river-dev mailing list archives

From Michał Kłeczek <mic...@kleczek.org>
Subject Re: OSGi NP Complete Was: OSGi - deserialization remote invocation strategy
Date Tue, 14 Feb 2017 13:03:15 GMT
Let me dig a bit deeper. Comments inline.

Peter wrote:
> Yes the dynamic proxies are 100% local code.  Remember dynamic proxies don't have codebases. :)
Of course they do - look at PreferredClassProvider - the dynamic proxy 
class is defined by the codebase loader!

Being a dynamic proxy does not mean there is no codebase.
>
> AtomicMarshalInputStream performs a special input validation on java.lang.reflect.Proxy
> thus ensuring the InvocationHandler is also trusted.  If the InvocationHandler doesn't pass
> the test the proxy's never created.
Why does it only verify dynamic proxies? Doesn't it verify normal objects?
>
> The dynamic proxies put you in direct contact with the service provider using only local
> code with input validation constrained over secure connections (as configured with constraints
> in force).
>
> I think I've given you enough info now to investigate further.
Ok - so your "token" is the same thing as my SmartProxyWrapper. Let's 
call it a "bootstrap proxy", ok?

1. What interface does this bootstrap proxy implement?
2. Why do you think it has to be a dynamic proxy (i.e. an instance of a 
subclass of java.lang.Proxy)?
3. What and when are DownloadPermissions required? How do they add to 
the overall security?
I understand the security of service proxies is enforced by the 
constraints placed on the bootstrap proxy.
So where is the place for DownloadPermissions?

4. Finally - how is the lookup service proxy verified? Does it also 
provide the bootstrap proxy?
If so - what special role does it play in the architecture?
The bootstrap proxy does not have to be provided by the lookup service, 
does it?

If it is verified differently - why and how?

Thanks,
Michal
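The two technical points in this exchange can be shown in a few lines of plain Java. The following is an added example written for this archive page; it is not River code and is not how AtomicMarshalInputStream or PreferredClassProvider are implemented. It demonstrates (a) that a dynamic proxy class is defined by whichever ClassLoader is handed to Proxy.newProxyInstance, so a proxy can indeed have a codebase loader, and (b) one way a deserializer can validate a proxy before it is constructed, by allow-listing both the proxy's interfaces (resolveProxyClass) and every concrete class in the stream, which includes the InvocationHandler's class (resolveClass). The Greeter interface, GreeterHandler, and the allow-list contents are all constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.Set;

public class ProxyCodebaseDemo {

    // Constructed stand-in for a service interface (not a River interface).
    public interface Greeter { String greet(String name); }

    // Constructed stand-in for the InvocationHandler a service proxy would carry.
    public static final class GreeterHandler implements InvocationHandler, Serializable {
        private static final long serialVersionUID = 1L;
        @Override
        public Object invoke(Object proxy, Method m, Object[] args) {
            switch (m.getName()) {
                case "greet":    return "hello " + args[0];
                case "toString": return "GreeterProxy";
                case "hashCode": return System.identityHashCode(proxy);
                case "equals":   return proxy == args[0];
                default: throw new UnsupportedOperationException(m.getName());
            }
        }
    }

    /** Point (a): the proxy class is defined by the loader passed to newProxyInstance. */
    public static boolean proxyClassIsDefinedBy(ClassLoader loader) {
        Greeter g = (Greeter) Proxy.newProxyInstance(
                loader, new Class<?>[] { Greeter.class }, new GreeterHandler());
        return g.getClass().getClassLoader() == loader;
    }

    /** Point (b): an ObjectInputStream that validates proxy interfaces and every class descriptor. */
    public static final class ValidatingObjectInputStream extends ObjectInputStream {
        private final Set<String> allowedClasses;
        private final Set<String> allowedProxyInterfaces;

        public ValidatingObjectInputStream(InputStream in, Set<String> allowedClasses,
                                           Set<String> allowedProxyInterfaces) throws IOException {
            super(in);
            this.allowedClasses = allowedClasses;
            this.allowedProxyInterfaces = allowedProxyInterfaces;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            // Called for the handler's class and for java.lang.reflect.Proxy (the proxy's superclass).
            if (!allowedClasses.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not on allow-list");
            }
            return super.resolveClass(desc);
        }

        @Override
        protected Class<?> resolveProxyClass(String[] interfaces)
                throws IOException, ClassNotFoundException {
            // Called for every dynamic proxy descriptor before the proxy instance exists.
            for (String iface : interfaces) {
                if (!allowedProxyInterfaces.contains(iface)) {
                    throw new InvalidClassException(iface, "proxy interface not on allow-list");
                }
            }
            return super.resolveProxyClass(interfaces);
        }
    }

    public static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static Object deserialize(byte[] bytes, Set<String> classes, Set<String> ifaces)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ValidatingObjectInputStream(
                new ByteArrayInputStream(bytes), classes, ifaces)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // An empty URLClassLoader stands in for a codebase loader; the proxy class lands in it.
        ClassLoader codebaseLoader =
                new URLClassLoader(new URL[0], ProxyCodebaseDemo.class.getClassLoader());
        System.out.println("proxy class defined by codebase loader: "
                + proxyClassIsDefinedBy(codebaseLoader));

        Greeter g = (Greeter) Proxy.newProxyInstance(
                Greeter.class.getClassLoader(), new Class<?>[] { Greeter.class }, new GreeterHandler());
        byte[] bytes = serialize(g);

        Set<String> ifaces = Set.of(Greeter.class.getName());
        Set<String> trusted = Set.of(Proxy.class.getName(), GreeterHandler.class.getName());
        Greeter back = (Greeter) deserialize(bytes, trusted, ifaces);
        System.out.println("accepted: " + back.greet("river") + ", handler="
                + Proxy.getInvocationHandler(back).getClass().getSimpleName());

        // Same bytes, but the handler class is not trusted: rejected while resolving its descriptor.
        try {
            deserialize(bytes, Set.of(Proxy.class.getName()), ifaces);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The order of checks matters for the question raised above about dynamic proxies versus ordinary objects: resolveProxyClass sees only the interface names, so on its own it says nothing about the handler. The handler's class is an ordinary object in the same stream and is only caught by the resolveClass allow-list, which is why a deserializer that validates proxies specially still has to validate every other class descriptor as well.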
