Mailing-List: contact river-dev-help@incubator.apache.org; run by ezmlm
Precedence: bulk
Reply-To: river-dev@incubator.apache.org
Received-SPF: pass (athena.apache.org: domain of fkoliver@gmail.com designates
 209.85.215.47 as permitted sender)
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :content-type:content-transfer-encoding;
        b=dkbtO1/RGt6VDv1/UUKVf9Re07fZUjz/ibwt5KtSfNcoSUe5LIeSAJ0NuylEE7hiOh
         B6MhdS/evLJUtV93taHRpJMMFxx3+FgfTyCvIgf1yNXL7V29NlRXJPQCu56BJO2uiIyz
         lpIpm/NTuTnCHJZN347V0T9JqS8K/rVXk6lhs=
MIME-Version: 1.0
In-Reply-To: <4C6F03E9.6010304@zeus.net.au>
References: <4C6E7239.9020306@zeus.net.au>
	<AANLkTimYKVPnOY0hAMmYs8DacVH5T=dueZspvuiWsws8@mail.gmail.com>
	<4C6F03E9.6010304@zeus.net.au>
Date: Sun, 22 Aug 2010 17:55:37 -0400
Message-ID: <AANLkTiksmnQo54O+7ZUusgQs9JK4GabVhcJMjg2oTD__@mail.gmail.com>
Subject: Re: Does this look ok?
From: Fred Oliver <fkoliver@gmail.com>
To: Peter Firmstone <jini@zeus.net.au>, river-dev@incubator.apache.org
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

On Fri, Aug 20, 2010 at 6:38 PM, Peter Firmstone <jini@zeus.net.au> wrote:

I haven't had time to look over the code...

What does recycling the classloader mean? There is already a
classloader cache for codebases, so that a multiple references to the
same codebase will give the same classloader.

Beyond that, could you say more about reliance on grants to codebases
(as opposed to subjects) being the important part?

Let's say you have a service S in a VM which is the place where you
are concerned about permission revocation. Now add a client A which
calls a method in S, passing in a smart proxy located with a URL
served by A. At this point, you wish to allow or disallow certain
actions by the smart proxy running in S?

What if client B attempts the same operation with a smart proxy served
by B? Are you concerned about granting different permissions to the
proxies from A and B?

What if client B attempts the same operation with a smart proxy served
by A? (B makes the call specifying A's codebase.)

What if a hostile smart proxy from B loads the smart proxy from A and
manipulates it in S?

Fred


> Fred Oliver wrote:
>>
>> Peter,
>>
>> I'll try to take look over the weekend.
>>
>> In general, I am concerned that the implementation is driving the
>> security model when it should be the other way around.
>>
>>
>
> Yes that has happened, as my understanding of the platform improves durin=
g
> implementation. =A0I also realised during implementation, that revocation=
 was
> not the Delegate's concern, in spite of the fact that for proper Revocati=
on,
> delegates must be utilised.
>
> However what I really want is a simple way to add and remove some
> Permission's from the policy and to ensure that when they have been remov=
ed,
> no protected references have escaped.
>
>> Part of my concern is that I don't understand the application. Could
>> you explain more about why permissions would be revoked in your
>> application?
>>
>
> Two uses:
>
> The first is to allow ClassLoader recycling, for multiple smart proxy bas=
ed
> services (one at a time), with identical CodeSource's.
>
> The second, is enabling limited trust for Java Smart Proxy's from unknown
> untrusted Services.
>
> Providing some basic Permission's to enable the Smart proxy to access:
>
> =A01. Network
> =A02. Sound
> =A03. Microphone
> =A04. WebCam
> =A05. GPS.
>
> vi a ServiceUI, or other services.
>
> If the client has any remaining objects from the untrusted Service, to
> prevent remnant objects's from continuing to utilise the Permission's for
> ongoing communication after the Service has been discarded.
>
>> =A0- What resources does your application need to give and then revoke
>> permissions for?
>>
>
> See above.
>
>> =A0- To whom (principal, codebase, etc.) are permissions given and taken
>> away?
>>
>
> Definitely CodeSources.
>
>> =A0- Are resources shared between multiple principals, codebases, etc.?
>>
>
> The network will be. =A0The codebases may be common, for services, but
> generally not shared at the same time, although it is possible if permiss=
ion
> grant's are delayed until all services sharing a codebase have verified
> their proxy's. =A0If a ClassLoader is recycled, the client and new Servic=
e
> will need to verify the new proxy, before any permission's are granted.
>
>> I think it would be much easier to restrict the problem scope if you
>> only needed to associate principals with resources, if that were the
>> case.
>>
>
> Like using a guest account for services? =A0Using a DomainCombiner to inj=
ect
> principals.
>
> Cheers,
>
> Peter.
>
>> Fred
>>
>>
>
>