river-dev mailing list archives

From Michal Kleczek <michal.klec...@xpro.biz>
Subject Re: Towards Internet Jini Services (trust)
Date Fri, 08 Oct 2010 12:07:03 GMT
On Friday 08 of October 2010 13:54:06 Sim IJskes - QCG wrote:
> On 10/08/2010 01:09 PM, Michal Kleczek wrote:
> > On Friday 08 of October 2010 13:02:17 Sim IJskes - QCG wrote:
> >> On 10/07/2010 09:57 PM, Michal Kleczek wrote:
> >>> So...
> >>> I've spent a day on some thinking and prototyping and hopefully I got
> >>> an idea. Here is an outline:
> >> 
> >>> 1. We annotate classes with an object implementing Module interface:
> >> Is it safe to say that you are basically enhancing the codebase
> >> annotation pattern?
> > 
> > Basically - yes.
> > Although I am not sure I understand precisely your question... :)
> You understood correctly. :-) (I should have said, construct, well ok).
> I noticed the readAnnotation of MarshalInputStream reads an Object and
> then casts it to a String. Are we sure that this is not a possible
> vector for a deserialization attack?

Looks like it is in current River.

> Personally I would have taken a
> UTF-8 String (with limited length), but if you only unmarshall Objects
> from TLS connections, that you check first, I guess it's ok.

Right - in this solution we do not download any code before verifying we trust 
the object (Module) that is going to download the code. In the basic scenario 
we just contact the origin service and verify that the codebase string we got 
is the right one.
One can imagine other ModuleAuthority implementations - for example requiring 
that the codebase is digitally signed.

> So your solution is allowing for different credentials between the TLS
> and the code source, and checking these credentials.
> Is this package pluggable onto river without modifications in river?

I wouldn't call it "a package" :) At least not yet...

I think it can be made pluggable - I still have to resolve issues with 
associating Modules with ClassLoaders - it would be soooo much easier to have 
RMIClassLoader return Object from getClassAnnotation() and modify 
ClassAnnotation to return a Module instead of String from getAnnotation().
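
Added example, not part of the original message and not River's code: it contrasts the read-an-Object-then-cast pattern raised in the thread with the length-limited UTF-8 annotation Sim suggests. The class name, method names, the 2048-byte limit and the sample codebase URL are assumptions made for illustration.

```java
import java.io.*;
import java.nio.ByteBuffer;
import java.nio.charset.*;
public class BoundedAnnotationDemo {
    // Assumed upper bound for a codebase annotation; not a River constant.
    static final int MAX_ANNOTATION_BYTES = 2048;

    // Pattern questioned in the thread: the whole object graph is
    // deserialized before the cast to String can reject anything.
    static String readAsObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        return (String) in.readObject();
    }

    // Alternative: length-prefixed UTF-8, length checked before the buffer is allocated.
    static void writeBounded(DataOutput out, String codebase) throws IOException {
        byte[] utf8 = codebase.getBytes(StandardCharsets.UTF_8);
        if (utf8.length > MAX_ANNOTATION_BYTES)
            throw new IOException("annotation too long: " + utf8.length);
        out.writeShort(utf8.length);
        out.write(utf8);
    }

    static String readBounded(DataInput in) throws IOException {
        int len = in.readUnsignedShort();
        if (len > MAX_ANNOTATION_BYTES)
            throw new InvalidObjectException("annotation too long: " + len);
        byte[] utf8 = new byte[len];
        in.readFully(utf8);
        // Strict decoder: malformed input is an error, not replaced with U+FFFD.
        CharsetDecoder dec = StandardCharsets.UTF_8.newDecoder()
                .onMalformedInput(CodingErrorAction.REPORT)
                .onUnmappableCharacter(CodingErrorAction.REPORT);
        return dec.decode(ByteBuffer.wrap(utf8)).toString();
    }

    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            writeBounded(out, "https://example.org/service-dl.jar"); // constructed sample
            out.writeShort(0xFFFF); // constructed oversized length prefix
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            System.out.println("accepted: " + readBounded(in));
            readBounded(in); // second record exceeds the limit
        } catch (InvalidObjectException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```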

