Return-Path: <dev-return-12208-archive-asf-public=cust-asf.ponee.io@river.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id B3ABF200C1B
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Tue, 14 Feb 2017 13:14:03 +0100 (CET)
Received: by cust-asf.ponee.io (Postfix)
	id B221F160B5F; Tue, 14 Feb 2017 12:14:03 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id 05B08160B52
	for <archive-asf-public@cust-asf.ponee.io>; Tue, 14 Feb 2017 13:14:02 +0100 (CET)
Received: (qmail 22121 invoked by uid 500); 14 Feb 2017 12:14:02 -0000
Mailing-List: contact dev-help@river.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:dev-help@river.apache.org>
List-Unsubscribe: <mailto:dev-unsubscribe@river.apache.org>
List-Post: <mailto:dev@river.apache.org>
List-Id: <dev.river.apache.org>
Reply-To: dev@river.apache.org
Delivered-To: mailing list dev@river.apache.org
Received: (qmail 22109 invoked by uid 99); 14 Feb 2017 12:14:01 -0000
Received: from pnap-us-west-generic-nat.apache.org (HELO spamd4-us-west.apache.org) (209.188.14.142)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 14 Feb 2017 12:14:01 +0000
Received: from localhost (localhost [127.0.0.1])
	by spamd4-us-west.apache.org (ASF Mail Server at spamd4-us-west.apache.org) with ESMTP id 216E3C0D33
	for <dev@river.apache.org>; Tue, 14 Feb 2017 12:14:01 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at spamd4-us-west.apache.org
X-Spam-Flag: NO
X-Spam-Score: 1.879
X-Spam-Level: *
X-Spam-Status: No, score=1.879 tagged_above=-999 required=6.31
	tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
	HTML_MESSAGE=2, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01,
	RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=disabled
Authentication-Results: spamd4-us-west.apache.org (amavisd-new);
	dkim=pass (1024-bit key) header.d=kleczek.org
Received: from mx1-lw-eu.apache.org ([10.40.0.8])
	by localhost (spamd4-us-west.apache.org [10.40.0.11]) (amavisd-new, port 10024)
	with ESMTP id qEb_yfdT3s0q for <dev@river.apache.org>;
	Tue, 14 Feb 2017 12:13:56 +0000 (UTC)
Received: from mail-wm0-f43.google.com (mail-wm0-f43.google.com [74.125.82.43])
	by mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) with ESMTPS id 722CE5FAE6
	for <dev@river.apache.org>; Tue, 14 Feb 2017 12:13:56 +0000 (UTC)
Received: by mail-wm0-f43.google.com with SMTP id v77so15624932wmv.0
        for <dev@river.apache.org>; Tue, 14 Feb 2017 04:13:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=kleczek.org; s=google;
        h=message-id:date:from:user-agent:mime-version:to:subject:references
         :in-reply-to;
        bh=ReRYsbHpVwaJ3fgTATmoYcZnW+N/g+X4A6/sva/e3Sc=;
        b=OhjAID4DDjyj75jkX0OwAqPcIfFxdJHcS91v/kX3VkZf/EbCcz7I0gcCQLVISWrRJc
         ZHQ5GFU18sW4jKSzTe1PhHoOtTRW2TBeECLVFJIM/6BO2m60UmAmzI9rn+6DXQKtOpDL
         +MYYUl9S879iXti8GFsYY0Gvivn1Td8xEfKho=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to
         :subject:references:in-reply-to;
        bh=ReRYsbHpVwaJ3fgTATmoYcZnW+N/g+X4A6/sva/e3Sc=;
        b=OBWQOOrj7snaeglNbngy2RR3jEjNnYfiup/vEg9OUavqoRYnf+wU1NB7mXbR8BYbAW
         kAurIzs3D3/ajbthD2mRjRHR4A7NcGONtm3T2eS7VreoylbRRJ+fOojywEoBFw0wG/T3
         GV4OWCvk/GSbcm0tvSBaN26GsMG1PnU29UWmiGtyvCOr9xqvtxGADVw24FfI0QDX3DUJ
         tZt4/q2D8DR9V9/RhOcldGkBwNo32/WUYHqB8ESjlXSUFMnjqHYoQo1pVZs8cMbBN7Vg
         fCicMwa+QAUOsP6Rok1M3op0ffbZM8yvJhAm4rO0HuDPobFVHZnC3B3HU0bTgLId2aEV
         9RoQ==
X-Gm-Message-State: AMke39lxs9t6BJYxga+B/pVSN0hKEfl9teyt+lzyRvhoNusooSwF5FBEYd2zcWoUCG5YJQ==
X-Received: by 10.28.74.69 with SMTP id x66mr2875371wma.124.1487074428590;
        Tue, 14 Feb 2017 04:13:48 -0800 (PST)
Received: from [172.16.37.139] ([170.194.32.41])
        by smtp.googlemail.com with ESMTPSA id o143sm1076076wmd.3.2017.02.14.04.13.47
        for <dev@river.apache.org>
        (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
        Tue, 14 Feb 2017 04:13:47 -0800 (PST)
Message-ID: <58A2F47A.1050700@kleczek.org>
Date: Tue, 14 Feb 2017 12:13:46 +0000
From: =?UTF-8?B?TWljaGHFgiBLxYJlY3plaw==?= <michal@kleczek.org>
User-Agent: Postbox 4.0.8 (Macintosh/20151105)
MIME-Version: 1.0
To: dev@river.apache.org
Subject: Re: OSGi NP Complete Was: OSGi - deserialization remote invocation
 strategy
References: <247e9876a66e70de1f0998f7c890c0d4@org.tizen.email>
In-Reply-To: <247e9876a66e70de1f0998f7c890c0d4@org.tizen.email>
Content-Type: multipart/alternative;
 boundary="------------070901030501050101080902"
archived-at: Tue, 14 Feb 2017 12:14:03 -0000

--------------070901030501050101080902
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

It seems like I am missing the high level view on the architecture of 
your software.
Would it be possible for you to write one?

Peter wrote:
> There's a new constraint AtomicInputValidation that jeri uses to prevent standard serialization being used.
>
> Reggie has been granted DownloadPermission and DeserializationPermission but only for its own codebase.
I do not understand this.
How does the client know it is "Reggie" it is talking to?
How Reggie can grant itself permissions in the client environment???

Could you be more precise?
> Reggie has also been granted necessary permissions to communicate with its service.  No perms have been granted allowing Reggie to do anything else
>
> Reggie gives the client a dynamic proxy token (via SafeServiceRegistrar's lookup method).
What is this "token"? Is it a Java object implementing a well known 
interface? What interface is it?
>
> If your class is a client class you can give it the power to open network connections and do as you wish, but it's not a good idea to grant that power to Reggie.  But it's also worth remembering it's risky to deserialize into privileged context and you're going to have to do that in this case.
I do not understand this. I the SmartProxyWrapper there are no 
permissions granted to any downloaded code.
The code can be downloaded and classes defined only if the client 
imposed constraints are met.
>
> SafeServiceRegistrar will still allow you to use your wrapper class, it just adds an additional step of allowing you to authenticate that service before you deserialize your service wrapper, making it a little safer.
How???
By using the "token" you talk about earlier? But you have to verify the 
token to be secure, don't you?

So you delegate "token" authentication to Reggie, but that requires 
verification of Reggie proxy.
But how do you verify Reggie proxy?

Does Reggie also provide the "token"? If so - how is it authenticated? 
If not - how do you authenticate reggie?
You have to break the chain somewhere - and the shorter the trust chain 
the more secure system is.

>
> You can grant permissions to services only to the codebase certificate signers if you want.  Using the url in the permission grant just restricts it more, but it's not mandatory.
Fair enough.

The downside is that the permission check requires downloading the jar 
file and reading it to verify the code signers.

In my proposal the check is done even before actual code downloading.

Thanks,
Michal

--------------070901030501050101080902--