river-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From peter_firmst...@apache.org
Subject svn commit: r1222962 - in /river/jtsk/skunk/peterConcurrentPolicy: qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/ qa/src/com/sun/jini/test/spec/policyprovider/policyFileProvider/ qa/src/com/sun/jini/test/spec/security/basicproxypreparer/ ...
Date Sat, 24 Dec 2011 11:38:28 GMT
Author: peter_firmstone
Date: Sat Dec 24 11:38:28 2011
New Revision: 1222962

URL: http://svn.apache.org/viewvc?rev=1222962&view=rev
Log:
River-323 URIGrant replaces CodeSourceGrant functionality to avoid DNS lookup.

Modified:
    river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/GetContextTest.td
    river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/policyFileProvider/UmbrellaGrants.td
    river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/security/basicproxypreparer/PrepareProxy_Test.td
    river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/jeri/internal/runtime/Target.java
    river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/PermissionComparator.java
    river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/ConcurrentPolicyFile.java
    river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/DelegateCombinerSecurityManager.java
    river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/PermissionGrantBuilderImp.java
    river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/URIGrant.java
    river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/security/policy/util/DefaultPolicyParser.java

Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/GetContextTest.td
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/GetContextTest.td?rev=1222962&r1=1222961&r2=1222962&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/GetContextTest.td
(original)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/GetContextTest.td
Sat Dec 24 11:38:28 2011
@@ -8,3 +8,6 @@ getContextJarFile=<file:lib/qa1-start-cb
 restoreContextJarFile=<file:lib/qa1-start-cb2.jar>
 checkContextActionJarFile=<file:lib/qa1-start-cb3.jar>
 include0=../start.properties
+#testjvmargs=-Xdebug,\
+#-Xrunjdwp:transport=dt_socket+,address=8000+,server=y+,suspend=y,\
+#${testjvmargs}
\ No newline at end of file

Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/policyFileProvider/UmbrellaGrants.td
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/policyFileProvider/UmbrellaGrants.td?rev=1222962&r1=1222961&r2=1222962&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/policyFileProvider/UmbrellaGrants.td
(original)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/policyFileProvider/UmbrellaGrants.td
Sat Dec 24 11:38:28 2011
@@ -7,3 +7,6 @@ FILEPOLICY01=<url: policyProviderGrant01
 FILEPOLICY02=<url: policyProviderGrant02.policy>
 FILEPOLICYUMBRELLA=<url: policyProviderUmbrellaGrant.policy>
 com.sun.jini.qa.harness.securityproperties=<url: ../securityprovider.properties>
+#testjvmargs=-Xdebug,\
+#-Xrunjdwp:transport=dt_socket+,address=8000+,server=y+,suspend=y,\
+#${testjvmargs}

Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/security/basicproxypreparer/PrepareProxy_Test.td
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/security/basicproxypreparer/PrepareProxy_Test.td?rev=1222962&r1=1222961&r2=1222962&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/security/basicproxypreparer/PrepareProxy_Test.td
(original)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/security/basicproxypreparer/PrepareProxy_Test.td
Sat Dec 24 11:38:28 2011
@@ -4,4 +4,6 @@ com.sun.jini.qa.harness.runactivation=fa
 com.sun.jini.qa.harness.runjiniserver=false
 com.sun.jini.qa.harness.runkitserver=false
 com.sun.jini.qa.harness.shared=false
-
+#testjvmargs=-Xdebug,\
+#-Xrunjdwp:transport=dt_socket+,address=8000+,server=y+,suspend=y,\
+#${testjvmargs}
\ No newline at end of file

Modified: river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/jeri/internal/runtime/Target.java
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/jeri/internal/runtime/Target.java?rev=1222962&r1=1222961&r2=1222962&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/jeri/internal/runtime/Target.java
(original)
+++ river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/jeri/internal/runtime/Target.java
Sat Dec 24 11:38:28 2011
@@ -466,7 +466,11 @@ final class Target {
                 }
             }), securityContext.getAccessControlContext());
         } catch (PrivilegedActionException e) {
-            throw (IOException) e.getException();
+            Exception ex = e.getException();
+            if ( ex instanceof IOException ) throw (IOException) ex;
+            if ( ex instanceof InterruptedException ) {
+                Thread.currentThread().interrupt();
+            }
         } finally {
             if (ccl != savedCcl || savedCcl != t.getContextClassLoader()) {
                 t.setContextClassLoader(savedCcl);

Modified: river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/PermissionComparator.java
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/PermissionComparator.java?rev=1222962&r1=1222961&r2=1222962&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/PermissionComparator.java
(original)
+++ river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/PermissionComparator.java
Sat Dec 24 11:38:28 2011
@@ -5,14 +5,44 @@ import java.security.Permission;
 import java.util.Comparator;
 
 /**
- *
- * @author peter
+ * A Comparator for Set's of permissions that avoids using equals and hashCode()
+ * 
+ * @author Peter Firmstone.
  */
 public class PermissionComparator implements Comparator<Permission> {
 
-    @Override
     public int compare(Permission o1, Permission o2) {
-        throw new UnsupportedOperationException("Not supported yet.");
+        Class c1 = o1.getClass();
+        String name1 = o1.getName();
+        String actions1 = o1.getActions();
+        Class c2 = o2.getClass();
+        String name2 = o2.getName();
+        String actions2 = o2.getActions();
+        int hash1 = hashCode(c1, name1, actions1);
+        int hash2 = hashCode(c2, name2, actions2);
+        if (hash1 < hash2) return -1;
+        if (hash1 > hash2) return 1;
+        // Identical hash codes
+        int comp = -1;
+        if (c1.equals(c2) ){
+            comp = name1.compareTo(name2);
+            if ( comp == 0 ) {
+                return actions1.compareTo(actions2);
+            }
+            return comp;
+        }
+        // If we get here, class is not equal.
+        comp = c1.toString().compareTo(c2.toString());
+        if (comp == 0 ) return -1;  // should never happen.
+        return comp;
     }
-    
+        
+    private int hashCode(Class cl, String name, String actions) {
+        int hash = 3;
+        hash = 67 * hash + cl.hashCode();
+        hash = 67 * hash + name.hashCode();
+        hash = 67 * hash + actions.hashCode();
+        return hash;
+    }
+
 }

Modified: river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/ConcurrentPolicyFile.java
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/ConcurrentPolicyFile.java?rev=1222962&r1=1222961&r2=1222962&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/ConcurrentPolicyFile.java
(original)
+++ river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/ConcurrentPolicyFile.java
Sat Dec 24 11:38:28 2011
@@ -289,7 +289,10 @@ public class ConcurrentPolicyFile extend
                         Collection<Permission> c = ge.getPermissions();
                         Iterator<Permission> i = c.iterator();
                         while (i.hasNext()){
-                            perms.add(i.next());
+                            Permission p = i.next();
+                            perms.add(p);
+                            // Don't stuff around finish early if you can.
+                            if (p instanceof AllPermission) return perms;
                         }
                     }
                 }

Modified: river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/DelegateCombinerSecurityManager.java
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/DelegateCombinerSecurityManager.java?rev=1222962&r1=1222961&r2=1222962&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/DelegateCombinerSecurityManager.java
(original)
+++ river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/DelegateCombinerSecurityManager.java
Sat Dec 24 11:38:28 2011
@@ -28,10 +28,12 @@ import java.security.PrivilegedAction;
 import java.security.ProtectionDomain;
 import java.util.ArrayList;
 import java.util.Collection;
+import java.util.Comparator;
 import java.util.HashSet;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Set;
+import java.util.TreeSet;
 import java.util.concurrent.Callable;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentMap;
@@ -43,6 +45,7 @@ import java.util.concurrent.Future;
 import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+import net.jini.security.PermissionComparator;
 import org.apache.river.api.delegates.DelegatePermission;
 import org.apache.river.impl.util.CollectionsConcurrent;
 import org.apache.river.impl.util.RC;
@@ -66,6 +69,7 @@ extends SecurityManager implements Deleg
     private final Guard g;
     private final Action action;
     private final ExecutorService executor;
+    private final Comparator<Referrer<Permission>> permCompare;
     
     public DelegateCombinerSecurityManager(){
         super();
@@ -84,7 +88,11 @@ extends SecurityManager implements Deleg
         double blocking_coefficient = 0.8; // 0 CPU intensive to 0.9 IO intensive
         int numberOfCores = Runtime.getRuntime().availableProcessors();
         int poolSize = (int) (numberOfCores / ( 1 - blocking_coefficient));
+        // If we decide to stay with an ExecutorService, we need to have a zero
+        // length SynchronousQueue and an Executor that hands the task to the calling
+        // thread if no pool threads are available.
         executor = Executors.newFixedThreadPool(poolSize);
+        permCompare = RC.comparator(new PermissionComparator());
     }
     
     @Override
@@ -96,7 +104,7 @@ extends SecurityManager implements Deleg
         Set<Permission> checkedPerms = checked.get(executionContext);
         if (checkedPerms == null){
             Set<Referrer<Permission>> internal = 
-                    CollectionsConcurrent.multiReadSet(new HashSet<Referrer<Permission>>(96));
+                    CollectionsConcurrent.multiReadSet(new TreeSet<Referrer<Permission>>(permCompare));
             checkedPerms = RC.set(internal, Ref.SOFT);
             Set<Permission> existed = checked.putIfAbsent(executionContext, checkedPerms);
             if (existed != null) checkedPerms = existed;
@@ -132,9 +140,10 @@ extends SecurityManager implements Deleg
         } 
         // Normal execution, same as SecurityManager.
         executionContext.checkPermission(perm);
+        /* It's ok to cache SocketPermission if we use a comparator */
         // If we get to here, no exceptions were thrown, we have permission.
         // Don't cache SocketPermission.
-        if (perm instanceof SocketPermission) return;
+        // if (perm instanceof SocketPermission) return;
         checkedPerms.add(perm);
     }
 

Modified: river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/PermissionGrantBuilderImp.java
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/PermissionGrantBuilderImp.java?rev=1222962&r1=1222961&r2=1222962&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/PermissionGrantBuilderImp.java
(original)
+++ river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/PermissionGrantBuilderImp.java
Sat Dec 24 11:38:28 2011
@@ -109,8 +109,8 @@ class PermissionGrantBuilderImp extends 
         if (context < 0) {
             throw new IllegalStateException("context must be >= 0");
         }
-        if (context > 4) {
-            throw new IllegalStateException("context must be <= 4");
+        if (context > 5) {
+            throw new IllegalStateException("context must be <= 5");
         }
         this.context = context;
         return this;

Modified: river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/URIGrant.java
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/URIGrant.java?rev=1222962&r1=1222961&r2=1222962&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/URIGrant.java
(original)
+++ river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/URIGrant.java
Sat Dec 24 11:38:28 2011
@@ -31,6 +31,8 @@ import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Iterator;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 
 /**
  *
@@ -108,14 +110,23 @@ class URIGrant extends CertificateGrant 
         // sun.security.provider.PolicyFile compatibility for null CodeSource is false.
         // see com.sun.jini.test.spec.policyprovider.dynamicPolicyProvider.GrantPrincipal
test.
         if (codeSource == null)  return false;
+        URL url = codeSource.getLocation();
+        if (url == null) return false;
         if (location.isEmpty()) return true;
         int l = location.size();
         URI[] uris = location.toArray(new URI[l]);
         for (int i = 0; i<l ; i++ ){
             if (uris[i] == null) return true;
         }
+        URI implied = null;
+        try {
+            implied = url.toURI();
+        } catch (URISyntaxException ex) {
+            ex.printStackTrace(System.err);
+            return false;
+        }
         for (int i = 0; i<l ; i++){
-            if (implies(uris[i], codeSource)) return true;
+            if (implies(uris[i], implied)) return true;
         }
         return false;
     }
@@ -185,7 +196,7 @@ class URIGrant extends CertificateGrant 
      * @return {@code true} if the argument code source is implied by this
      *         {@code CodeSource}, otherwise {@code false}.
      */
-    private static boolean implies(URI location, CodeSource cs) {
+    private static boolean implies(URI grant, URI implied) {
         //
         // Here, javadoc:N refers to the appropriate item in the API spec for 
         // the CodeSource.implies()
@@ -213,31 +224,31 @@ class URIGrant extends CertificateGrant 
 //        }
 
         // javadoc:3
-        if (location != null) {
+        if (grant != null) {
             
             //javadoc:3.1
-            URL otherURL = cs.getLocation();
-            if ( otherURL == null) {
-                return false;
-            }
-            URI otherURI;
-            try {
-                otherURI = otherURL.toURI();
-            } catch (URISyntaxException ex) {
-                return false;
-            }
+//            URL otherURL = cs.getLocation();
+//            if ( otherURL == null) {
+//                return false;
+//            }
+//            URI otherURI;
+//            try {
+//                otherURI = otherURL.toURI();
+//            } catch (URISyntaxException ex) {
+//                return false;
+//            }
             //javadoc:3.2
-            if (location.equals(otherURI)) {
+            if (grant.equals(implied)) {
                 return true;
             }
             //javadoc:3.3
-            if (!location.getSchemeSpecificPart().equals(otherURI.getSchemeSpecificPart()))
{
+            if (!grant.getScheme().equals(implied.getScheme())) {
                 return false;
             }
             //javadoc:3.4
-            String thisHost = location.getHost();
+            String thisHost = grant.getHost();
             if (thisHost != null) {
-                String thatHost = otherURI.getHost();
+                String thatHost = implied.getHost();
                 if (thatHost == null) {
                     return false;
                 }
@@ -332,16 +343,17 @@ class URIGrant extends CertificateGrant 
             } // if (this.location.getHost() != null)
 
             //javadoc:3.5
-            if (location.getPort() != -1) {
-                if (location.getPort() != otherURI.getPort()) {
+            if (grant.getPort() != -1) {
+                if (grant.getPort() != implied.getPort()) {
                     return false;
                 }
             }
 
             //javadoc:3.6
-            // for compatbility with URL.getFile, the Query is concatenated to the path.
-            String thisFile = location.getPath() + location.getQuery();
-            String thatFile = otherURI.getPath() + otherURI.getQuery();
+            // compatbility with URL.getFile
+            String thisFile = grant.getPath();
+            String thatFile = implied.getPath();
+            if (thatFile == null) return false;
 
             if (thisFile.endsWith("/-")) { //javadoc:3.6."/-" //$NON-NLS-1$
                 if (!thatFile.startsWith(thisFile.substring(0, thisFile
@@ -372,8 +384,8 @@ class URIGrant extends CertificateGrant 
 
             //javadoc:3.7
             // A URL Anchor is a URI Fragment.
-            if (location.getFragment() != null) {
-                if (!location.getFragment().equals(otherURI.getFragment())) {
+            if (grant.getFragment() != null) {
+                if (!grant.getFragment().equals(implied.getFragment())) {
                     return false;
                 }
             }

Modified: river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/security/policy/util/DefaultPolicyParser.java
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/security/policy/util/DefaultPolicyParser.java?rev=1222962&r1=1222961&r2=1222962&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/security/policy/util/DefaultPolicyParser.java
(original)
+++ river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/security/policy/util/DefaultPolicyParser.java
Sat Dec 24 11:38:28 2011
@@ -27,6 +27,7 @@ import java.io.File;
 import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.io.Reader;
+import java.net.URI;
 import java.net.URL;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
@@ -196,8 +197,8 @@ public class DefaultPolicyParser impleme
          * ANSWER: No we just make a CodeSourceSetGrant, that contains multiple
          * CodeSource.
          */
-        URL codebase = null;
-        List<URL> codebases = new ArrayList<URL>();
+        URI codebase = null;
+        List<URI> codebases = new ArrayList<URI>(8);
         Certificate[] signers = null;
         Set<Principal> principals = new HashSet<Principal>();
         Set<Permission> permissions = new HashSet<Permission>();
@@ -208,13 +209,13 @@ public class DefaultPolicyParser impleme
                     Collection<String> cbstr = expandURLs(cb, system);
                     Iterator<String> it = cbstr.iterator();
                     while (it.hasNext()){
-                        codebases.add(new URL(it.next()));
+                        codebases.add(new URI(it.next()));
                     }
                 } catch (ExpansionFailedException e) {
-                    codebase = new URL(cb);
+                    codebases.add(new URI(cb));
                 }
             } else {
-                codebase = new URL(cb);
+                codebases.add(new URI(cb));
             }
         }
         if ( ge.getSigners() != null) {
@@ -252,21 +253,15 @@ public class DefaultPolicyParser impleme
             }
         }
         PermissionGrantBuilder pgb = PermissionGrantBuilder.newBuilder();
-        if ( codebase != null ) {
-            pgb.codeSource(new CodeSource(codebase, signers));
-        } else if (codebases.size() == 1) {
-            pgb.codeSource(new CodeSource(codebases.get(0), signers));
-        } else if (codebases.size() > 1 ){
-            pgb.multipleCodeSources();
-            Iterator<URL> iter = codebases.iterator();
-            while (iter.hasNext()){
-                pgb.codeSource(new CodeSource(iter.next(), signers));
-            }
+        Iterator<URI> iter = codebases.iterator();
+        while (iter.hasNext()){
+            pgb.uri(iter.next());
         }
         return pgb
+            .certificates(signers)
             .principals(principals.toArray(new Principal[principals.size()]))
             .permissions(permissions.toArray(new Permission[permissions.size()]))
-            .context(PermissionGrantBuilder.CODESOURCE)
+            .context(PermissionGrantBuilder.URI)
             .build();
     }
     



Mime
View raw message