river-dev mailing list archives

From Michal Kleczek <michal.klec...@xpro.biz>
Subject Re: Towards Internet Jini Services (trust)
Date Mon, 11 Oct 2010 09:50:09 GMT
Looks like we don't need InstallModulePermission - DownloadPermission should 
be granted to services instead.

Attached is a version that I'm going to start testing - what I want to do is 
to run Reggie configured to use ModuleExporter and KerberosServerEndpoint.

That way the client will contact Reggie to verify the codebase.

Michal

On Monday 11 of October 2010 09:46:18 Michal Kleczek wrote:
> Of course we need something more, since if the client has
> InstallModulePermission it would suppress trust verification altogether.
> The simple fix is to have two permissions and suppress trust verification
> only when we only have one of them. The client has both, so we are going
> to verify trust.
> 
> import java.security.AccessController;
> import java.security.BasicPermission;
> 
> import net.jini.security.TrustVerifier;
> 
> // BasicPermission has no no-arg constructor, so each permission needs a name.
> class InstallModulePermission extends BasicPermission {
>     InstallModulePermission() { super("InstallModulePermission"); }
> }
> 
> class SuppressModuleTrustDelegationPermission extends BasicPermission {
>     SuppressModuleTrustDelegationPermission() {
>         super("SuppressModuleTrustDelegationPermission");
>     }
> }
> 
> // Module is the type proposed in this thread, not an existing River class.
> public class DelegatedModuleTrustVerifier implements TrustVerifier {
> 
>     private static final InstallModulePermission INSTALL_MODULE_PERMISSION =
>             new InstallModulePermission();
>     private static final SuppressModuleTrustDelegationPermission
>             SUPPRESS_MODULE_TRUST_DELEGATION_PERMISSION =
>                     new SuppressModuleTrustDelegationPermission();
> 
>     @Override
>     public boolean isTrustedObject(Object o, Context cntxt) {
>         if (o instanceof Module) {
>             // A context holding the suppress permission never gets delegation,
>             // even if it also holds InstallModulePermission.
>             try {
>                 AccessController.checkPermission(
>                         SUPPRESS_MODULE_TRUST_DELEGATION_PERMISSION);
>                 return false;
>             }
>             catch (SecurityException suppressEx) {
>                 // Only InstallModulePermission: delegate trust to the caller.
>                 try {
>                     AccessController.checkPermission(INSTALL_MODULE_PERMISSION);
>                     return true;
>                 }
>                 catch (SecurityException installEx) {
>                     return false;
>                 }
>             }
>         }
> 
>         return false;
>     }
> 
> }
> 
> 
> Michal
> 
> On Monday 11 of October 2010 08:24:19 Michal Kleczek wrote:
> > On Monday 11 of October 2010 05:27:31 Peter Firmstone wrote:
> > > Michal Kleczek wrote:
> > > > Some more thoughts.
> > > > 
> > > > There is one scenario that is not covered here:
> > > > 
> > > > I get a service, verify the module that loads its class using a
> > > > ModuleAuthority that I trust. This service in turn downloads some
> > > > other objects that it verified. There is no way I can delegate trust
> > > > verification to the service - I must trust Modules (actually
> > > > ModuleAuthorities) of those subsequent objects.
> > > > 
> > > > 1. I have to have a way to allow or disallow module trust delegation
> > > > (looks like a case for dynamic permission grants)
> > > 
> > > Currently PreferredClassLoader uses DownloadPermission to prevent or
> > > allow class loading from a CodeSource; because the CodeSource hasn't yet
> > > been loaded, we cannot dynamically grant DownloadPermission to a
> > > CodeSource using DynamicPolicy.
> > 
> > Thanks for the hint.
> > I think Module trust delegation can be achieved in a really simple way:
> > 
> > import java.security.AccessController;
> > import java.security.Permission;
> > 
> > import net.jini.security.TrustVerifier;
> > 
> > // java.security.Permission is abstract: a concrete subclass needs a name
> > // plus implies/equals/hashCode/getActions.
> > class InstallModulePermission extends Permission {
> >   InstallModulePermission() { super("InstallModulePermission"); }
> >   public boolean implies(Permission p) { return p instanceof InstallModulePermission; }
> >   public boolean equals(Object o) { return o instanceof InstallModulePermission; }
> >   public int hashCode() { return getName().hashCode(); }
> >   public String getActions() { return ""; }
> > }
> > 
> > //this TrustVerifier is installed locally on the client
> > //so that delegation of Module trust verification can be done
> > //by granting a service InstallModulePermission
> > 
> > // Module is the type proposed in this thread, not an existing River class.
> > public class InstallModulePermissionVerifier implements TrustVerifier {
> > 
> >   private static final InstallModulePermission PERM =
> >     new InstallModulePermission();
> > 
> >   public boolean isTrustedObject(Object o, Context ctx) {
> >     try {
> >       if (o instanceof Module) {
> >         // trusted only if the calling context holds InstallModulePermission
> >         AccessController.checkPermission(PERM);
> >         return true;
> >       }
> >       return false;
> >     }
> >     catch (SecurityException e) {
> >       return false;
> >     }
> >   }
> > 
> > }
> > 
> > What do you think?
> > 
> > Michal

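The two-permission rule sketched in the quoted DelegatedModuleTrustVerifier can be exercised without a Jini deployment by constructing AccessControlContexts that hold exactly the permissions of interest and running the verifier under them with AccessController.doPrivileged. The following is an added example, not code from this thread or from River. It uses a minimal local stand-in for net.jini.security.TrustVerifier (so nothing from River is needed on the classpath), a placeholder Module class (the thread's proposed type, which does not exist in River), and a permissive Policy so that the demo's own protection domain does not mask the constructed context in the doPrivileged intersection. It assumes a JDK in which the legacy java.security access-control machinery still functions (JDK 8 through 23; JDK 24 and later permanently disable it under JEP 486).

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.BasicPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

public class ModuleTrustDelegationDemo {

    /** Placeholder for the Module type proposed in the thread (assumption, not a River class). */
    static final class Module {
        final String name;
        Module(String name) { this.name = name; }
    }

    /** Minimal stand-in for net.jini.security.TrustVerifier so the demo compiles without River. */
    interface TrustVerifier {
        interface Context {}
        boolean isTrustedObject(Object obj, Context ctx);
    }

    static final class InstallModulePermission extends BasicPermission {
        InstallModulePermission() { super("InstallModulePermission"); }
    }

    static final class SuppressModuleTrustDelegationPermission extends BasicPermission {
        SuppressModuleTrustDelegationPermission() {
            super("SuppressModuleTrustDelegationPermission");
        }
    }

    /**
     * Two-permission verifier as discussed in the thread: trust is delegated only when
     * the effective context holds InstallModulePermission but NOT the suppress permission.
     */
    static final class DelegatedModuleTrustVerifier implements TrustVerifier {
        private static final Permission INSTALL = new InstallModulePermission();
        private static final Permission SUPPRESS = new SuppressModuleTrustDelegationPermission();

        @Override
        public boolean isTrustedObject(Object o, Context ctx) {
            if (!(o instanceof Module)) return false;
            if (has(SUPPRESS)) return false;   // a context holding both never delegates
            return has(INSTALL);               // install alone delegates
        }

        private static boolean has(Permission p) {
            try { AccessController.checkPermission(p); return true; }
            catch (SecurityException e) { return false; }
        }
    }

    /** Context with one static domain holding exactly the given permissions (Policy not consulted). */
    static AccessControlContext contextWith(Permission... perms) {
        Permissions pc = new Permissions();
        for (Permission p : perms) pc.add(p);
        ProtectionDomain pd = new ProtectionDomain(new CodeSource(null, (Certificate[]) null), pc);
        return new AccessControlContext(new ProtectionDomain[] { pd });
    }

    /** Runs the verifier as if invoked by code whose effective permissions are those of acc. */
    static boolean verifyUnder(AccessControlContext acc, Object obj) {
        TrustVerifier v = new DelegatedModuleTrustVerifier();
        return AccessController.doPrivileged(
                (PrivilegedAction<Boolean>) () -> v.isTrustedObject(obj, null), acc);
    }

    public static void main(String[] args) {
        // Grant this demo's own domain everything, so the doPrivileged intersection
        // is decided solely by the constructed context passed to verifyUnder.
        Policy.setPolicy(new Policy() {
            @Override public boolean implies(ProtectionDomain d, Permission p) { return true; }
        });
        Module m = new Module("demo-module");
        Permission install = new InstallModulePermission();
        Permission suppress = new SuppressModuleTrustDelegationPermission();

        System.out.println("no permissions   -> " + verifyUnder(contextWith(), m));
        System.out.println("install only     -> " + verifyUnder(contextWith(install), m));
        System.out.println("install+suppress -> " + verifyUnder(contextWith(install, suppress), m));
        System.out.println("non-Module       -> " + verifyUnder(contextWith(install), "not a module"));
    }
}
```

Compile and run with `javac ModuleTrustDelegationDemo.java && java ModuleTrustDelegationDemo`. The four cases map onto the thread's design: a context with neither permission or with a non-Module object is never trusted, one holding only InstallModulePermission has module trust delegated to it, and one holding both (the client's own code) falls back to normal trust verification. Because contextWith builds its domain with the two-argument ProtectionDomain constructor, the domain's permissions are static and the installed Policy is not consulted for it, which is what keeps the outcome independent of whatever java.policy the JVM would otherwise load.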