You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@commons.apache.org by mb...@apache.org on 2013/08/20 02:30:53 UTC
svn commit: r1515678 - in
/commons/sandbox/weaver/trunk/modules/privilizer/src: ./ site/
site/markdown/ site/markdown/index.md
Author: mbenson
Date: Tue Aug 20 00:30:52 2013
New Revision: 1515678
URL: http://svn.apache.org/r1515678
Log:
document privilizer
Added:
commons/sandbox/weaver/trunk/modules/privilizer/src/
commons/sandbox/weaver/trunk/modules/privilizer/src/site/
commons/sandbox/weaver/trunk/modules/privilizer/src/site/markdown/
commons/sandbox/weaver/trunk/modules/privilizer/src/site/markdown/index.md
Added: commons/sandbox/weaver/trunk/modules/privilizer/src/site/markdown/index.md
URL: http://svn.apache.org/viewvc/commons/sandbox/weaver/trunk/modules/privilizer/src/site/markdown/index.md?rev=1515678&view=auto
==============================================================================
--- commons/sandbox/weaver/trunk/modules/privilizer/src/site/markdown/index.md (added)
+++ commons/sandbox/weaver/trunk/modules/privilizer/src/site/markdown/index.md Tue Aug 20 00:30:52 2013
@@ -0,0 +1,96 @@
+## Apache Commons Weaver Privilizer
+
+Provides machinery to automate the handling of Java Security access
+controls in code. This involves wrapping calls that may trigger
+`java.lang.SecurityException`s in `PrivilegedAction` objects.
+Unfortunately this is quite an expensive operation and slows code
+down considerably; when executed in an environment that has no
+`SecurityManager` activated it is an utter waste.
+The typical pattern to cope with this is:
+
+```java
+if (System.getSecurityManager() != null) {
+ AccessController.doPrivileged(new PrivilegedAction<Void>() {
+ public Void run() {
+ doSomethingThatRequiresPermissions();
+ return null;
+ }
+ });
+} else {
+ doSomethingThatRequiresPermissions();
+}
+```
+
+This becomes tedious in short order. The immediate response of a
+typical developer: relegate the repetitive code to a set of
+utility methods. In the case of Java security, however, this
+approach is considered risky. The purpose of the Privilizer, then,
+is to instrument compiled methods originally annotated with our
+`@Privileged` annotation. This annotation is retained in the
+classfiles, but not available at runtime, and there are no runtime
+dependencies.
+
+### Basic Privilization
+
+```java
+
+@Privileged
+private void doSomethingThatRequiresPermissions() {
+ ...
+}
+```
+
+Annotating a method with the [@Privileged][privileged] annotation will cause
+the [PrivilizerWeaver][privilizerWeaver] to generate these checks automatically,
+leaving you to simply implement the code!
+
+### Blueprint Privilization
+The so-called "blueprint" feature returns to the concept of static utility
+methods. Why are these considered a liability? Because your trusted code
+presumptuously extends your trust via public methods to any class in the JVM,
+almost certainly contrary to the wishes of the owner of that JVM. Our
+blueprint technique allows you to define (or reuse) static utility methods
+in a secure way: simply define these utility methods in a
+`SecurityManager`-agnostic manner and let the consuming class request that
+calls to them be treated as blueprints for `@Privileged` methods:
+
+```java
+public class Utils {
+ public static void doSomethingThatRequiresPrivileges() {
+ ...
+ }
+}
+
+@Privilizing(CallTo(Utils.class))
+public class UtilsClient {
+ public void foo() {
+ Utils.doSomethingThatRequiresPrivileges();
+ }
+}
+```
+
+The static methods of the `Utils` class will be called as though they had been
+locally declared and annotated with `@Privileged`.
+
+*Q:* What if my utility methods access static variables of their declaring class?
+
+*A:* The imported methods reference those fields via reflection; i.e. the
+ original fields are used.
+
+*Q:* Does this modify the accessibility of those fields?
+
+*A:* Yes, but only for the duration of the method implementation. The fields'
+ accessibility is checked before execution, and if a given field is not
+ accessible on the way in, it will be restored to its original state in
+ a `finally` block.
+
+### Configuration
+The `PrivilizerWeaver` supports the following options:
+
+- `privilizer.accessLevel` : name of the highest [AccessLevel][accessLevel] to privilize (default `PRIVATE`)
+- `privilizer.policy` : name of the [Policy][policy] (determines when to check for a `SecurityManager`)
+
+[privileged]: ../../apidocs/org/apache/commons/weaver/privilizer/Privileged.html
+[privilizerWeaver]: ../../apidocs/org/apache/commons/weaver/privilizer/PrivilizerWeaver.html
+[policy]: ../../apidocs/org/apache/commons/weaver/privilizer/Policy.html
+[accessLevel]: ../../apidocs/org/apache/commons/weaver/privilizer/AccessLevel.html