Posted to commits@river.apache.org by pe...@apache.org on 2011/12/24 12:38:28 UTC
svn commit: r1222962 - in /river/jtsk/skunk/peterConcurrentPolicy:
qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/
qa/src/com/sun/jini/test/spec/policyprovider/policyFileProvider/
qa/src/com/sun/jini/test/spec/security/basicproxypreparer/ ...
Author: peter_firmstone
Date: Sat Dec 24 11:38:28 2011
New Revision: 1222962
URL: http://svn.apache.org/viewvc?rev=1222962&view=rev
Log:
River-323 URIGrant replaces CodeSourceGrant functionality to avoid DNS lookup.
Modified:
river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/GetContextTest.td
river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/policyFileProvider/UmbrellaGrants.td
river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/security/basicproxypreparer/PrepareProxy_Test.td
river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/jeri/internal/runtime/Target.java
river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/PermissionComparator.java
river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/ConcurrentPolicyFile.java
river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/DelegateCombinerSecurityManager.java
river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/PermissionGrantBuilderImp.java
river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/URIGrant.java
river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/security/policy/util/DefaultPolicyParser.java
Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/GetContextTest.td
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/GetContextTest.td?rev=1222962&r1=1222961&r2=1222962&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/GetContextTest.td (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/GetContextTest.td Sat Dec 24 11:38:28 2011
@@ -8,3 +8,6 @@ getContextJarFile=<file:lib/qa1-start-cb
restoreContextJarFile=<file:lib/qa1-start-cb2.jar>
checkContextActionJarFile=<file:lib/qa1-start-cb3.jar>
include0=../start.properties
+#testjvmargs=-Xdebug,\
+#-Xrunjdwp:transport=dt_socket+,address=8000+,server=y+,suspend=y,\
+#${testjvmargs}
\ No newline at end of file
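Review bot: The commented-out `-Xrunjdwp:transport=dt_socket+,address=8000+,server=y+,suspend=y` template, repeated in UmbrellaGrants.td and PrepareProxy_Test.td, carries no explanation and gives a bare port as the address. A JDWP listener is unauthenticated and lets whoever connects control the test JVM. A comment line above it such as `# Local debugging only: opens an unauthenticated JDWP listener on port 8000; do not enable on shared hosts.` would make that clear to whoever uncomments it.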
Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/policyFileProvider/UmbrellaGrants.td
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/policyFileProvider/UmbrellaGrants.td?rev=1222962&r1=1222961&r2=1222962&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/policyFileProvider/UmbrellaGrants.td (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/policyFileProvider/UmbrellaGrants.td Sat Dec 24 11:38:28 2011
@@ -7,3 +7,6 @@ FILEPOLICY01=<url: policyProviderGrant01
FILEPOLICY02=<url: policyProviderGrant02.policy>
FILEPOLICYUMBRELLA=<url: policyProviderUmbrellaGrant.policy>
com.sun.jini.qa.harness.securityproperties=<url: ../securityprovider.properties>
+#testjvmargs=-Xdebug,\
+#-Xrunjdwp:transport=dt_socket+,address=8000+,server=y+,suspend=y,\
+#${testjvmargs}
Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/security/basicproxypreparer/PrepareProxy_Test.td
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/security/basicproxypreparer/PrepareProxy_Test.td?rev=1222962&r1=1222961&r2=1222962&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/security/basicproxypreparer/PrepareProxy_Test.td (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/security/basicproxypreparer/PrepareProxy_Test.td Sat Dec 24 11:38:28 2011
@@ -4,4 +4,6 @@ com.sun.jini.qa.harness.runactivation=fa
com.sun.jini.qa.harness.runjiniserver=false
com.sun.jini.qa.harness.runkitserver=false
com.sun.jini.qa.harness.shared=false
-
+#testjvmargs=-Xdebug,\
+#-Xrunjdwp:transport=dt_socket+,address=8000+,server=y+,suspend=y,\
+#${testjvmargs}
\ No newline at end of file
Modified: river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/jeri/internal/runtime/Target.java
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/jeri/internal/runtime/Target.java?rev=1222962&r1=1222961&r2=1222962&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/jeri/internal/runtime/Target.java (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/jeri/internal/runtime/Target.java Sat Dec 24 11:38:28 2011
@@ -466,7 +466,11 @@ final class Target {
}
}), securityContext.getAccessControlContext());
} catch (PrivilegedActionException e) {
- throw (IOException) e.getException();
+ Exception ex = e.getException();
+ if ( ex instanceof IOException ) throw (IOException) ex;
+ if ( ex instanceof InterruptedException ) {
+ Thread.currentThread().interrupt();
+ }
} finally {
if (ccl != savedCcl || savedCcl != t.getContextClassLoader()) {
t.setContextClassLoader(savedCcl);
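Review bot: A `PrivilegedActionException` whose cause is neither an `IOException` nor an `InterruptedException` is now dropped silently in this catch block, and the interrupted case also falls through to whatever follows the `finally`, so the caller cannot tell that the privileged dispatch failed. Ending the block with a rethrow keeps the failure visible, for example `IOException ioe = new IOException(ex.toString()); ioe.initCause(ex); throw ioe;` after the two `if` statements. The enclosing method starts and ends outside the hunk, so what runs after the `finally` should be checked before deciding whether the interrupt case may continue.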
Modified: river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/PermissionComparator.java
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/PermissionComparator.java?rev=1222962&r1=1222961&r2=1222962&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/PermissionComparator.java (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/PermissionComparator.java Sat Dec 24 11:38:28 2011
@@ -5,14 +5,44 @@ import java.security.Permission;
import java.util.Comparator;
/**
- *
- * @author peter
+ * A Comparator for Set's of permissions that avoids using equals and hashCode()
+ *
+ * @author Peter Firmstone.
*/
public class PermissionComparator implements Comparator<Permission> {
- @Override
public int compare(Permission o1, Permission o2) {
- throw new UnsupportedOperationException("Not supported yet.");
+ Class c1 = o1.getClass();
+ String name1 = o1.getName();
+ String actions1 = o1.getActions();
+ Class c2 = o2.getClass();
+ String name2 = o2.getName();
+ String actions2 = o2.getActions();
+ int hash1 = hashCode(c1, name1, actions1);
+ int hash2 = hashCode(c2, name2, actions2);
+ if (hash1 < hash2) return -1;
+ if (hash1 > hash2) return 1;
+ // Identical hash codes
+ int comp = -1;
+ if (c1.equals(c2) ){
+ comp = name1.compareTo(name2);
+ if ( comp == 0 ) {
+ return actions1.compareTo(actions2);
+ }
+ return comp;
+ }
+ // If we get here, class is not equal.
+ comp = c1.toString().compareTo(c2.toString());
+ if (comp == 0 ) return -1; // should never happen.
+ return comp;
}
-
+
+ private int hashCode(Class cl, String name, String actions) {
+ int hash = 3;
+ hash = 67 * hash + cl.hashCode();
+ hash = 67 * hash + name.hashCode();
+ hash = 67 * hash + actions.hashCode();
+ return hash;
+ }
+
}
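Review bot: The fallback `if (comp == 0 ) return -1;` returns -1 for both `compare(a, b)` and `compare(b, a)` when two distinct classes share a `toString()` (the same class name from different class loaders) and the combined hashes collide, which breaks the antisymmetry a `TreeSet` depends on. `getName()` and `getActions()` are also dereferenced in `hashCode(...)` and `compareTo(...)` without a null check, so a Permission implementation that returns null from either would throw inside the set. The class Javadoc should state the identity rule the code implements, for example `Two permissions compare as equal when their class, name and actions strings are equal; any other state is ignored.`, because code that uses this comparator for a cache key relies on exactly that rule.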
Modified: river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/ConcurrentPolicyFile.java
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/ConcurrentPolicyFile.java?rev=1222962&r1=1222961&r2=1222962&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/ConcurrentPolicyFile.java (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/ConcurrentPolicyFile.java Sat Dec 24 11:38:28 2011
@@ -289,7 +289,10 @@ public class ConcurrentPolicyFile extend
Collection<Permission> c = ge.getPermissions();
Iterator<Permission> i = c.iterator();
while (i.hasNext()){
- perms.add(i.next());
+ Permission p = i.next();
+ perms.add(p);
+ // Don't stuff around finish early if you can.
+ if (p instanceof AllPermission) return perms;
}
}
}
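Review bot: The comment `// Don't stuff around finish early if you can.` does not say why returning here is safe; something like `// AllPermission implies every other permission, so later grants cannot add anything.` would document the reasoning. The enclosing method and the outer loop start outside the hunk, so whether any state set up before this loop needs releasing on the early `return perms;` cannot be confirmed from here.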
Modified: river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/DelegateCombinerSecurityManager.java
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/DelegateCombinerSecurityManager.java?rev=1222962&r1=1222961&r2=1222962&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/DelegateCombinerSecurityManager.java (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/DelegateCombinerSecurityManager.java Sat Dec 24 11:38:28 2011
@@ -28,10 +28,12 @@ import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.util.ArrayList;
import java.util.Collection;
+import java.util.Comparator;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
+import java.util.TreeSet;
import java.util.concurrent.Callable;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
@@ -43,6 +45,7 @@ import java.util.concurrent.Future;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.logging.Level;
import java.util.logging.Logger;
+import net.jini.security.PermissionComparator;
import org.apache.river.api.delegates.DelegatePermission;
import org.apache.river.impl.util.CollectionsConcurrent;
import org.apache.river.impl.util.RC;
@@ -66,6 +69,7 @@ extends SecurityManager implements Deleg
private final Guard g;
private final Action action;
private final ExecutorService executor;
+ private final Comparator<Referrer<Permission>> permCompare;
public DelegateCombinerSecurityManager(){
super();
@@ -84,7 +88,11 @@ extends SecurityManager implements Deleg
double blocking_coefficient = 0.8; // 0 CPU intensive to 0.9 IO intensive
int numberOfCores = Runtime.getRuntime().availableProcessors();
int poolSize = (int) (numberOfCores / ( 1 - blocking_coefficient));
+ // If we decide to stay with an ExecutorService, we need to have a zero
+ // length SynchronousQueue and an Executor that hands the task to the calling
+ // thread if no pool threads are available.
executor = Executors.newFixedThreadPool(poolSize);
+ permCompare = RC.comparator(new PermissionComparator());
}
@Override
@@ -96,7 +104,7 @@ extends SecurityManager implements Deleg
Set<Permission> checkedPerms = checked.get(executionContext);
if (checkedPerms == null){
Set<Referrer<Permission>> internal =
- CollectionsConcurrent.multiReadSet(new HashSet<Referrer<Permission>>(96));
+ CollectionsConcurrent.multiReadSet(new TreeSet<Referrer<Permission>>(permCompare));
checkedPerms = RC.set(internal, Ref.SOFT);
Set<Permission> existed = checked.putIfAbsent(executionContext, checkedPerms);
if (existed != null) checkedPerms = existed;
@@ -132,9 +140,10 @@ extends SecurityManager implements Deleg
}
// Normal execution, same as SecurityManager.
executionContext.checkPermission(perm);
+ /* It's ok to cache SocketPermission if we use a comparator */
// If we get to here, no exceptions were thrown, we have permission.
// Don't cache SocketPermission.
- if (perm instanceof SocketPermission) return;
+ // if (perm instanceof SocketPermission) return;
checkedPerms.add(perm);
}
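Review bot: The two comments now contradict each other: `/* It's ok to cache SocketPermission if we use a comparator */` sits above `// Don't cache SocketPermission.` and a commented-out `return`, so a reader cannot tell which rule is in force. With the `return` disabled, a granted `SocketPermission` is stored in the `TreeSet` created with `permCompare`, and `PermissionComparator` treats entries as equal on class, name and actions text alone; a later check for the same host string would presumably be answered from the cache even if the host now resolves to a different address. If that is intended, delete the dead line and replace both comments with one, e.g. `// SocketPermission is cached by class/name/actions text (no DNS lookup); a cached grant outlives DNS changes.` The method begins outside the hunk, so how the cache is consulted is inferred rather than visible.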
Modified: river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/PermissionGrantBuilderImp.java
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/PermissionGrantBuilderImp.java?rev=1222962&r1=1222961&r2=1222962&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/PermissionGrantBuilderImp.java (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/PermissionGrantBuilderImp.java Sat Dec 24 11:38:28 2011
@@ -109,8 +109,8 @@ class PermissionGrantBuilderImp extends
if (context < 0) {
throw new IllegalStateException("context must be >= 0");
}
- if (context > 4) {
- throw new IllegalStateException("context must be <= 4");
+ if (context > 5) {
+ throw new IllegalStateException("context must be <= 5");
}
this.context = context;
return this;
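Review bot: The upper bound is a bare literal that had to be edited by hand, in both the condition and the message, when a new context value was added. Comparing against the highest named constant keeps the two in step, e.g. `if (context > PermissionGrantBuilder.URI) { throw new IllegalStateException("context must be <= " + PermissionGrantBuilder.URI); }`, assuming `PermissionGrantBuilder.URI` (used by `DefaultPolicyParser` in this commit) is the new maximum of 5. The method's signature is outside the hunk.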
Modified: river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/URIGrant.java
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/URIGrant.java?rev=1222962&r1=1222961&r2=1222962&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/URIGrant.java (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/URIGrant.java Sat Dec 24 11:38:28 2011
@@ -31,6 +31,8 @@ import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
+import java.util.logging.Level;
+import java.util.logging.Logger;
/**
*
@@ -108,14 +110,23 @@ class URIGrant extends CertificateGrant
// sun.security.provider.PolicyFile compatibility for null CodeSource is false.
// see com.sun.jini.test.spec.policyprovider.dynamicPolicyProvider.GrantPrincipal test.
if (codeSource == null) return false;
+ URL url = codeSource.getLocation();
+ if (url == null) return false;
if (location.isEmpty()) return true;
int l = location.size();
URI[] uris = location.toArray(new URI[l]);
for (int i = 0; i<l ; i++ ){
if (uris[i] == null) return true;
}
+ URI implied = null;
+ try {
+ implied = url.toURI();
+ } catch (URISyntaxException ex) {
+ ex.printStackTrace(System.err);
+ return false;
+ }
for (int i = 0; i<l ; i++){
- if (implies(uris[i], codeSource)) return true;
+ if (implies(uris[i], implied)) return true;
}
return false;
}
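Review bot: The new `if (url == null) return false;` runs before `if (location.isEmpty()) return true;` and before the null-entry loop, so a grant with no location restriction no longer applies to a `CodeSource` whose location is null; the earlier code returned true for that case. If that tightening is not intended, move the null check to just before `url.toURI()`. The `URISyntaxException` handler also calls `ex.printStackTrace(System.err)` although this commit imports `java.util.logging.Level` and `Logger` into the file; a grant denied because the code source location is not a valid URI is worth a log record, e.g. `Logger.getLogger(URIGrant.class.getName()).log(Level.WARNING, "code source location is not a valid URI", ex);`. The method's signature lies outside the hunk.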
@@ -185,7 +196,7 @@ class URIGrant extends CertificateGrant
* @return {@code true} if the argument code source is implied by this
* {@code CodeSource}, otherwise {@code false}.
*/
- private static boolean implies(URI location, CodeSource cs) {
+ private static boolean implies(URI grant, URI implied) {
//
// Here, javadoc:N refers to the appropriate item in the API spec for
// the CodeSource.implies()
@@ -213,31 +224,31 @@ class URIGrant extends CertificateGrant
// }
// javadoc:3
- if (location != null) {
+ if (grant != null) {
//javadoc:3.1
- URL otherURL = cs.getLocation();
- if ( otherURL == null) {
- return false;
- }
- URI otherURI;
- try {
- otherURI = otherURL.toURI();
- } catch (URISyntaxException ex) {
- return false;
- }
+// URL otherURL = cs.getLocation();
+// if ( otherURL == null) {
+// return false;
+// }
+// URI otherURI;
+// try {
+// otherURI = otherURL.toURI();
+// } catch (URISyntaxException ex) {
+// return false;
+// }
//javadoc:3.2
- if (location.equals(otherURI)) {
+ if (grant.equals(implied)) {
return true;
}
//javadoc:3.3
- if (!location.getSchemeSpecificPart().equals(otherURI.getSchemeSpecificPart())) {
+ if (!grant.getScheme().equals(implied.getScheme())) {
return false;
}
//javadoc:3.4
- String thisHost = location.getHost();
+ String thisHost = grant.getHost();
if (thisHost != null) {
- String thatHost = otherURI.getHost();
+ String thatHost = implied.getHost();
if (thatHost == null) {
return false;
}
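Review bot: `grant.getScheme()` returns null for a URI without a scheme, and `DefaultPolicyParser` in this commit builds grants with `new URI(...)`, which accepts such strings where `new URL(...)` did not, so the javadoc:3.3 test can throw a `NullPointerException` during a policy decision. URI schemes are also case-insensitive, so `equals` can reject `FILE:` against `file:`. A null-safe form is `String scheme = grant.getScheme(); if (scheme == null || !scheme.equalsIgnoreCase(implied.getScheme())) return false;`. The commented-out `otherURL`/`otherURI` block above it is dead code and can be deleted, and the Javadoc before the renamed signature still describes a code source argument. The method continues beyond the hunk.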
@@ -332,16 +343,17 @@ class URIGrant extends CertificateGrant
} // if (this.location.getHost() != null)
//javadoc:3.5
- if (location.getPort() != -1) {
- if (location.getPort() != otherURI.getPort()) {
+ if (grant.getPort() != -1) {
+ if (grant.getPort() != implied.getPort()) {
return false;
}
}
//javadoc:3.6
- // for compatbility with URL.getFile, the Query is concatenated to the path.
- String thisFile = location.getPath() + location.getQuery();
- String thatFile = otherURI.getPath() + otherURI.getQuery();
+ // compatbility with URL.getFile
+ String thisFile = grant.getPath();
+ String thatFile = implied.getPath();
+ if (thatFile == null) return false;
if (thisFile.endsWith("/-")) { //javadoc:3.6."/-" //$NON-NLS-1$
if (!thatFile.startsWith(thisFile.substring(0, thisFile
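Review bot: Only `thatFile` is null-checked; `grant.getPath()` also returns null for an opaque URI, and `thisFile.endsWith("/-")` on the next line would then throw. `if (thisFile == null || thatFile == null) return false;` covers both. Dropping `getQuery()` means two locations that differ only in their query string now match the same grant, and the comment `// compatbility with URL.getFile` no longer describes the code because `URL.getFile()` includes the query; it should say that the query is deliberately ignored, if that is the intent. The statement at the end of the hunk is cut off, so the rest of the path matching is not visible.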
@@ -372,8 +384,8 @@ class URIGrant extends CertificateGrant
//javadoc:3.7
// A URL Anchor is a URI Fragment.
- if (location.getFragment() != null) {
- if (!location.getFragment().equals(otherURI.getFragment())) {
+ if (grant.getFragment() != null) {
+ if (!grant.getFragment().equals(implied.getFragment())) {
return false;
}
}
Modified: river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/security/policy/util/DefaultPolicyParser.java
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/security/policy/util/DefaultPolicyParser.java?rev=1222962&r1=1222961&r2=1222962&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/security/policy/util/DefaultPolicyParser.java (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/security/policy/util/DefaultPolicyParser.java Sat Dec 24 11:38:28 2011
@@ -27,6 +27,7 @@ import java.io.File;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.Reader;
+import java.net.URI;
import java.net.URL;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
@@ -196,8 +197,8 @@ public class DefaultPolicyParser impleme
* ANSWER: No we just make a CodeSourceSetGrant, that contains multiple
* CodeSource.
*/
- URL codebase = null;
- List<URL> codebases = new ArrayList<URL>();
+ URI codebase = null;
+ List<URI> codebases = new ArrayList<URI>(8);
Certificate[] signers = null;
Set<Principal> principals = new HashSet<Principal>();
Set<Permission> permissions = new HashSet<Permission>();
@@ -208,13 +209,13 @@ public class DefaultPolicyParser impleme
Collection<String> cbstr = expandURLs(cb, system);
Iterator<String> it = cbstr.iterator();
while (it.hasNext()){
- codebases.add(new URL(it.next()));
+ codebases.add(new URI(it.next()));
}
} catch (ExpansionFailedException e) {
- codebase = new URL(cb);
+ codebases.add(new URI(cb));
}
} else {
- codebase = new URL(cb);
+ codebases.add(new URI(cb));
}
}
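Review bot: `new URI(...)` accepts relative and opaque strings that `new URL(...)` rejected with `MalformedURLException`, so a codebase entry with a missing or mistyped scheme now becomes a grant instead of a parse error. Checking each parsed value before `codebases.add(...)`, e.g. `if (!u.isAbsolute()) throw new URISyntaxException(s, "codebase must be an absolute URI");`, restores that validation at policy load time. After this change the local `URI codebase = null;` declared in the previous hunk is never assigned in the visible lines and looks removable. The enclosing method starts outside the hunk, so how `URISyntaxException` is handled there is not visible.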
if ( ge.getSigners() != null) {
@@ -252,21 +253,15 @@ public class DefaultPolicyParser impleme
}
}
PermissionGrantBuilder pgb = PermissionGrantBuilder.newBuilder();
- if ( codebase != null ) {
- pgb.codeSource(new CodeSource(codebase, signers));
- } else if (codebases.size() == 1) {
- pgb.codeSource(new CodeSource(codebases.get(0), signers));
- } else if (codebases.size() > 1 ){
- pgb.multipleCodeSources();
- Iterator<URL> iter = codebases.iterator();
- while (iter.hasNext()){
- pgb.codeSource(new CodeSource(iter.next(), signers));
- }
+ Iterator<URI> iter = codebases.iterator();
+ while (iter.hasNext()){
+ pgb.uri(iter.next());
}
return pgb
+ .certificates(signers)
.principals(principals.toArray(new Principal[principals.size()]))
.permissions(permissions.toArray(new Permission[permissions.size()]))
- .context(PermissionGrantBuilder.CODESOURCE)
+ .context(PermissionGrantBuilder.URI)
.build();
}