river-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Michal Kleczek <michal.klec...@xpro.biz>
Subject Re: Towards Internet Jini Services (trust)
Date Mon, 11 Oct 2010 14:17:43 GMT
On Monday 11 of October 2010 15:41:46 Peter Firmstone wrote:
> What about the case where a Module depends on another Module?
> I'm guessing that was the intent.

Actually - no :)

There are two different things to consider:

1. Module dependencies (which I actually did not think about too much).

2. The client gets a proxy and this proxy code causes downloading objects 
annotated with a different Module than the proxy's Module (IOW downloading 
subsequent Modules happens _after_ the proxy was deserialized, prepared and 
granted permissions). We need a way to say:
"OK I've downloaded some code, an object, verified that I trust both the code 
and this object - now I don't really care how it is implemented - I trust that 
if it needs to download some more code - it already was verified)."

That is something that can be achieved with DelegatedModuleTrustVerifier - the 
client can grant DownloadPermission to the proxy it just deserialized and 
prepared. Note that it is not transitive - the client has to grant a 
GrantPermission(new DownloadPermission()) to the proxy if it wants the 
DownloadPermission to be transfered further.

All is good so far except that the proxy must postpone deserialization of 
subsequent objects so that it happens after the client had a chance to grant 
permissions to the proxy.
With my proposal nothing really changes in a way the client handles objects 
that it receives - permissions are granted to the proxy in exactly the same 
way as it is done in Jini 2.1.

So unfortunatelly if we have a proxy:
class MyProxy implements Serializable {
  private JavaSpace space;
it would have to be changed to:
class MyProxy implements Serializable {
  private MarshalledObject<JavaSpace> marshalledSpace;
if the service wants to make use of DownloadPermission that was possibly 
granted to it by the client.

Sure - it would be cool if we could grant permissions earlier (as soon as a 
Module is verified and the ClassLoader is created) but I just don't know how 
the client would pass the permissions it wants to grant to a Module to the low 
level deserialization code.


View raw message