river-dev mailing list archives

From Fred Oliver <fkoli...@gmail.com>
Subject Re: Learnings from a RevokeableDynamicPolicy & A Future Roadmap
Date Sun, 15 Aug 2010 19:37:38 GMT
Why not have
instead of the begin/check/end block? Would this remove the Thread
object from those maps?

What if a delegate requires multiple permissions of different classes
from multiple ECMs? Should this be done at the RevokeableDynamicPolicy
level instead? Should the ECM be hidden from the public API?

I was looking at writing a SocketDelegate and I'm not clear on some things.

- How do I get a reference to the system RevokableDynamicPolicy object?

- Once I have it, how do I check for actual permission to do
something? Is there a utility to iterate through the list of
PermissionGrants? Or some other method?

- If we have class based ECM (which seems simpler), then should
Class<? extends Permission> appear in many places where Permission
currently appears?  e.g.

    RevokableDynamicPolicy.getExecutionManager(Class<? extends Permission>);
    Controller.revoke(Set<Class<? extends Permission>> classes);
    Controller.getPermission() returns Class<? extends Permission>
    Controller.getECManager(Class<? extends Permission>);
    Controller.pool uses Class<? extends Permission> as key?

In Controller, do the pool and cont fields need to be separate? If the
weak references get cleared at different times, then these two
structures can briefly diverge. Is this OK?

Do you still have ECM.addAction()?   The ECM.addAction() takes a
Runnable, which gets the job done. I'm concerned that this requires
that delegates implement Runnable, in conflict with some other use of
Runnable. Perhaps it's worth adding an interface for this like
RevocationListener with a permissionRevoked() method.

Most of the methods in the delegates get called from the untrusted
code, but the run() method does not.

- When the run() method is called (on which thread?), how does it
determine which codebase or principal (etc.) to use when checking
permissions? How does a socket delegate know to close a socket?
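The following sketch is an added illustration of the two ideas raised in this message (a RevocationListener with a permissionRevoked() callback in place of a Runnable, and a registry keyed by Class<? extends Permission> rather than by Permission instance). It is not River code and not the author's; the RevocationRegistry and SocketDelegate shapes, the use of SocketPermission.class as the key, and the Closeable stand-in for a real socket are assumptions made for the demonstration.

```java
import java.io.Closeable;
import java.io.IOException;
import java.net.SocketPermission;
import java.security.Permission;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CopyOnWriteArraySet;

/** Hypothetical callback interface, standing in for the Runnable that ECM.addAction() takes. */
interface RevocationListener {
    void permissionRevoked(Class<? extends Permission> permissionClass);
}

/** Hypothetical registry: one listener set per permission class (the class-based ECM idea). */
final class RevocationRegistry {
    private final Map<Class<? extends Permission>, Set<RevocationListener>> listeners =
        new ConcurrentHashMap<>();

    void addListener(Class<? extends Permission> cls, RevocationListener l) {
        listeners.computeIfAbsent(cls, k -> new CopyOnWriteArraySet<>()).add(l);
    }

    /** Mirrors Controller.revoke(Set<Class<? extends Permission>>) from the message. */
    void revoke(Set<Class<? extends Permission>> classes) {
        for (Class<? extends Permission> cls : classes) {
            Set<RevocationListener> ls = listeners.remove(cls);
            if (ls == null) continue;
            for (RevocationListener l : ls) {
                try {
                    l.permissionRevoked(cls);
                } catch (RuntimeException e) {
                    // one misbehaving delegate must not prevent the others from being notified
                }
            }
        }
    }
}

/** Delegate that closes its underlying resource when SocketPermission is revoked. */
final class SocketDelegate implements RevocationListener, Closeable {
    private final Closeable socket;   // would be a java.net.Socket; Closeable keeps the demo offline
    private volatile boolean open = true;

    SocketDelegate(Closeable socket, RevocationRegistry registry) {
        this.socket = socket;
        registry.addListener(SocketPermission.class, this);
    }

    /** Called from untrusted code; refuses once the grant is gone. */
    void write(byte[] data) throws IOException {
        if (!open) throw new IOException("socket closed: SocketPermission revoked");
        // forward to the real socket here
    }

    /** Called by the registry (trusted side) on revocation, not by the untrusted caller. */
    @Override public void permissionRevoked(Class<? extends Permission> cls) {
        try {
            close();
        } catch (IOException ignored) {
            // nothing more to do: the delegate is already marked closed
        }
    }

    @Override public void close() throws IOException {
        open = false;
        socket.close();
    }

    boolean isOpen() { return open; }
}

public class RevocationDemo {
    public static void main(String[] args) throws IOException {
        RevocationRegistry registry = new RevocationRegistry();
        final boolean[] closed = {false};
        Closeable fakeSocket = () -> closed[0] = true;   // constructed stand-in for a socket

        SocketDelegate d = new SocketDelegate(fakeSocket, registry);
        d.write("hello".getBytes());

        registry.revoke(Set.of(SocketPermission.class));
        System.out.println("open after revoke: " + d.isOpen() + ", socket closed: " + closed[0]);
        try {
            d.write("again".getBytes());
        } catch (IOException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The callback deliberately carries only the permission class; which codebase or principal the revocation applies to, and on which thread permissionRevoked() runs, are exactly the open points in the last paragraph above and are not settled by this sketch.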
