replacement for java.security.Permissions. * * If there is heavy contention for one Permission class * type, concurrency may suffer due to internal synchronization. @@ -54,6 +48,9 @@ import java.util.concurrent.ConcurrentHa * of elements, but makes no guarantees that new elements will be * added during an Enumeration. * + * For this reason it is not recommended that ConcurrentPermission be + * used when the result from #elements() must be correct. + * * TODO: Serialization properly * @version 0.4 2009/11/10 * @@ -100,6 +97,7 @@ implements Serializable { if (super.isReadOnly()) { throw new SecurityException("attempt to add a Permission to a readonly Permissions object"); } + if (allPermission == true) return; // Why bother adding another permission? if (permission instanceof AllPermission) {allPermission = true;} if (permission instanceof UnresolvedPermission) { unresolved.add(new PermissionPendingResolution((UnresolvedPermission)permission)); @@ -133,13 +131,10 @@ implements Serializable { PermissionCollection pc = permsMap.get(permission.getClass()); // To stop unnecessary object creation if (pc != null && pc.implies(permission)) { return true;} if (unresolved.awaitingResolution() == 0 ) { return false; } - PermissionCollection existed = null; if (pc == null){ pc = new MultiReadPermissionCollection(permission); // once added it cannot be removed atomically. - existed = permsMap.putIfAbsent(permission.getClass(), pc); - if (existed != null) { - pc = existed; - } + PermissionCollection existed = permsMap.putIfAbsent(permission.getClass(), pc); + if (existed != null) pc = existed; } unresolved.resolveCollection(permission, pc); return pc.implies(permission); @@ -178,19 +173,6 @@ implements Serializable { return new PermissionEnumerator(perms); } -// /** -// * Attempt to resolve any unresolved permissions whose class is visible -// * from within this protection domain. -// * @param pd -// */ -// public void resolve(ProtectionDomain pd){ -// if (unresolved.awaitingResolution() == 0){return;} -// Enumeration perms = unresolved.resolvePermissions(pd); -// while (perms.hasMoreElements()){ -// add(perms.nextElement()); -// } -// } - /* * This Enumeration is not intended for concurrent access, underlying * PermissionCollection's need to be protected by MultiReadPermissionCollection's @@ -202,6 +184,18 @@ implements Serializable { * @author Peter Firmstone */ private final static class PermissionEnumerator implements Enumeration { + private final static Enumeration empty = + new Enumeration(){ + + public boolean hasMoreElements() { + return false; + } + + public Permission nextElement() { + throw new NoSuchElementException("Empty enumeration"); + } + + }; private final Iterator epc; private volatile Enumeration currentPermSet; @@ -211,7 +205,9 @@ implements Serializable { } private Enumeration getNextPermSet(){ + Enumeration result = null; if (epc.hasNext()){ + Enumeration e = null; PermissionCollection pc = epc.next(); /* We only take what we need, as we need it, minimising memory use. * Each underlying PermissionCollection adds its own Enumeration. @@ -220,36 +216,37 @@ implements Serializable { */ if ( pc instanceof PermissionPendingResolutionCollection ){ Set permissionSet = new HashSet(); - Enumeration e = pc.elements(); + e = pc.elements(); while (e.hasMoreElements()) { PermissionPendingResolution p = (PermissionPendingResolution) e.nextElement(); UnresolvedPermission up = p.asUnresolvedPermission(); permissionSet.add(up); } - return Collections.enumeration(permissionSet); - } else { - Enumeration e = pc.elements(); - return e; + e = Collections.enumeration(permissionSet); + } else if (pc != null ) { + e = pc.elements(); } - } else { - Vector empty = new Vector(0); - return empty.elements(); - } + if ( e == null ) e = empty; + result = e; + } + return result; // If null end. } - public boolean hasMoreElements() { - if (currentPermSet.hasMoreElements()){return true;} - currentPermSet = getNextPermSet(); - return currentPermSet.hasMoreElements(); + public boolean hasMoreElements() { + boolean result = false; + if (currentPermSet != null ) result = currentPermSet.hasMoreElements(); + while (result == false){ + Enumeration next = getNextPermSet(); + if (next == null) return false; + currentPermSet = next; + result = currentPermSet.hasMoreElements(); + } + return result; } - public Permission nextElement() { - if (hasMoreElements()){ - return currentPermSet.nextElement(); - } else { - throw new NoSuchElementException("PermissionEnumerator"); - } + public Permission nextElement() { + return currentPermSet.nextElement(); } } Modified: river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/PermissionPendingResolutionCollection.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/PermissionPendingResolutionCollection.java?rev=1159939&r1=1159938&r2=1159939&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/PermissionPendingResolutionCollection.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/PermissionPendingResolutionCollection.java Sun Aug 21 03:59:29 2011 @@ -17,18 +17,14 @@ package net.jini.security; -import java.security.AccessController; import java.security.Permission; import java.security.PermissionCollection; -import java.security.PrivilegedAction; -import java.security.ProtectionDomain; import java.util.ArrayList; import java.util.Collection; import java.util.Collections; import java.util.Enumeration; import java.util.HashSet; import java.util.Iterator; -import java.util.List; import java.util.Set; import java.util.concurrent.ConcurrentHashMap; import java.util.concurrent.atomic.AtomicInteger; @@ -112,40 +108,6 @@ class PermissionPendingResolutionCollect } return holder; } - - //Should I be performing a privileged action? Or should it run with - // the caller thread's privileges? -// Enumeration resolvePermissions(final ProtectionDomain pd){ -// @SuppressWarnings("unchecked") -// ClassLoader cl = (ClassLoader) AccessController.doPrivileged( -// new PrivilegedAction(){ -// public Object run(){ -// ClassLoader cL = pd.getClassLoader(); -// if (cL == null){ -// cL = Thread.currentThread().getContextClassLoader(); -// } -// // This is no good because the ClassLoader is the extension loader. -// // It might stop a null ClassLoader being returned though. -// if (cL == null){ -// cL = this.getClass().getClassLoader(); -// } -// return cL; -// } -// }); -// -// -// List perms = new ArrayList(); -// Enumeration enPending = elements(); -// while (enPending.hasMoreElements()){ -// PermissionPendingResolution pendPerm = -// (PermissionPendingResolution) enPending.nextElement(); -// Permission resolved = pendPerm.resolve(cl); -// if ( resolved != null ){ -// perms.add(resolved); -// } -// } -// return Collections.enumeration(perms); -// } @Override public boolean implies(Permission permission) { Modified: river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/ConcurrentPolicyFile.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/ConcurrentPolicyFile.java?rev=1159939&r1=1159938&r2=1159939&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/ConcurrentPolicyFile.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/ConcurrentPolicyFile.java Sun Aug 21 03:59:29 2011 @@ -244,7 +244,7 @@ public class ConcurrentPolicyFile extend try { PermissionCollection perms = impliesCache.get(pd); if (perms != null) return perms; - perms = new Permissions(); + perms = new ConcurrentPermissions(); Iterator it = grants.iterator(); while (it.hasNext()){ PermissionGrant ge = it.next(); Modified: river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/PolicyFileProvider.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/PolicyFileProvider.java?rev=1159939&r1=1159938&r2=1159939&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/PolicyFileProvider.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/PolicyFileProvider.java Sun Aug 21 03:59:29 2011 @@ -61,7 +61,7 @@ public class PolicyFileProvider extends "net.jini.security.policy.PolicyFileProvider.basePolicyClass"; private static final String defaultBasePolicyClass = // Having our own implementation removes a platform dependency - "net.jini.security.policy.ConcurrentPolicyFile"; + "net.jini.security.policy.ConcurrentPolicyFile"; // "sun.security.provider.PolicyFile"; private static final String policyProperty = "java.security.policy"; private static final Object propertyLock = new Object(); Modified: river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/security/policy/util/PolicyUtils.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/security/policy/util/PolicyUtils.java?rev=1159939&r1=1159938&r2=1159939&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/security/policy/util/PolicyUtils.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/security/policy/util/PolicyUtils.java Sun Aug 21 03:59:29 2011 @@ -422,7 +422,7 @@ public class PolicyUtils { */ public static PermissionCollection toPermissionCollection(Collection perms) { - PermissionCollection pc = new Permissions(); + PermissionCollection pc = new ConcurrentPermissions(); if (perms != null) { for (Iterator iter = perms.iterator(); iter.hasNext();) { Permission element = iter.next(); Modified: river/jtsk/skunk/peterConcurrentPolicy/test/src/org/apache/river/impl/security/policy/util/PolicyEntryTest.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/test/src/org/apache/river/impl/security/policy/util/PolicyEntryTest.java?rev=1159939&r1=1159938&r2=1159939&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/test/src/org/apache/river/impl/security/policy/util/PolicyEntryTest.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/test/src/org/apache/river/impl/security/policy/util/PolicyEntryTest.java Sun Aug 21 03:59:29 2011 @@ -81,7 +81,8 @@ public class PolicyEntryTest extends Tes } /** - * Null or empty set of Principals of PolicyEntry implies any Principals; + * Null or empty set of Principals of PolicyEntry implies any Principals + * if CodeSource != null; * otherwise tested set must contain all Principals of PolicyEntry. */ public void testImpliesPrincipals() { @@ -99,7 +100,7 @@ public class PolicyEntryTest extends Tes new UnresolvedPrincipal("a.b.c", "XXX"), new UnresolvedPrincipal("e.f.g", "ZZZ") }; - assertTrue(pe.implies( (CodeSource) null, (Principal[]) null)); + assertFalse(pe.implies( (CodeSource) null, (Principal[]) null)); assertTrue(pe.implies( (CodeSource) null, pp1)); // pe = new PolicyEntry((CodeSource)null, new HashSet(),