Return-Path: X-Original-To: apmail-river-commits-archive@www.apache.org Delivered-To: apmail-river-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 59209922B for ; Mon, 9 Jan 2012 13:13:58 +0000 (UTC) Received: (qmail 55243 invoked by uid 500); 9 Jan 2012 13:13:56 -0000 Delivered-To: apmail-river-commits-archive@river.apache.org Received: (qmail 55125 invoked by uid 500); 9 Jan 2012 13:13:49 -0000 Mailing-List: contact commits-help@river.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@river.apache.org Delivered-To: mailing list commits@river.apache.org Received: (qmail 54988 invoked by uid 99); 9 Jan 2012 13:13:24 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 09 Jan 2012 13:13:24 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 09 Jan 2012 13:13:16 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id 86C9A2388900; Mon, 9 Jan 2012 13:12:56 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1229137 [1/3] - in /river/jtsk/skunk/peterConcurrentPolicy: qa/harness/policy/ qa/src/com/sun/jini/qa/harness/ qa/src/com/sun/jini/qa/resources/ qa/src/com/sun/jini/test/impl/start/ qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovid... Date: Mon, 09 Jan 2012 13:12:54 -0000 To: commits@river.apache.org From: peter_firmstone@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20120109131256.86C9A2388900@eris.apache.org> Author: peter_firmstone Date: Mon Jan 9 13:12:52 2012 New Revision: 1229137 URL: http://svn.apache.org/viewvc?rev=1229137&view=rev Log: River-323. Removed caches from the policy providers DynamicPolicyProvider and ConcurrentPolicyFile. Added a new Interface ConcurrentPolicy and set up the QA tests to execute with a SecurityManager from startup, this required adding some additional permission grants to some policy files. Tidy up some corner cases with URLGrant and DelegateCombinerSecurityManager, setting context classloader for Executor threads, and avoiding circular permission checks, so all tests now pass. Added a background garbage cleaning Executor to ReferenceProcessor. Added: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/securityexceptionconstructornoaccessclass.properties (with props) river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/ConcurrentPolicy.java (with props) Removed: river/jtsk/skunk/peterConcurrentPolicy/test/src/org/apache/river/impl/security/policy/se/ Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/harness/policy/defaultsharedvm.policy river/jtsk/skunk/peterConcurrentPolicy/qa/harness/policy/defaulttest.policy river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/qa/harness/MergedPolicyProvider.java river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/qa/resources/qaDefaults.properties river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/SecurityTest.td river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/ServiceStarterCreateBadTransientServiceTest.td river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/SharedActivationPolicyPermissionActionsTest.td river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/GetContextTest.policy river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/GetContextTest.td river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/SubPoliciesTest.0.policy river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/resources/jinitest.policy river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/jeri/transport/resources/ssl.policy river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/GrantNoPrincipalCase01.td river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/SecurityExceptionConstructorNoAccessClass.td river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/policyProviderGrant01.policy river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/policyProviderGrant01.policy river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/start/AggregatePolicyProvider.java river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/start/LoaderSplitPolicyProvider.java river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/start/SharedActivationPolicyPermission.java river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/BasicInvocationDispatcher.java river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/ConcurrentPermissions.java river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/DynamicPermissionCollection.java river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/PermissionComparator.java river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/PermissionPendingResolutionCollection.java river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/ConcurrentPolicyFile.java river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/DynamicPolicyProvider.java river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/DelegateCombinerSecurityManager.java river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/PermissionGrant.java river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/PermissionGrantBuilderImp.java river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/PrincipalGrant.java river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/URIGrant.java river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/security/policy/util/DefaultPolicyParser.java river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/security/policy/util/DefaultPolicyScanner.java river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/security/policy/util/Messages.java river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/security/policy/util/PolicyUtils.java river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/util/RC.java river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/util/ReferenceCollection.java river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/util/ReferenceIterator.java river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/util/ReferenceList.java river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/util/ReferenceMap.java river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/util/ReferenceProcessor.java river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/util/ReferenceSet.java river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/util/ReferencedQueue.java river/jtsk/skunk/peterConcurrentPolicy/test/src/net/jini/security/DynamicPermissionCollectionTest.java river/jtsk/skunk/peterConcurrentPolicy/test/src/org/apache/river/impl/security/policy/util/DefaultPolicyParserTest.java river/jtsk/skunk/peterConcurrentPolicy/test/src/org/apache/river/impl/util/ReferenceCollectionTest.java Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/harness/policy/defaultsharedvm.policy URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/harness/policy/defaultsharedvm.policy?rev=1229137&r1=1229136&r2=1229137&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/harness/policy/defaultsharedvm.policy (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/harness/policy/defaultsharedvm.policy Mon Jan 9 13:12:52 2012 @@ -18,6 +18,12 @@ grant codebase "file:${com.sun.jini.jsk. permission java.security.AllPermission "", ""; }; +grant { + permission com.sun.jini.phoenix.ExecOptionPermission "*"; + // for a start test + permission com.sun.jini.phoenix.ExecPermission "/bin/javax"; +}; + grant principal javax.security.auth.x500.X500Principal "CN=Phoenix" { permission com.sun.jini.phoenix.InstantiatorPermission "*"; @@ -28,7 +34,7 @@ grant principal javax.security.auth.kerb permission com.sun.jini.phoenix.InstantiatorPermission "*"; }; -grant codebase "file:${com.sun.jini.qa.home}${/}lib{/}harness-killer.jar" { +grant codebase "file:${com.sun.jini.qa.home}${/}lib${/}harness-killer.jar" { permission com.sun.jini.start.SharedActivationPolicyPermission "jar:file:${com.sun.jini.qa.harness.harnessJar}!/harness/policy/all.policy"; permission com.sun.jini.start.SharedActivationPolicyPermission "jar:file:${com.sun.jini.qa.harness.harnessJar}!/harness/policy/policy.all"; }; Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/harness/policy/defaulttest.policy URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/harness/policy/defaulttest.policy?rev=1229137&r1=1229136&r2=1229137&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/harness/policy/defaulttest.policy (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/harness/policy/defaulttest.policy Mon Jan 9 13:12:52 2012 @@ -74,9 +74,20 @@ grant { // needed by some io tests grant { - permission java.lang.AllPermission "", ""; permission java.lang.RuntimePermission "setIO"; permission java.lang.RuntimePermission "setFactory"; permission java.net.SocketPermission "*:1024-", "connect,accept"; permission java.util.PropertyPermission "com.sun.jini.qa.spec.io.util.FakeIntegrityVerifier.throwException", "write"; }; + +// needed when using a SecurityManager from command line + +grant { + permission java.io.FilePermission "-", "read"; +}; + +grant { + permission com.sun.jini.phoenix.ExecOptionPermission "*"; + // for a start test + permission com.sun.jini.phoenix.ExecPermission "/bin/javax"; +}; Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/qa/harness/MergedPolicyProvider.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/qa/harness/MergedPolicyProvider.java?rev=1229137&r1=1229136&r2=1229137&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/qa/harness/MergedPolicyProvider.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/qa/harness/MergedPolicyProvider.java Mon Jan 9 13:12:52 2012 @@ -29,12 +29,16 @@ import java.util.Collections; import java.util.Enumeration; import java.util.HashSet; import java.util.Iterator; +import java.util.List; import java.util.StringTokenizer; import java.util.concurrent.locks.Lock; import java.util.concurrent.locks.ReentrantLock; +import net.jini.security.ConcurrentPermissions; +import net.jini.security.policy.ConcurrentPolicy; import net.jini.security.policy.PolicyInitializationException; import net.jini.security.policy.PolicyFileProvider; +import org.apache.river.api.security.PermissionGrant; /** * Security policy provider that delegates to a collection of underlying @@ -44,11 +48,11 @@ import net.jini.security.policy.PolicyFi * access to the same file, a check for read,write access would still * fail. */ -public class MergedPolicyProvider extends Policy { +public class MergedPolicyProvider extends Policy implements ConcurrentPolicy{ /** class state */ - private static final Lock lock = new ReentrantLock();; // protects first - private static boolean first = false; // Why is first static? +// private static final Lock lock = new ReentrantLock();; // protects first +// private static boolean first = false; // Why is first static? /** the collection of underlying policies */ private final Collection policies ; @@ -111,25 +115,37 @@ public class MergedPolicyProvider extend * @param source the CodeSource */ public PermissionCollection getPermissions(CodeSource source) { - Iterator it = policies.iterator(); - if (it.hasNext()) { - PermissionCollection pc = - ((Policy) it.next()).getPermissions(source); - while (it.hasNext()) { - PermissionCollection pc2 = - ((Policy) it.next()).getPermissions(source); - Enumeration en = pc2.elements(); - while (en.hasMoreElements()) { - Permission perm = (Permission) en.nextElement(); - if (!pc.implies(perm)) { - pc.add(perm); - } - } - } - return pc; - } else { - throw new IllegalStateException("No policies in provider"); - } + if (policies.isEmpty()) throw new IllegalStateException("No policies in provider"); + PermissionCollection pc = new ConcurrentPermissions(); + Iterator it = policies.iterator(); + while (it.hasNext()){ + Policy policy = it.next(); + PermissionCollection col = policy.getPermissions(source); + Enumeration e = col.elements(); + while(e.hasMoreElements()){ + pc.add(e.nextElement()); + } + } + return pc; +// Iterator it = policies.iterator(); +// if (it.hasNext()) { +// PermissionCollection pc = +// ((Policy) it.next()).getPermissions(source); +// while (it.hasNext()) { +// PermissionCollection pc2 = +// ((Policy) it.next()).getPermissions(source); +// Enumeration en = pc2.elements(); +// while (en.hasMoreElements()) { +// Permission perm = (Permission) en.nextElement(); +// if (!pc.implies(perm)) { +// pc.add(perm); +// } +// } +// } +// return pc; +// } else { +// throw new IllegalStateException("No policies in provider"); +// } } /** @@ -139,60 +155,76 @@ public class MergedPolicyProvider extend * * @param domain the ProtectionDomain */ +// public PermissionCollection getPermissions(ProtectionDomain domain) { +// Iterator it = policies.iterator(); +// ArrayList list = new ArrayList(64); +// boolean first = false; +//// lock.lock(); +//// try { +// if (it.hasNext()) { +// PermissionCollection pc = +// ((Policy) it.next()).getPermissions(domain); +// if (first) { +// first = false; +// Enumeration en = pc.elements(); +// list.add("BASE PERMISSIONS for domain " + domain); +// while (en.hasMoreElements()) { +// Permission perm = (Permission) en.nextElement(); +// list.add(perm.toString()); +// } +// first = true; +// } +// while (it.hasNext()) { +// PermissionCollection pc2 = +// ((Policy) it.next()).getPermissions(domain); +// Enumeration en = pc2.elements(); +// while (en.hasMoreElements()) { +// Permission perm = (Permission) en.nextElement(); +// if (!pc.implies(perm)) { +// if (first) { +// first = false; +// list.add("checking " + perm + " and adding"); +// first = true; +// } +// pc.add(perm); +// } else { +// if (first) { +// first = false; +// list.add("checking " + perm + " and not adding"); +// first = true; +// } +// } +// } +// } +// if (first) { +// first = false; +// for (int i = 0; i < list.size(); i++) { +// System.out.println((String) list.get(i)); +// } +// first = true; +// } +// return pc; +// } else { +// throw new IllegalStateException("No policies in provider"); +// } +//// }finally{ +//// lock.unlock(); +//// } +// } + public PermissionCollection getPermissions(ProtectionDomain domain) { - Iterator it = policies.iterator(); - ArrayList list = new ArrayList(64); - lock.lock(); - try { - if (it.hasNext()) { - PermissionCollection pc = - ((Policy) it.next()).getPermissions(domain); - if (first) { - first = false; - Enumeration en = pc.elements(); - list.add("BASE PERMISSIONS for domain " + domain); - while (en.hasMoreElements()) { - Permission perm = (Permission) en.nextElement(); - list.add(perm.toString()); - } - first = true; - } - while (it.hasNext()) { - PermissionCollection pc2 = - ((Policy) it.next()).getPermissions(domain); - Enumeration en = pc2.elements(); - while (en.hasMoreElements()) { - Permission perm = (Permission) en.nextElement(); - if (!pc.implies(perm)) { - if (first) { - first = false; - list.add("checking " + perm + " and adding"); - first = true; - } - pc.add(perm); - } else { - if (first) { - first = false; - list.add("checking " + perm + " and not adding"); - first = true; - } - } - } - } - if (first) { - first = false; - for (int i = 0; i < list.size(); i++) { - System.out.println((String) list.get(i)); - } - first = true; - } - return pc; - } else { - throw new IllegalStateException("No policies in provider"); + if (policies.isEmpty()) throw new IllegalStateException("No policies in provider"); + PermissionCollection pc = new ConcurrentPermissions(); + Iterator it = policies.iterator(); + while (it.hasNext()){ + Policy policy = it.next(); + PermissionCollection col = policy.getPermissions(domain); + Enumeration e = col.elements(); + while(e.hasMoreElements()){ + pc.add(e.nextElement()); } - }finally{ - lock.unlock(); } + return pc; } /** @@ -227,4 +259,71 @@ public class MergedPolicyProvider extend p.refresh(); } } + + @Override + public boolean isConcurrent() { + if (policies.isEmpty()) throw new IllegalStateException("No policies in provider"); + Iterator it = policies.iterator(); + while (it.hasNext()){ + Policy p = it.next(); + if (p instanceof ConcurrentPolicy){ + if (!((ConcurrentPolicy)p).isConcurrent()) return false; + } else { + return false; + } + } + return true; + } + + public PermissionGrant[] getPermissionGrants(ProtectionDomain domain) { + if (policies.isEmpty()) throw new IllegalStateException("No policies in provider"); + List perms = new ArrayList(policies.size()); + Iterator it = policies.iterator(); + int arrayLength = 0; + while (it.hasNext()){ + Policy p = it.next(); + if (p instanceof ConcurrentPolicy){ + PermissionGrant [] g = ((ConcurrentPolicy)p).getPermissionGrants(domain); + arrayLength = arrayLength + g.length; + perms.add(g); + } + } + PermissionGrant [] result = new PermissionGrant[arrayLength]; + int index = 0; + Iterator grants = perms.iterator(); + while (grants.hasNext()){ + PermissionGrant [] g = grants.next(); + int l = g.length; + for (int i = 0; i < l; i++, index++){ + result[index] = g[i]; + } + } + return result; + } + + public PermissionGrant[] getPermissionGrants() { + if (policies.isEmpty()) throw new IllegalStateException("No policies in provider"); + List perms = new ArrayList(policies.size()); + Iterator it = policies.iterator(); + int arrayLength = 0; + while (it.hasNext()){ + Policy p = it.next(); + if (p instanceof ConcurrentPolicy){ + PermissionGrant [] g = ((ConcurrentPolicy)p).getPermissionGrants(); + arrayLength = arrayLength + g.length; + perms.add(g); + } + } + PermissionGrant [] result = new PermissionGrant[arrayLength]; + int index = 0; + Iterator grants = perms.iterator(); + while (grants.hasNext()){ + PermissionGrant [] g = grants.next(); + int l = g.length; + for (int i = 0; i < l; i++, index++){ + result[index] = g[i]; + } + } + return result; + } } Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/qa/resources/qaDefaults.properties URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/qa/resources/qaDefaults.properties?rev=1229137&r1=1229136&r2=1229137&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/qa/resources/qaDefaults.properties (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/qa/resources/qaDefaults.properties Mon Jan 9 13:12:52 2012 @@ -210,10 +210,11 @@ com.sun.jini.qa.harness.actdeathdelay=5 # system property if that property is defined. The '-OD' marker flags this # property as optional. If the property is not defined as a system property # or in any configuration file, then the property will not be set on the VM. -# +# # You might find the following debugging options useful # -Djava.security.debug=access:failure,\ # -Djava.security.manager=com.sun.jini.tool.ProfilingSecurityManager,\ +# -Djava.security.manager=org.apache.river.api.security.DelegateCombinerSecurityManager,\ # -Dpolicy.provider=net.jini.security.policy.DynamicPolicyProvider,\ # -Djava.security.manager=java.rmi.RMISecurityManager,\ Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/SecurityTest.td URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/SecurityTest.td?rev=1229137&r1=1229136&r2=1229137&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/SecurityTest.td (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/SecurityTest.td Mon Jan 9 13:12:52 2012 @@ -3,7 +3,10 @@ testCategories=start,start_impl #testClasspath=${com.sun.jini.qa.home}$/lib$/harness.jar$:${com.sun.jini.qa.home}$/lib$/qa1-start-tests.jar$:${com.sun.jini.qa.home}$/lib$/$qajinidep$:${com.sun.jini.jsk.home}$/lib$/jsk-platform.jar testClasspath=$:$:${com.sun.jini.jsk.home}$/lib$/jsk-platform.jar$:${com.sun.jini.jsk.home}$/lib$/jsk-lib.jar - +#testjvmargs=\ +#-Xdebug,\ +#-Xrunjdwp:transport=dt_socket+,address=8000+,server=y+,suspend=y,\ +#${testjvmargs} /******************************************************************************* * Test-specific property files @@ -15,7 +18,8 @@ com.sun.jini.test.impl.start.SecurityTes com.sun.jini.test.impl.start.SecurityTest1.codebase=http://${HOST}:${com.sun.jini.test.port}/qa1-start-testservice1-dl.jar com.sun.jini.test.impl.start.SecurityTest1.policyfile= com.sun.jini.test.impl.start.SecurityTest1.log=none -com.sun.jini.test.impl.start.SecurityTest1.serverjvmargs= +com.sun.jini.test.impl.start.SecurityTest1.serverjvmargs=-Dnet.jini.security.policy.PolicyFileProvider.basePolicyClass=sun.security.provider.PolicyFile,\ +-Dnet.jini.security.policy.DynamicPolicyProvider.basePolicyClass=net.jini.security.policy.PolicyFileProvider com.sun.jini.test.impl.start.SecurityTest1.serviceConfiguration=/testservice.config> com.sun.jini.test.impl.start.SecurityTest1.starterConfiguration=/testservice.config> com.sun.jini.test.impl.start.SecurityTest1.host=master Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/ServiceStarterCreateBadTransientServiceTest.td URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/ServiceStarterCreateBadTransientServiceTest.td?rev=1229137&r1=1229136&r2=1229137&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/ServiceStarterCreateBadTransientServiceTest.td (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/ServiceStarterCreateBadTransientServiceTest.td Mon Jan 9 13:12:52 2012 @@ -1,3 +1,7 @@ testClass=ServiceStarterCreateBadTransientServiceTest testCategories=start,start_impl include0=start.properties +#testjvmargs=\ +#-Xdebug,\ +#-Xrunjdwp:transport=dt_socket+,address=8000+,server=y+,suspend=y,\ +#${testjvmargs} \ No newline at end of file Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/SharedActivationPolicyPermissionActionsTest.td URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/SharedActivationPolicyPermissionActionsTest.td?rev=1229137&r1=1229136&r2=1229137&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/SharedActivationPolicyPermissionActionsTest.td (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/SharedActivationPolicyPermissionActionsTest.td Mon Jan 9 13:12:52 2012 @@ -1,3 +1,7 @@ testClass=SharedActivationPolicyPermissionActionsTest testCategories=start,start_impl include0=start.properties +#testjvmargs=\ +#-Xdebug,\ +#-Xrunjdwp:transport=dt_socket+,address=8000+,server=y+,suspend=y,\ +#${testjvmargs} Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/GetContextTest.policy URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/GetContextTest.policy?rev=1229137&r1=1229136&r2=1229137&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/GetContextTest.policy (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/GetContextTest.policy Mon Jan 9 13:12:52 2012 @@ -25,8 +25,14 @@ grant codebase "file:${com.sun.jini.qa.h permission java.security.AllPermission "", ""; }; -grant codeBase "file:${java.home}/lib/ext/*" { - permission java.security.AllPermission; +//grant codeBase "file:${java.home}/lib/ext/*" { +// permission java.security.AllPermission; +//}; + +// For SecurityManager used from command line +grant codeBase "file:${com.sun.jini.qa.home}${/}lib${/}qa1-start-tests.jar" { + permission java.io.FilePermission "-", "read"; + permission java.lang.RuntimePermission "getProtectionDomain"; }; grant { Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/GetContextTest.td URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/GetContextTest.td?rev=1229137&r1=1229136&r2=1229137&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/GetContextTest.td (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/GetContextTest.td Mon Jan 9 13:12:52 2012 @@ -9,7 +9,6 @@ restoreContextJarFile= include0=../start.properties #testjvmargs=\ -#-Djava.security.debug=access,\ #-Xdebug,\ #-Xrunjdwp:transport=dt_socket+,address=8000+,server=y+,suspend=y,\ #${testjvmargs} \ No newline at end of file Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/SubPoliciesTest.0.policy URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/SubPoliciesTest.0.policy?rev=1229137&r1=1229136&r2=1229137&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/SubPoliciesTest.0.policy (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/SubPoliciesTest.0.policy Mon Jan 9 13:12:52 2012 @@ -25,8 +25,15 @@ grant codebase "file:${com.sun.jini.qa.h permission java.security.AllPermission "", ""; }; -grant codeBase "file:${java.home}/lib/ext/*" { - permission java.security.AllPermission; +grant codeBase "file:${{java.ext.dirs}}/*" { + permission java.security.AllPermission; +}; + + +// For SecurityManager used from command line +grant codeBase "file:${com.sun.jini.qa.home}${/}lib${/}qa1-start-tests.jar" { + //permission java.io.FilePermission "-", "read"; + permission java.lang.RuntimePermission "getProtectionDomain"; }; grant { @@ -39,10 +46,12 @@ grant { permission java.lang.RuntimePermission "createClassLoader"; permission java.lang.RuntimePermission "setContextClassLoader"; permission java.lang.RuntimePermission "setSecurityManager"; + permission java.lang.RuntimePermission "getProtectionDomain"; permission java.util.PropertyPermission "java.security.policy", "read,write"; permission java.security.SecurityPermission "getProperty.*"; permission java.security.SecurityPermission "setPolicy"; + permission java.security.SecurityPermission "getPolicy"; permission java.util.PropertyPermission "*", "read"; }; Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/resources/jinitest.policy URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/resources/jinitest.policy?rev=1229137&r1=1229136&r2=1229137&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/resources/jinitest.policy (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/resources/jinitest.policy Mon Jan 9 13:12:52 2012 @@ -8,12 +8,19 @@ grant codebase "file:${com.sun.jini.test }; grant { - permission java.security.AllPermission "", ""; permission java.util.PropertyPermission "java.system.class.loader", "read"; permission java.io.FilePermission "${com.sun.jini.test.home}${/}lib${/}-", "read"; permission java.util.PropertyPermission "com.sun.jini.reggie.enableImplToStubReplacement", "read"; }; +grant { + permission com.sun.jini.phoenix.ExecOptionPermission "*"; + // for a start test + permission com.sun.jini.phoenix.ExecPermission "/bin/javax"; + permission java.util.PropertyPermission "FILEPOLICY02", "read"; + permission java.security.SecurityPermission "getPolicy"; +}; + grant codebase "file:${com.sun.jini.test.home}${/}lib${/}qa1-start-tests.jar" { permission java.security.AllPermission "", ""; }; Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/jeri/transport/resources/ssl.policy URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/jeri/transport/resources/ssl.policy?rev=1229137&r1=1229136&r2=1229137&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/jeri/transport/resources/ssl.policy (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/jeri/transport/resources/ssl.policy Mon Jan 9 13:12:52 2012 @@ -43,6 +43,11 @@ grant principal "server" { "accept,connect"; }; +grant { + permission java.lang.RuntimePermission "setIO"; + permission java.lang.RuntimePermission "getenv.SOUL"; +}; + /** * The following grant is only used during test development when the * tests do not reside inside qa1.jar Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/GrantNoPrincipalCase01.td URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/GrantNoPrincipalCase01.td?rev=1229137&r1=1229136&r2=1229137&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/GrantNoPrincipalCase01.td (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/GrantNoPrincipalCase01.td Mon Jan 9 13:12:52 2012 @@ -4,3 +4,7 @@ testPolicyfile=policyProviderGrant01.pol com.sun.jini.qa.harness.runkitserver=false com.sun.jini.qa.harness.runjiniserver=false com.sun.jini.qa.harness.securityproperties= +#testjvmargs=\ +#-Xdebug,\ +#-Xrunjdwp:transport=dt_socket+,address=8000+,server=y+,suspend=y,\ +#${testjvmargs} \ No newline at end of file Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/SecurityExceptionConstructorNoAccessClass.td URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/SecurityExceptionConstructorNoAccessClass.td?rev=1229137&r1=1229136&r2=1229137&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/SecurityExceptionConstructorNoAccessClass.td (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/SecurityExceptionConstructorNoAccessClass.td Mon Jan 9 13:12:52 2012 @@ -3,4 +3,5 @@ testCategories=policyprovider,policyprov testPolicyfile=policyProviderNoAccessClass.policy com.sun.jini.qa.harness.runkitserver=false com.sun.jini.qa.harness.runjiniserver=false -com.sun.jini.qa.harness.securityproperties= \ No newline at end of file +com.sun.jini.qa.harness.securityproperties= +#com.sun.jini.qa.harness.securityproperties= Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/policyProviderGrant01.policy URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/policyProviderGrant01.policy?rev=1229137&r1=1229136&r2=1229137&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/policyProviderGrant01.policy (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/policyProviderGrant01.policy Mon Jan 9 13:12:52 2012 @@ -23,6 +23,10 @@ grant codebase "file:${com.sun.jini.qa.h //permission java.lang.RuntimePermission "modifyThreadGroup"; }; +grant codebase "file:${com.sun.jini.qa.home}${/}lib${/}jiniharness.jar" { + permission java.security.AllPermission "", ""; +}; + grant codebase "file:${com.sun.jini.qa.home}${/}lib${/}jinitests.jar" { }; @@ -58,6 +62,7 @@ grant { permission java.security.SecurityPermission "getDomainCombiner"; permission java.security.SecurityPermission "createAccessControlContext"; permission java.lang.RuntimePermission "accessClassInPackage.sun.misc"; + permission java.util.PropertyPermission "FILEPOLICY02", "read"; }; /* Added: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/securityexceptionconstructornoaccessclass.properties URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/securityexceptionconstructornoaccessclass.properties?rev=1229137&view=auto ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/securityexceptionconstructornoaccessclass.properties (added) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/securityexceptionconstructornoaccessclass.properties Mon Jan 9 13:12:52 2012 @@ -0,0 +1,6 @@ +# Java security properties file which overrides the harness supplied +# file so that the MergedPolicyProvider is not used, which would interfere +# with the correct operation of these tests +# The test only checks for permission to access class in package sun.security.provider +net.jini.security.policy.DynamicPolicyProvider.basePolicyClass=net.jini.security.policy.PolicyFileProvider +net.jini.security.policy.PolicyFileProvider.basePolicyClass=sun.security.provider.PolicyFile \ No newline at end of file Propchange: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/securityexceptionconstructornoaccessclass.properties ------------------------------------------------------------------------------ svn:eol-style = native Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/policyProviderGrant01.policy URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/policyProviderGrant01.policy?rev=1229137&r1=1229136&r2=1229137&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/policyProviderGrant01.policy (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/policyProviderGrant01.policy Mon Jan 9 13:12:52 2012 @@ -19,6 +19,10 @@ grant codebase "file:${com.sun.jini.jsk. permission java.security.AllPermission "", ""; }; +grant codebase "file:${com.sun.jini.qa.home}${/}lib${/}jiniharness.jar" { + permission java.security.AllPermission "", ""; +}; + /* end grants required for SecurityManager during startup. */ grant { Modified: river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/start/AggregatePolicyProvider.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/start/AggregatePolicyProvider.java?rev=1229137&r1=1229136&r2=1229137&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/start/AggregatePolicyProvider.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/start/AggregatePolicyProvider.java Mon Jan 9 13:12:52 2012 @@ -33,15 +33,18 @@ import java.security.Policy; import java.security.ProtectionDomain; import java.security.Security; import java.security.SecurityPermission; +import java.util.Map; +import java.util.WeakHashMap; import java.util.concurrent.ConcurrentHashMap; import java.util.concurrent.ConcurrentMap; import java.util.concurrent.locks.Lock; -import java.util.concurrent.locks.ReadWriteLock; -import java.util.concurrent.locks.ReentrantReadWriteLock; +import java.util.concurrent.locks.ReentrantLock; import net.jini.security.SecurityContext; +import net.jini.security.policy.ConcurrentPolicy; import net.jini.security.policy.DynamicPolicy; import net.jini.security.policy.PolicyInitializationException; import net.jini.security.policy.SecurityContextSource; +import org.apache.river.api.security.PermissionGrant; import org.apache.river.impl.util.RC; import org.apache.river.impl.util.Ref; import org.apache.river.impl.util.Referrer; @@ -74,7 +77,7 @@ import org.apache.river.impl.util.Referr * @since 2.0 */ public class AggregatePolicyProvider - extends Policy implements DynamicPolicy, SecurityContextSource + extends Policy implements DynamicPolicy, SecurityContextSource, ConcurrentPolicy { private static final String mainPolicyClassProperty = "com.sun.jini.start.AggregatePolicyProvider.mainPolicyClass"; @@ -93,21 +96,19 @@ public class AggregatePolicyProvider } }); - private final ConcurrentMap subPolicies = - RC.concurrentMap( - new ConcurrentHashMap,Referrer>(), - Ref.WEAK, Ref.STRONG); + private final Map subPolicies = new WeakHashMap();// protected by lock // The cache is used to avoid repeat security checks, the subPolicies map // cannot be used to cache child ClassLoaders because their policy could // change if a policy is updated. private final ConcurrentMap subPolicyChildClassLoaderCache = // put protected by policyRead RC.concurrentMap( // clear protected by policyWrite new ConcurrentHashMap,Referrer>(), - Ref.WEAK, Ref.STRONG); - private final ReadWriteLock policyUpdate = new ReentrantReadWriteLock(); - private final Lock policyRead = policyUpdate.readLock(); - private final Lock policyWrite = policyUpdate.writeLock(); - private Policy mainPolicy; // protected by policyUpdate + Ref.WEAK_IDENTITY, Ref.STRONG); +// private final ReadWriteLock policyUpdate = new ReentrantReadWriteLock(); +// private final Lock policyRead = policyUpdate.readLock(); +// private final Lock policyWrite = policyUpdate.writeLock(); + private final Lock lock = new ReentrantLock(); + private volatile Policy mainPolicy; // protected by policyUpdate /** * Creates a new AggregatePolicyProvider instance, containing @@ -230,6 +231,30 @@ public class AggregatePolicyProvider public void refresh() { getCurrentSubPolicy().refresh(); } + + public boolean isConcurrent() { + Policy p = getCurrentSubPolicy(); + if (p instanceof ConcurrentPolicy){ + return ((ConcurrentPolicy)p).isConcurrent(); + } + return false; + } + + public PermissionGrant[] getPermissionGrants(ProtectionDomain domain) { + Policy p = getCurrentSubPolicy(); + if (p instanceof ConcurrentPolicy){ + return ((ConcurrentPolicy)p).getPermissionGrants(domain); + } + return new PermissionGrant[0]; + } + + public PermissionGrant[] getPermissionGrants() { + Policy p = getCurrentSubPolicy(); + if (p instanceof ConcurrentPolicy){ + return ((ConcurrentPolicy)p).getPermissionGrants(); + } + return new PermissionGrant[0]; + } /** * Changes sub-policy association with given class loader. If @@ -258,7 +283,7 @@ public class AggregatePolicyProvider if (sm != null) { sm.checkPermission(new SecurityPermission("setPolicy")); } - policyWrite.lock(); + lock.lock(); try { if (loader != null) { if (subPolicy != null) { @@ -273,8 +298,9 @@ public class AggregatePolicyProvider mainPolicy = subPolicy; } subPolicyChildClassLoaderCache.clear(); + subPolicyChildClassLoaderCache.putAll(subPolicies); } finally { - policyWrite.unlock(); + lock.unlock(); } } @@ -396,46 +422,39 @@ public class AggregatePolicyProvider */ private Policy getCurrentSubPolicy() { final Thread t = Thread.currentThread(); - if (!trustGetContextClassLoader(t)) { - policyRead.lock(); - try { - return mainPolicy; - }finally{ - policyRead.unlock(); - } - } - ClassLoader ccl = getContextClassLoader(); - Policy policy = subPolicies.get(ccl); - if (policy == null) policy = subPolicyChildClassLoaderCache.get(ccl); - if (policy == null) policy = lookupSubPolicy(ccl); - return policy; - + boolean trust = trustGetContextClassLoader(t); + ClassLoader ccl = trust ? getContextClassLoader() : null; + if ( ccl == null ) return mainPolicy; + Policy policy = subPolicyChildClassLoaderCache.get(ccl); // just a cache. + if ( policy != null ) return policy; + lock.lock(); + try { + policy = lookupSubPolicy(ccl); + return policy; + }finally{ + lock.unlock(); + } } /** * Returns sub-policy associated with the given class loader. This method - * should only be called when already synchronized on subPolicies. + * should only be called when already synchronized on lock. */ private Policy lookupSubPolicy(final ClassLoader ldr) { return AccessController.doPrivileged( new PrivilegedAction() { public Policy run() { Policy p = null; - policyRead.lock(); - try { - for (ClassLoader l = ldr; l != null; l = l.getParent()) { - p = subPolicies.get(l); - if (p != null) break; - } - if (p == null) p = mainPolicy; - Policy exists = - subPolicyChildClassLoaderCache.putIfAbsent(ldr, p); - if ( exists != null && p != exists ) - throw new IllegalStateException("Policy Mutation occured"); - return p; - }finally{ - policyRead.unlock(); + for (ClassLoader l = ldr; l != null; l = l.getParent()) { + p = subPolicies.get(l); + if (p != null) break; } + if (p == null) p = mainPolicy; + Policy exists = + subPolicyChildClassLoaderCache.putIfAbsent(ldr, p); + if ( exists != null && p != exists ) + throw new IllegalStateException("Policy Mutation occured"); + return p; } }); } Modified: river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/start/LoaderSplitPolicyProvider.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/start/LoaderSplitPolicyProvider.java?rev=1229137&r1=1229136&r2=1229137&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/start/LoaderSplitPolicyProvider.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/start/LoaderSplitPolicyProvider.java Mon Jan 9 13:12:52 2012 @@ -30,6 +30,14 @@ import java.security.Policy; import java.security.Principal; import java.security.PrivilegedAction; import java.security.ProtectionDomain; +import java.util.Map; +import java.util.concurrent.ConcurrentHashMap; +import java.util.concurrent.ConcurrentMap; +import net.jini.security.policy.ConcurrentPolicy; +import org.apache.river.api.security.PermissionGrant; +import org.apache.river.impl.util.RC; +import org.apache.river.impl.util.Ref; +import org.apache.river.impl.util.Referrer; /** * Security policy provider which handles permission queries and grants by @@ -51,17 +59,17 @@ import java.security.ProtectionDomain; public class LoaderSplitPolicyProvider extends Policy implements DynamicPolicy { - private static final ProtectionDomain myDomain = (ProtectionDomain) - AccessController.doPrivileged(new PrivilegedAction() { - public Object run() { - return LoaderSplitPolicyProvider.class.getProtectionDomain(); - } - }); + private static final ProtectionDomain myDomain = + AccessController.doPrivileged(new PrivilegedAction() { + public ProtectionDomain run() { + return LoaderSplitPolicyProvider.class.getProtectionDomain(); + } + }); private final ClassLoader loader; private final Policy loaderPolicy; private final Policy defaultPolicy; - private final WeakIdentityMap delegateMap = new WeakIdentityMap(); + private final ConcurrentMap delegateMap; /** * Creates a new LoaderSplitPolicyProvider instance which @@ -90,6 +98,9 @@ public class LoaderSplitPolicyProvider this.loader = loader; this.loaderPolicy = loaderPolicy; this.defaultPolicy = defaultPolicy; + delegateMap = RC.concurrentMap( + new ConcurrentHashMap,Referrer>() + ,Ref.WEAK_IDENTITY , Ref.STRONG); ensureDependenciesResolved(); } @@ -155,7 +166,7 @@ public class LoaderSplitPolicyProvider loaderPolicy.refresh(); defaultPolicy.refresh(); } - + /** * Returns true if both of the underlying policy providers * implement {@link DynamicPolicy} and return true from calls @@ -241,33 +252,28 @@ public class LoaderSplitPolicyProvider */ return loaderPolicy; } - Policy p; - synchronized (delegateMap) { - p = (Policy) delegateMap.get(ldr); - } + Policy p = delegateMap.get(ldr); if (p == null) { - p = (Policy) AccessController.doPrivileged(new PrivilegedAction() { - public Object run() { - for (ClassLoader l = ldr; l != null; l = l.getParent()) - { - if (l == loader) { - return loaderPolicy; - } - } - return defaultPolicy; - } - }); - synchronized (delegateMap) { - delegateMap.put(ldr, p); - } + p = AccessController.doPrivileged(new PrivilegedAction() { + public Policy run() { + for (ClassLoader l = ldr; l != null; l = l.getParent()) + { + if (l == loader) { + return loaderPolicy; + } + } + return defaultPolicy; + } + }); + delegateMap.putIfAbsent(ldr, p); } return p; } private static ClassLoader getClassLoader(final Class cl) { - return (ClassLoader) AccessController.doPrivileged( - new PrivilegedAction() { - public Object run() { return cl.getClassLoader(); } - }); + return AccessController.doPrivileged( + new PrivilegedAction() { + public ClassLoader run() { return cl.getClassLoader(); } + }); } } Modified: river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/start/SharedActivationPolicyPermission.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/start/SharedActivationPolicyPermission.java?rev=1229137&r1=1229136&r2=1229137&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/start/SharedActivationPolicyPermission.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/start/SharedActivationPolicyPermission.java Mon Jan 9 13:12:52 2012 @@ -71,7 +71,7 @@ public final class SharedActivationPolic * target of the implies() checks. * @serial */ - private /*final*/ FilePermission policyPermission; + private final Permission policyPermission; /** * Constructor that creates a @@ -81,7 +81,7 @@ public final class SharedActivationPolic public SharedActivationPolicyPermission(String policy) { //TBD - check for null args super(policy); - init(policy); + policyPermission = init(policy); } /** @@ -94,13 +94,13 @@ public final class SharedActivationPolic public SharedActivationPolicyPermission(String policy, String action) { //TBD - check for null args super(policy); - init(policy); + policyPermission = init(policy); } /** * Contains common code to all constructors. */ - private void init(final String policy) { + private Permission init(final String policy) { /* * In order to leverage the FilePermission logic * we need to make sure that forward slashes ("/"), in @@ -110,6 +110,7 @@ public final class SharedActivationPolic * http://host:port/* matches http://host:port/bogus.jar under * UNIX, but not under Windows since "\*" is the wildcard there. */ + if (policy == null) throw new NullPointerException("Null policy string not allowed"); String uncanonicalPath = null; try { URL url = new URL(policy); @@ -123,7 +124,7 @@ public final class SharedActivationPolic uncanonicalPath = policy; } - policyPermission = new FilePermission(uncanonicalPath, "read"); + return new FilePermission(uncanonicalPath, "read"); } // javadoc inherited from superclass Modified: river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/BasicInvocationDispatcher.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/BasicInvocationDispatcher.java?rev=1229137&r1=1229136&r2=1229137&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/BasicInvocationDispatcher.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/BasicInvocationDispatcher.java Mon Jan 9 13:12:52 2012 @@ -44,6 +44,7 @@ import java.security.AccessControlExcept import java.security.AccessController; import java.security.CodeSource; import java.security.Permission; +import java.security.Policy; import java.security.Principal; import java.security.PrivilegedAction; import java.security.ProtectionDomain; @@ -910,7 +911,8 @@ public class BasicInvocationDispatcher i } } }); - if (System.getSecurityManager() == null) { + SecurityManager sm = System.getSecurityManager(); + if (sm == null) { return; } ProtectionDomain pd; @@ -934,6 +936,11 @@ public class BasicInvocationDispatcher i } boolean ok = pd.implies(permission); // XXX what about logging + if (logger.isLoggable(Level.FINE)){ + Policy p = Policy.getPolicy(); + logger.log(Level.FINE, "SecurityManager: " + sm + "\nPolicy: " + p + + "\nProtectionDomain: " + pd); + } if (!ok) { throw new AccessControlException("access denied " + permission); } Modified: river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/ConcurrentPermissions.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/ConcurrentPermissions.java?rev=1229137&r1=1229136&r2=1229137&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/ConcurrentPermissions.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/ConcurrentPermissions.java Mon Jan 9 13:12:52 2012 @@ -34,6 +34,7 @@ import java.util.List; import java.util.Map; import java.util.NoSuchElementException; import java.util.Set; +import java.util.Vector; import java.util.concurrent.ConcurrentHashMap; @@ -102,7 +103,11 @@ implements Serializable { throw new SecurityException("attempt to add a Permission to a readonly Permissions object"); } if (allPermission == true) return; // Why bother adding another permission? - if (permission instanceof AllPermission) {allPermission = true;} + if (permission instanceof AllPermission) { + allPermission = true; + permsMap.clear(); + unresolved.clear(); + } if (permission instanceof UnresolvedPermission) { unresolved.add(new PermissionPendingResolution((UnresolvedPermission)permission)); } @@ -162,6 +167,11 @@ implements Serializable { */ @Override public Enumeration elements() { + if (allPermission == true){ + Vector a = new Vector(1); + a.add(0, new AllPermission()); + return a.elements(); + } ArrayList elem = new ArrayList(permsMap.size() + unresolved.awaitingResolution() + 2); @@ -214,8 +224,6 @@ implements Serializable { PermissionCollection pc = epc.next(); /* We only take what we need, as we need it, minimising memory use. * Each underlying PermissionCollection adds its own Enumeration. - * MultiReadPermissionCollection caches the elements so we - * are protected from ConcurrentModificationException's */ if ( pc instanceof PermissionPendingResolutionCollection ){ Set permissionSet = new HashSet(); Modified: river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/DynamicPermissionCollection.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/DynamicPermissionCollection.java?rev=1229137&r1=1229136&r2=1229137&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/DynamicPermissionCollection.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/DynamicPermissionCollection.java Mon Jan 9 13:12:52 2012 @@ -31,6 +31,7 @@ import java.util.Collection; import java.util.Collections; import java.util.Comparator; import java.util.Enumeration; +import java.util.TreeSet; import java.util.concurrent.locks.Lock; import java.util.concurrent.locks.ReentrantLock; import org.apache.river.impl.util.CollectionsConcurrent; @@ -38,7 +39,8 @@ import org.apache.river.impl.util.Collec /** * This homogenous PermissionCollection is designed to overcome some shortfalls with existing * PermissionCollection's that block for potentially long durations - * on implies(), like SocketPermissionCollection. + * on implies(), like SocketPermissionCollection, provided that there new + * Permission objects are not added, as this may cause delayed blocking. * * @author peter */ @@ -55,7 +57,8 @@ final class DynamicPermissionCollection private volatile boolean noPC; DynamicPermissionCollection(Comparator c, Class cl){ - perms = CollectionsConcurrent.multiReadCollection(new ArrayList()); + perms = CollectionsConcurrent.multiReadCollection( + new TreeSet(new PermissionComparator()) ); this.cl = cl; comp = c; lock = new ReentrantLock(); Modified: river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/PermissionComparator.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/PermissionComparator.java?rev=1229137&r1=1229136&r2=1229137&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/PermissionComparator.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/PermissionComparator.java Mon Jan 9 13:12:52 2012 @@ -1,51 +1,149 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ package net.jini.security; import java.io.Serializable; import java.security.Permission; +import java.security.UnresolvedPermission; +import java.security.cert.Certificate; +import java.util.Arrays; import java.util.Comparator; /** - * A Comparator for Set's of permissions that avoids using equals and hashCode() + * A Comparator for Permission that avoids using equals and hashCode() on + * Permission implementations. + * + * This comparator orders the Permission first by Class, then Name, followed + * by Actions. + * + * Class is sorted by class hashcode. + * + * Name is sorted using Unicode character order, so wildcards "*" and + * characters will preceed numbers, which will preceed letters. + * + * The comparator must be as fast as possible, the common case is not equal, + * so that must be very fast. + * + * Note that for SocketPermissionCollection that the desired order to add to + * SocketPermission's is in , with the most likely permissions added last. + * + * HINT: Use a NavigableMap to return a reverse order iterator for + * PermissionCollection's like SocketPermissionCollection and + * FilePermissionCollection. * * @author Peter Firmstone. */ public class PermissionComparator implements Comparator, Serializable { private static final long serialVersionUID = 1L; + private static final char wildcard = "*".charAt(0); public int compare(Permission o1, Permission o2) { if (o1 == o2) return 0; + + if ( o1 == null ){ + if (o2 == null) return 0; + return -1; // o1 is less + } + if ( o2 == null ) return 1; // o1 is greater + + int hash1, hash2, comparison; + // Permission not equal if Class hashCode not equal. Class c1 = o1.getClass(); - String name1 = o1.getName(); - String actions1 = o1.getActions(); Class c2 = o2.getClass(); - String name2 = o2.getName(); - String actions2 = o2.getActions(); - int hash1 = hashCode(c1, name1, actions1); - int hash2 = hashCode(c2, name2, actions2); + hash1 = c1.hashCode(); + hash2 = c2.hashCode(); if (hash1 < hash2) return -1; if (hash1 > hash2) return 1; - // Identical hash codes - int comp = -1; - if (c1.equals(c2) ){ - comp = name1.compareTo(name2); - if ( comp == 0 ) { - return actions1.compareTo(actions2); + //hashcodes equal. + if (o1 instanceof UnresolvedPermission && o2 instanceof UnresolvedPermission){ + // Special case + UnresolvedPermission u1 = (UnresolvedPermission) o1, u2 = (UnresolvedPermission) o2; + String type1 = u1.getUnresolvedType(), type2 = u2.getUnresolvedType(); + if ( type1 == null ){ + if (type2 == null) return 0; + return -1; // o1 is less + } + if ( type2 == null ) return 1; // o1 is greater + comparison = type1.compareTo(type2); + if ( comparison != 0 ) return comparison; + // types equal. + String name1 = u1.getUnresolvedName(), name2 = u2.getUnresolvedName(); + if ( name1 == null ){ + if (name2 == null) return 0; + return -1; // o1 is less + } + if ( name2 == null ) return 1; // o1 is greater + comparison = name1.compareTo(name2); + if ( comparison != 0 ) return comparison; + // names equal. + String action1 = u1.getUnresolvedName(), action2 = u2.getUnresolvedName(); + if ( action1 == null ){ + if (action2 == null) return 0; + return -1; // o1 is less + } + if ( action2 == null ) return 1; // o1 is greater + comparison = action1.compareTo(action2); + if ( comparison != 0 ) return comparison; + // actions equal. + Certificate[] cert1 = u1.getUnresolvedCerts(), cert2 = u2.getUnresolvedCerts(); + if ( cert1 == null ){ + if (cert2 == null) return 0; + return -1; // o1 is less } - return comp; + if ( cert2 == null ) return 1; // o1 is greater + int l1 = cert1.length, l2 = cert2.length; + if (l1 < l2 ) return -1; + if (l1 > l2 ) return 1; + // Same length cert arrays. + if (Arrays.asList(cert1).containsAll(Arrays.asList(cert2))) return 0; + // compare each until they don't match don't be fussy they're not equal + // but they're the same length. + for (int i = 0; i < l1; i++){ + int c = cert1[i].toString().compareTo(cert2[i].toString()); + if (c != 0) return c; + } + return -1; } - // If we get here, class is not equal. - comp = c1.toString().compareTo(c2.toString()); - if (comp == 0 ) return -1; // should never happen. - return comp; - } - - private int hashCode(Class cl, String name, String actions) { - int hash = 3; - hash = 67 * hash + cl.hashCode(); - hash = 67 * hash + name.hashCode(); - hash = 67 * hash + actions.hashCode(); - return hash; + String name1 = o1.getName(); + String name2 = o2.getName(); + if ( name1 == null ){ + if (name2 == null) return 0; + return -1; // o1 is less + } + if ( name2 == null ) return 1; // o1 is greater + comparison = name1.compareTo(name2); + if ( comparison != 0 ) return comparison; + // names equal. + String actions1 = o1.getActions(); + String actions2 = o2.getActions(); + if ( actions1 == null ){ + if (actions2 == null) return 0; + return -1; // o1 is less + } + if ( actions2 == null ) return 1; // o1 is greater + comparison = actions1.compareTo(actions2); + if ( comparison != 0 ) return comparison; + // actions equal. + // Now we must be careful that these Permission's are truly equal. + // Check they have same class + if ( c1.equals(c2)) return 0; + // if we get to here, someone might be trying to substitute + return -1; } } Modified: river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/PermissionPendingResolutionCollection.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/PermissionPendingResolutionCollection.java?rev=1229137&r1=1229136&r2=1229137&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/PermissionPendingResolutionCollection.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/PermissionPendingResolutionCollection.java Mon Jan 9 13:12:52 2012 @@ -48,6 +48,11 @@ class PermissionPendingResolutionCollect public int awaitingResolution(){ return pending.get(); } + + void clear(){ + klasses.clear(); + pending.set(0); + } public void add(Permission permission) { Added: river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/ConcurrentPolicy.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/ConcurrentPolicy.java?rev=1229137&view=auto ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/ConcurrentPolicy.java (added) +++ river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/ConcurrentPolicy.java Mon Jan 9 13:12:52 2012 @@ -0,0 +1,54 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package net.jini.security.policy; + +import java.security.CodeSource; +import java.security.ProtectionDomain; +import org.apache.river.api.security.PermissionGrant; + +/** + * + * @author peter + */ +public interface ConcurrentPolicy { + + public boolean isConcurrent(); + + /** + * Returns a new array containing immutable PermissionGrant's, the array + * returned is not shared. + * + * Only those PermissionGrant's that imply the domain will be returned. + * + * This allows the top level policy to gather all PermissionGrant's, + * retrieve all relevant permissions, then sort them using PermissionComparator + * or any other Comparator, so Permission's are added to a PermissionCollection + * in the most efficient order. + * + * @param domain + * @return PermissionGrant [] + */ + public PermissionGrant[] getPermissionGrants(ProtectionDomain domain); + + /** + * Retrieves all PermissionGrant's from the underlying policy. + * @return + */ + public PermissionGrant[] getPermissionGrants(); +} Propchange: river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/ConcurrentPolicy.java ------------------------------------------------------------------------------ svn:eol-style = native