From: Peter
Date: Sun, 22 Apr 2018 18:05:51 +1000
To: dev@river.apache.org
Subject: A little more background on AtomicILFactory
Message-ID: <5ADC425F.3060104@zeus.net.au>
JERI is of course extensible; there are a number of layers:

1. Invocation layer.
2. Object identification layer.
3. Transport layer.

All proxies that use JERI contain a java.lang.reflect.Proxy instance that uses an InvocationHandler from an invocation layer factory.

Currently we have BasicILFactory. This uses standard Java serialization and Marshal streams from the net.jini.io package, which annotate streams with codebase annotations. The invocation layer provided by BasicILFactory allows you to download any class from anywhere. Serialization was considered secure at the time when it was written. To be fair, serialization should have been maintained secure. In this model, after you deserialize a proxy into its downloaded code, you ask the remote end to check it, and then you apply constraints.

The problem today is that serialization is not secure, and we can use a secure transport layer; however, a proxy can download another proxy that doesn't use a secure transport layer, and the constraints won't be applied to it. For example, Reggie provides a lookup service; you can apply constraints against it, but it can still download proxies from other services, and the constraints aren't applied to those.

Enter AtomicILFactory. It still utilises codebase annotations, but in a limited form. Instead of using codebase annotations for every class, each endpoint is assigned a default ClassLoader that determines class visibility and resolution. The service's server endpoint is assigned a ClassLoader by AtomicILFactory, but how is its proxy ClassLoader determined, you ask?

Ok, so we need to go back one step. Proxies are marshalled independently of the stream. This means that, unlike BasicILFactory, Reggie cannot download proxies from other services, because their proxy classes won't be available via the default ClassLoader.

Instead, proxies are marshalled by a ProxySerializer, which contains a MarshalledInstance and a CodebaseAccessor bootstrap proxy that only utilises local classes. There's a new provider, net.jini.loader.ProxyCodebaseSpi, to which the ProxySerializer passes the MarshalledInstance and CodebaseAccessor as arguments. The bootstrap proxy is used for authentication and codebase provisioning; the provisioned ClassLoader is then used by the MarshalledInstance to deserialize the proxy. So this is how the ClassLoader is established for the proxy.

Now, I was applying constraints to the proxy before it returns, but this breaks a number of InvocationHandlers that are expecting a proxy without constraints, so for now constraints are only applied to the bootstrap proxy.

There are two ProxyCodebaseSpi implementations: one for preferred classes, the other for OSGi. Note the parent ClassLoader is the loader of the stream that deserialized the proxy in its marshalled form, at least for preferred class loading, but not for OSGi. The reason is that a service proxy may already contain proxies for other services, which it utilises privately, so it needs to be able to control the visibility of classes using preferred class loading, the interfaces shared by the service proxy and other proxies it contains.

This gives the client total control over who can download classes and enforce constraints before deserialization occurs.

I haven't made this code publicly available yet.

Regards,

Peter.
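The core defensive idea in the message above, that class resolution during deserialization is decided by a ClassLoader the receiver provisioned in advance rather than by a codebase annotation carried in the untrusted stream, can be shown with plain JDK classes. This is an added illustration, not River's AtomicILFactory, ProxySerializer or ProxyCodebaseSpi code; it uses a hypothetical LoaderBoundInputStream over java.io.ObjectInputStream and a constructed ProxyRecord payload.

```java
import java.io.*;
import java.util.Set;

/** Resolves stream classes only through one pre-provisioned loader and allow-list. */
final class LoaderBoundInputStream extends ObjectInputStream {
    private final ClassLoader provisioned;
    private final Set<String> permitted;

    LoaderBoundInputStream(byte[] bytes, ClassLoader provisioned, Set<String> permitted)
            throws IOException {
        super(new ByteArrayInputStream(bytes));
        this.provisioned = provisioned;
        this.permitted = permitted;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // Visibility is fixed by the receiver before any bytes are read; the stream
        // cannot widen it, which is the opposite of "download any class from anywhere".
        if (!permitted.contains(name)) {
            throw new InvalidClassException(name, "not visible through provisioned loader");
        }
        return Class.forName(name, false, provisioned);
    }
}

/** Constructed stand-in for a marshalled proxy (hypothetical, not a Jini type). */
final class ProxyRecord implements Serializable {
    private static final long serialVersionUID = 1L;
    final String endpoint;
    ProxyRecord(String endpoint) { this.endpoint = endpoint; }
}

public final class LoaderBoundDemo {
    static byte[] marshal(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        ClassLoader local = LoaderBoundDemo.class.getClassLoader();
        byte[] bytes = marshal(new ProxyRecord("tcp://svc.example:4160")); // constructed sample
        // Accepted: ProxyRecord is on the allow-list and loadable by the local loader.
        try (ObjectInputStream in = new LoaderBoundInputStream(bytes, local, Set.of("ProxyRecord"))) {
            System.out.println("resolved: " + ((ProxyRecord) in.readObject()).endpoint);
        }
        // Rejected: identical bytes, but the class was never provisioned for this endpoint.
        try (ObjectInputStream in = new LoaderBoundInputStream(bytes, local, Set.of())) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allow-list here stands in for what the message describes as the provisioned ClassLoader's visibility; a real implementation would also have to cover array and enum descriptors, which this single-class demo does not.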