You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@river.apache.org by pe...@apache.org on 2011/01/13 12:02:14 UTC
svn commit: r1058501 - in /incubator/river/jtsk/skunk/modules:
river-platform/src/main/java/net/jini/security/
river-platform/src/main/java/net/jini/security/proxytrust/
river-policy/src/main/java/net/jini/security/
river-policy/src/main/java/net/jini/...
Author: peter_firmstone
Date: Thu Jan 13 11:02:13 2011
New Revision: 1058501
URL: http://svn.apache.org/viewvc?rev=1058501&view=rev
Log:
River-300 copy river-platform module java source files from trunk
Added:
incubator/river/jtsk/skunk/modules/river-platform/src/main/java/net/jini/security/
incubator/river/jtsk/skunk/modules/river-platform/src/main/java/net/jini/security/AccessPermission.java
- copied unchanged from r1058489, incubator/river/jtsk/skunk/modules/river-policy/src/main/java/net/jini/security/AccessPermission.java
incubator/river/jtsk/skunk/modules/river-platform/src/main/java/net/jini/security/AuthenticationPermission.java
- copied unchanged from r1058489, incubator/river/jtsk/skunk/modules/river-policy/src/main/java/net/jini/security/AuthenticationPermission.java
incubator/river/jtsk/skunk/modules/river-platform/src/main/java/net/jini/security/BasicProxyPreparer.java
- copied unchanged from r1058489, incubator/river/jtsk/skunk/modules/river-policy/src/main/java/net/jini/security/BasicProxyPreparer.java
incubator/river/jtsk/skunk/modules/river-platform/src/main/java/net/jini/security/IntegrityVerifier.java
- copied unchanged from r1058489, incubator/river/jtsk/skunk/modules/river-policy/src/main/java/net/jini/security/IntegrityVerifier.java
incubator/river/jtsk/skunk/modules/river-platform/src/main/java/net/jini/security/ProxyPreparer.java
- copied unchanged from r1058489, incubator/river/jtsk/skunk/modules/river-policy/src/main/java/net/jini/security/ProxyPreparer.java
incubator/river/jtsk/skunk/modules/river-platform/src/main/java/net/jini/security/Security.java
- copied unchanged from r1058489, incubator/river/jtsk/skunk/modules/river-policy/src/main/java/net/jini/security/Security.java
incubator/river/jtsk/skunk/modules/river-platform/src/main/java/net/jini/security/TrustVerifier.java (with props)
incubator/river/jtsk/skunk/modules/river-platform/src/main/java/net/jini/security/VerifyingProxyPreparer.java (with props)
incubator/river/jtsk/skunk/modules/river-platform/src/main/java/net/jini/security/package.html (with props)
incubator/river/jtsk/skunk/modules/river-platform/src/main/java/net/jini/security/proxytrust/
incubator/river/jtsk/skunk/modules/river-platform/src/main/java/net/jini/security/proxytrust/BasicUntrustedObjectSecurityContext.java
- copied unchanged from r1058489, incubator/river/jtsk/skunk/modules/river-policy/src/main/java/net/jini/security/proxytrust/BasicUntrustedObjectSecurityContext.java
incubator/river/jtsk/skunk/modules/river-platform/src/main/java/net/jini/security/proxytrust/ProxyTrust.java
- copied unchanged from r1058489, incubator/river/jtsk/skunk/modules/river-policy/src/main/java/net/jini/security/proxytrust/ProxyTrust.java
incubator/river/jtsk/skunk/modules/river-platform/src/main/java/net/jini/security/proxytrust/ProxyTrustExporter.java
- copied unchanged from r1058489, incubator/river/jtsk/skunk/modules/river-policy/src/main/java/net/jini/security/proxytrust/ProxyTrustExporter.java
incubator/river/jtsk/skunk/modules/river-platform/src/main/java/net/jini/security/proxytrust/ProxyTrustInvocationHandler.java
- copied unchanged from r1058489, incubator/river/jtsk/skunk/modules/river-policy/src/main/java/net/jini/security/proxytrust/ProxyTrustInvocationHandler.java
incubator/river/jtsk/skunk/modules/river-platform/src/main/java/net/jini/security/proxytrust/ProxyTrustIterator.java
- copied unchanged from r1058489, incubator/river/jtsk/skunk/modules/river-policy/src/main/java/net/jini/security/proxytrust/ProxyTrustIterator.java
incubator/river/jtsk/skunk/modules/river-platform/src/main/java/net/jini/security/proxytrust/ProxyTrustVerifier.java
- copied unchanged from r1058489, incubator/river/jtsk/skunk/modules/river-policy/src/main/java/net/jini/security/proxytrust/ProxyTrustVerifier.java
incubator/river/jtsk/skunk/modules/river-platform/src/main/java/net/jini/security/proxytrust/ServerProxyTrust.java
- copied unchanged from r1058489, incubator/river/jtsk/skunk/modules/river-policy/src/main/java/net/jini/security/proxytrust/ServerProxyTrust.java
incubator/river/jtsk/skunk/modules/river-platform/src/main/java/net/jini/security/proxytrust/SingletonProxyTrustIterator.java
- copied unchanged from r1058489, incubator/river/jtsk/skunk/modules/river-policy/src/main/java/net/jini/security/proxytrust/SingletonProxyTrustIterator.java
incubator/river/jtsk/skunk/modules/river-platform/src/main/java/net/jini/security/proxytrust/TrustEquivalence.java
- copied unchanged from r1058489, incubator/river/jtsk/skunk/modules/river-policy/src/main/java/net/jini/security/proxytrust/TrustEquivalence.java
incubator/river/jtsk/skunk/modules/river-platform/src/main/java/net/jini/security/proxytrust/UntrustedObjectSecurityContext.java
- copied unchanged from r1058489, incubator/river/jtsk/skunk/modules/river-policy/src/main/java/net/jini/security/proxytrust/UntrustedObjectSecurityContext.java
incubator/river/jtsk/skunk/modules/river-platform/src/main/java/net/jini/security/proxytrust/package.html
- copied unchanged from r1058489, incubator/river/jtsk/skunk/modules/river-policy/src/main/java/net/jini/security/proxytrust/package.html
Removed:
incubator/river/jtsk/skunk/modules/river-policy/src/main/java/net/jini/security/AccessPermission.java
incubator/river/jtsk/skunk/modules/river-policy/src/main/java/net/jini/security/AuthenticationPermission.java
incubator/river/jtsk/skunk/modules/river-policy/src/main/java/net/jini/security/BasicProxyPreparer.java
incubator/river/jtsk/skunk/modules/river-policy/src/main/java/net/jini/security/IntegrityVerifier.java
incubator/river/jtsk/skunk/modules/river-policy/src/main/java/net/jini/security/ProxyPreparer.java
incubator/river/jtsk/skunk/modules/river-policy/src/main/java/net/jini/security/Security.java
incubator/river/jtsk/skunk/modules/river-policy/src/main/java/net/jini/security/TrustVerifier.java
incubator/river/jtsk/skunk/modules/river-policy/src/main/java/net/jini/security/VerifyingProxyPreparer.java
incubator/river/jtsk/skunk/modules/river-policy/src/main/java/net/jini/security/package.html
incubator/river/jtsk/skunk/modules/river-policy/src/main/java/net/jini/security/proxytrust/BasicUntrustedObjectSecurityContext.java
incubator/river/jtsk/skunk/modules/river-policy/src/main/java/net/jini/security/proxytrust/ProxyTrust.java
incubator/river/jtsk/skunk/modules/river-policy/src/main/java/net/jini/security/proxytrust/ProxyTrustExporter.java
incubator/river/jtsk/skunk/modules/river-policy/src/main/java/net/jini/security/proxytrust/ProxyTrustInvocationHandler.java
incubator/river/jtsk/skunk/modules/river-policy/src/main/java/net/jini/security/proxytrust/ProxyTrustIterator.java
incubator/river/jtsk/skunk/modules/river-policy/src/main/java/net/jini/security/proxytrust/ProxyTrustVerifier.java
incubator/river/jtsk/skunk/modules/river-policy/src/main/java/net/jini/security/proxytrust/ServerProxyTrust.java
incubator/river/jtsk/skunk/modules/river-policy/src/main/java/net/jini/security/proxytrust/SingletonProxyTrustIterator.java
incubator/river/jtsk/skunk/modules/river-policy/src/main/java/net/jini/security/proxytrust/TrustEquivalence.java
incubator/river/jtsk/skunk/modules/river-policy/src/main/java/net/jini/security/proxytrust/UntrustedObjectSecurityContext.java
incubator/river/jtsk/skunk/modules/river-policy/src/main/java/net/jini/security/proxytrust/package.html
Added: incubator/river/jtsk/skunk/modules/river-platform/src/main/java/net/jini/security/TrustVerifier.java
URL: http://svn.apache.org/viewvc/incubator/river/jtsk/skunk/modules/river-platform/src/main/java/net/jini/security/TrustVerifier.java?rev=1058501&view=auto
==============================================================================
--- incubator/river/jtsk/skunk/modules/river-platform/src/main/java/net/jini/security/TrustVerifier.java (added)
+++ incubator/river/jtsk/skunk/modules/river-platform/src/main/java/net/jini/security/TrustVerifier.java Thu Jan 13 11:02:13 2011
@@ -0,0 +1,113 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package net.jini.security;
+
+import java.rmi.RemoteException;
+import java.util.Collection;
+
+/**
+ * Defines the interface for trust verifiers used by
+ * {@link Security#verifyObjectTrust Security.verifyObjectTrust}, allowing
+ * the objects that are trusted to be extended.
+ *
+ * @author Sun Microsystems, Inc.
+ *
+ * @since 2.0
+ */
+public interface TrustVerifier {
+ /**
+ * Returns <code>true</code> if the specified object is known to be
+ * trusted to correctly implement its contract; returns <code>false</code>
+ * otherwise.
+ *
+ * @param obj the object in which to verify trust
+ * @param ctx the trust verifier context, to aid in verification of
+ * the specified object and its components
+ * @return <code>true</code> if the specified object is known to be
+ * trusted to correctly implement its contract; <code>false</code>
+ * otherwise
+ * @throws RemoteException if a communication-related exception occurs
+ * @throws SecurityException if a security exception occurs
+ * @throws NullPointerException if any argument is <code>null</code>
+ */
+ boolean isTrustedObject(Object obj, Context ctx)
+ throws RemoteException;
+
+ /**
+ * Defines the context for trust verification used by
+ * {@link TrustVerifier} instances and {@link Security#verifyObjectTrust
+ * Security.verifyObjectTrust}. A context contains an ordered list of
+ * {@link TrustVerifier} instances, a class loader, and a collection of
+ * other context objects typically provided by the caller of
+ * <code>Security.verifyObjectTrust</code>.
+ *
+ * @since 2.0
+ */
+ public interface Context {
+ /**
+ * Returns <code>true</code> if the specified object is trusted to
+ * correctly implement its contract; returns <code>false</code>
+ * otherwise.
+ * <p>
+ * If the specified object is <code>null</code>, this method returns
+ * <code>true</code>. Otherwise, the
+ * {@link TrustVerifier#isTrustedObject isTrustedObject} method of
+ * each verifier contained in this context is called (in order) with
+ * the specified object and this context. If any verifier call returns
+ * <code>true</code>, the object is trusted and this method returns
+ * <code>true</code>. If all of the verifier calls return
+ * <code>false</code>, this method returns <code>false</code>.
+ * If one or more verifier calls throw a <code>RemoteException</code>
+ * or <code>SecurityException</code>, the last such exception is
+ * thrown to the caller (unless some verifier call returns
+ * <code>true</code>).
+ *
+ * @param obj the object in which to verify trust
+ * @return <code>true</code> if the specified object is trusted to
+ * correctly implements its contract; <code>false</code> otherwise
+ * @throws RemoteException if a communication-related exception occurs
+ * @throws SecurityException if a security exception occurs
+ */
+ boolean isTrustedObject(Object obj) throws RemoteException;
+
+ /**
+ * Returns the class loader that can be used as a basis for trust
+ * verification. In particular, classes and resources reachable from
+ * this class loader can be assumed to be trustworthy. A
+ * <code>null</code> value is interpreted to mean the current context
+ * class loader.
+ *
+ * @return the class loader that can be used as a basis for trust
+ * verification
+ */
+ ClassLoader getClassLoader();
+
+ /**
+ * Returns a collection of context objects for use by trust verifiers.
+ * The meaning of an element in this collection is determined by its
+ * type. As a specific example, a
+ * {@link net.jini.core.constraint.MethodConstraints}
+ * instance could be used to specify client constraints for any remote
+ * calls that trust verifiers might need to perform.
+ *
+ * @return a collection of context objects for use by trust verifiers
+ */
+ Collection getCallerContext();
+ }
+}
Propchange: incubator/river/jtsk/skunk/modules/river-platform/src/main/java/net/jini/security/TrustVerifier.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: incubator/river/jtsk/skunk/modules/river-platform/src/main/java/net/jini/security/VerifyingProxyPreparer.java
URL: http://svn.apache.org/viewvc/incubator/river/jtsk/skunk/modules/river-platform/src/main/java/net/jini/security/VerifyingProxyPreparer.java?rev=1058501&view=auto
==============================================================================
--- incubator/river/jtsk/skunk/modules/river-platform/src/main/java/net/jini/security/VerifyingProxyPreparer.java (added)
+++ incubator/river/jtsk/skunk/modules/river-platform/src/main/java/net/jini/security/VerifyingProxyPreparer.java Thu Jan 13 11:02:13 2011
@@ -0,0 +1,399 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package net.jini.security;
+
+import java.rmi.RemoteException;
+import java.security.Permission;
+import java.security.Principal;
+import java.util.Arrays;
+import java.util.Collections;
+import net.jini.core.constraint.MethodConstraints;
+import net.jini.core.constraint.RemoteMethodControl;
+
+/**
+ * A <code>ProxyPreparer</code> for verifying that proxies are trusted,
+ * dynamically granting permissions to trusted proxies, and optionally
+ * setting the client constraints on trusted proxies.
+ *
+ * @author Sun Microsystems, Inc.
+ * @since 2.1
+ */
+public final class VerifyingProxyPreparer implements ProxyPreparer {
+
+ /** Set constraints on proxy from context. */
+ private static final int SET_CONSTRAINTS = 1;
+ /** No change to proxy or context. */
+ private static final int AS_IS = 2;
+ /** Add proxy's constraints to context. */
+ private static final int ADD_CONSTRAINTS = 3;
+
+ /** SET_CONSTRAINTS, AS_IS, or ADD_CONSTRAINTS. */
+ private final int type;
+ /** Class loader to pass to verifyObjectTrust. */
+ private final ClassLoader loader;
+ /** Trust verifier context elements. */
+ private final Object[] contextElements;
+ /** Principals to scope the permission grant, if any. */
+ private final Principal[] principals;
+ /** Permissions to dynamically grant. */
+ private final Permission[] permissions;
+
+ /**
+ * Creates a proxy preparer that verifies proxies using the context
+ * class loader and specified trust verifier context elements, dynamically
+ * grants the specified permissions to trusted proxies for the principals
+ * of the preparing thread's subject, and returns trusted proxies with
+ * their client constraints set to the constraints specified as a trust
+ * verifier context element. The arrays passed to this constructor are
+ * neither modified nor retained; subsequent changes to the arrays have no
+ * effect on the instance created.
+ *
+ * @param contextElements the trust verifier context elements
+ * @param permissions the permissions to dynamically grant, or
+ * <code>null</code> if no permissions should be granted
+ * @throws NullPointerException if <code>contextElements</code> is
+ * <code>null</code> or any element of <code>permissions</code> is
+ * <code>null</code>
+ * @throws IllegalArgumentException if no element of
+ * <code>contextElements</code> is an instance of {@link MethodConstraints}
+ */
+ public VerifyingProxyPreparer(Object[] contextElements,
+ Permission[] permissions)
+ {
+ this(null, contextElements, null, permissions);
+ }
+
+ /**
+ * Creates a proxy preparer that verifies proxies using the specified
+ * class loader and trust verifier context elements, dynamically grants
+ * the specified permissions to trusted proxies for the specified
+ * principals, and returns trusted proxies with their client constraints
+ * set to the constraints specified as a trust verifier context element.
+ * The arrays passed to this constructor are neither modified nor
+ * retained; subsequent changes to the arrays have no effect on the
+ * instance created.
+ *
+ * @param loader the class loader for finding trust verifiers, or
+ * <code>null</code> to use the context class loader
+ * @param contextElements the trust verifier context elements
+ * @param principals minimum set of principals to which grants apply, or
+ * <code>null</code> to use the principals of the preparing thread's
+ * subject
+ * @param permissions the permissions to dynamically grant, or
+ * <code>null</code> if no permissions should be granted
+ * @throws NullPointerException if <code>contextElements</code> is
+ * <code>null</code> or any element of <code>principals</code> or
+ * <code>permissions</code> is <code>null</code>
+ * @throws IllegalArgumentException if no element of
+ * <code>contextElements</code> is an instance of {@link MethodConstraints}
+ */
+ public VerifyingProxyPreparer(ClassLoader loader,
+ Object[] contextElements,
+ Principal[] principals,
+ Permission[] permissions)
+ {
+ type = SET_CONSTRAINTS;
+ this.loader = loader;
+ this.contextElements = (Object[]) contextElements.clone();
+ this.principals = checkPrincipals(principals);
+ this.permissions = checkPermissions(permissions);
+ for (int i = this.contextElements.length; --i >= 0; ) {
+ if (this.contextElements[i] instanceof MethodConstraints) {
+ return;
+ }
+ }
+ throw new IllegalArgumentException("no MethodConstraints in context");
+ }
+
+ /**
+ * Creates a proxy preparer that verifies proxies using the specified
+ * class loader and trust verifier context elements (optionally with
+ * the proxy's client constraints as an additional context element),
+ * dynamically grants the specified permissions to trusted proxies for the
+ * specified principals, and returns trusted proxies with their original
+ * client constraints intact. The arrays passed to this constructor are
+ * neither modified nor retained; subsequent changes to the arrays have no
+ * effect on the instance created.
+ *
+ * @param addProxyConstraints <code>true</code> if the proxy's client
+ * constraints should be included as a trust verifier context element,
+ * <code>false</code> otherwise
+ * @param loader the class loader for finding trust verifiers, or
+ * <code>null</code> to use the context class loader
+ * @param contextElements the trust verifier context elements, or
+ * <code>null</code> if no elements need to be supplied
+ * @param principals minimum set of principals to which grants apply, or
+ * <code>null</code> to use the principals of the preparing thread's
+ * subject
+ * @param permissions the permissions to dynamically grant, or
+ * <code>null</code> if no permissions should be granted
+ * @throws NullPointerException if any element of <code>principals</code>
+ * or <code>permissions</code> is <code>null</code>
+ */
+ public VerifyingProxyPreparer(boolean addProxyConstraints,
+ ClassLoader loader,
+ Object[] contextElements,
+ Principal[] principals,
+ Permission[] permissions)
+ {
+ type = addProxyConstraints ? ADD_CONSTRAINTS : AS_IS;
+ this.loader = loader;
+ this.contextElements = contextElements == null ?
+ new Object[0] : (Object[]) contextElements.clone();
+ this.principals = checkPrincipals(principals);
+ this.permissions = checkPermissions(permissions);
+ }
+
+ /** Clones the argument, checks for null elements, returns non-null. */
+ private static Permission[] checkPermissions(Permission[] permissions) {
+ if (permissions == null) {
+ return new Permission[0];
+ }
+ permissions = (Permission[]) permissions.clone();
+ for (int i = permissions.length; --i >= 0; ) {
+ if (permissions[i] == null) {
+ throw new NullPointerException("permission cannot be null");
+ }
+ }
+ return permissions;
+ }
+
+ /** Clones the argument, checks for null elements. */
+ private static Principal[] checkPrincipals(Principal[] principals) {
+ if (principals == null) {
+ return null;
+ }
+ principals = (Principal[]) principals.clone();
+ for (int i = principals.length; --i >= 0; ) {
+ if (principals[i] == null) {
+ throw new NullPointerException("principal cannot be null");
+ }
+ }
+ return principals;
+ }
+
+ /**
+ * Performs operations on a proxy to prepare it for use, returning the
+ * prepared proxy, which may or may not be the argument itself.
+ * <p>
+ * If this preparer was created using the two-argument or four-argument
+ * constructor, or using the five-argument constructor
+ * with <code>addProxyConstraints</code> set to <code>true</code>, and if
+ * the specified proxy is not an instance of {@link RemoteMethodControl},
+ * then a <code>SecurityException</code> is thrown. Otherwise,
+ * {@link Security#verifyObjectTrust Security.verifyObjectTrust} is
+ * invoked with the specified proxy, the class loader that was passed to
+ * the constructor of this preparer (or <code>null</code> if the
+ * two-argument constructor was used), and a trust verifier context
+ * collection containing all of the context elements that were passed to
+ * the constructor of this preparer. If this preparer was created using
+ * the five-arguent constructor with <code>addProxyConstraints</code>
+ * set to <code>true</code>, then the proxy's client constraints (obtained
+ * by calling {@link RemoteMethodControl#getConstraints getConstraints} on
+ * the proxy) are included as an additional context element. Any exception
+ * thrown by <code>verifyObjectTrust</code> is thrown by this method. If
+ * this preparer was created with a non-<code>null</code> array of
+ * principals and one or more permissions, then
+ * {@link Security#grant(Class,Principal[],Permission[]) Security.grant}
+ * is invoked with the proxy's class and those principals and permissions.
+ * If this preparer was created with no array of principals (either
+ * <code>null</code> was specified or the two-argument constructor was
+ * used) but one or more permissions, then
+ * {@link Security#grant(Class,Permission[]) Security.grant} is invoked
+ * with the proxy's class and those permissions. In either case, if
+ * <code>grant</code>
+ * throws an {@link UnsupportedOperationException}, this method throws
+ * a <code>SecurityException</code>. Finally, if this preparer was
+ * created using the five-argument constructor, then the original proxy
+ * is returned, otherwise what is returned is the result of calling
+ * {@link RemoteMethodControl#setConstraints
+ * RemoteMethodControl.setConstraints} on the proxy, passing the first
+ * trust verifier context element that is an instance of
+ * {@link MethodConstraints}.
+ *
+ * @param proxy the proxy to prepare
+ * @return the prepared proxy
+ * @throws NullPointerException if <code>proxy</code> is <code>null</code>
+ * @throws RemoteException if a communication-related exception occurs
+ * @throws SecurityException if a security exception occurs
+ */
+ public Object prepareProxy(Object proxy) throws RemoteException {
+ if (proxy == null) {
+ throw new NullPointerException("proxy cannot be null");
+ } else if (type != AS_IS && !(proxy instanceof RemoteMethodControl)) {
+ throw new SecurityException(
+ "proxy must implement RemoteMethodControl");
+ }
+ Object[] elts = contextElements;
+ if (type == ADD_CONSTRAINTS) {
+ elts = new Object[contextElements.length + 1];
+ elts[0] = ((RemoteMethodControl) proxy).getConstraints();
+ System.arraycopy(contextElements, 0, elts, 1,
+ contextElements.length);
+ }
+ Security.verifyObjectTrust(proxy, loader,
+ Collections.unmodifiableCollection(
+ Arrays.asList(elts)));
+ if (permissions.length > 0) {
+ try {
+ if (principals == null) {
+ Security.grant(proxy.getClass(), permissions);
+ } else {
+ Security.grant(proxy.getClass(), principals, permissions);
+ }
+ } catch (UnsupportedOperationException e) {
+ SecurityException se = new SecurityException(
+ "dynamic permission grants are not supported");
+ se.initCause(e);
+ throw se;
+ }
+ }
+ if (type == SET_CONSTRAINTS) {
+ for (int i = 0; i < contextElements.length; i++) {
+ Object elt = contextElements[i];
+ if (elt instanceof MethodConstraints) {
+ return ((RemoteMethodControl) proxy).setConstraints(
+ (MethodConstraints) elt);
+ }
+ }
+ }
+ return proxy;
+ }
+
+ /** Returns a string representation of this object. */
+ public String toString() {
+ StringBuffer sb = new StringBuffer("VerifyingProxyPreparer[");
+ if (type != SET_CONSTRAINTS) {
+ sb.append(type == AS_IS ? "false, " : "true, ");
+ }
+ sb.append(loader);
+ sb.append(", {");
+ for (int i = 0; i < contextElements.length; i++) {
+ if (i > 0) {
+ sb.append(", ");
+ }
+ sb.append(contextElements[i]);
+ }
+ if (principals == null) {
+ sb.append("}, null, {");
+ } else {
+ sb.append("}, {");
+ for (int i = 0; i < principals.length; i++) {
+ if (i > 0) {
+ sb.append(", ");
+ }
+ sb.append(principals[i]);
+ }
+ sb.append("}, {");
+ }
+ for (int i = 0; i < permissions.length; i++) {
+ if (i > 0) {
+ sb.append(", ");
+ }
+ sb.append(permissions[i]);
+ }
+ sb.append("}]");
+ return sb.toString();
+ }
+
+ /**
+ * Returns <code>true</code> if the specified object and this object
+ * are both instances of this class that were constructed with equivalent
+ * arguments. The order of trust verifier context elements, principals,
+ * and permissions in the arrays that were passed to the constructor is
+ * not significant.
+ */
+ public boolean equals(Object obj) {
+ if (this == obj) {
+ return true;
+ } else if (!(obj instanceof VerifyingProxyPreparer)) {
+ return false;
+ }
+ VerifyingProxyPreparer other = (VerifyingProxyPreparer) obj;
+ if (type != other.type ||
+ loader != other.loader ||
+ contextElements.length != other.contextElements.length ||
+ (principals == null) != (other.principals == null) ||
+ (principals != null &&
+ principals.length != other.principals.length) ||
+ permissions.length != other.permissions.length)
+ {
+ return false;
+ }
+ Object[] otherElts = (Object[]) other.contextElements.clone();
+ context:
+ for (int i = contextElements.length; --i >= 0; ) {
+ Object elt = contextElements[i];
+ for (int j = i; j >= 0; j--) {
+ if (elt.equals(otherElts[j])) {
+ otherElts[j] = otherElts[i];
+ continue context;
+ }
+ }
+ return false;
+ }
+ if (principals != null) {
+ Principal[] otherPrins = (Principal[]) other.principals.clone();
+ prins:
+ for (int i = principals.length; --i >= 0; ) {
+ Principal p = principals[i];
+ for (int j = i; j >= 0; j--) {
+ if (p.equals(otherPrins[j])) {
+ otherPrins[j] = otherPrins[i];
+ continue prins;
+ }
+ }
+ return false;
+ }
+ }
+ Permission[] otherPerms = (Permission[]) other.permissions.clone();
+ perms:
+ for (int i = permissions.length; --i >= 0; ) {
+ Permission p = permissions[i];
+ for (int j = i; j >= 0; j--) {
+ if (p.equals(otherPerms[j])) {
+ otherPerms[j] = otherPerms[i];
+ continue perms;
+ }
+ }
+ return false;
+ }
+ return true;
+ }
+
+ /** Returns a hash code value for this object. */
+ public int hashCode() {
+ int hash = type;
+ if (loader != null) {
+ hash += loader.hashCode();
+ }
+ for (int i = contextElements.length; --i >= 0; ) {
+ hash += contextElements[i].hashCode();
+ }
+ if (principals != null) {
+ for (int i = principals.length; --i >= 0; ) {
+ hash += principals[i].hashCode();
+ }
+ }
+ for (int i = permissions.length; --i >= 0; ) {
+ hash += permissions[i].hashCode();
+ }
+ return hash;
+ }
+}
Propchange: incubator/river/jtsk/skunk/modules/river-platform/src/main/java/net/jini/security/VerifyingProxyPreparer.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: incubator/river/jtsk/skunk/modules/river-platform/src/main/java/net/jini/security/package.html
URL: http://svn.apache.org/viewvc/incubator/river/jtsk/skunk/modules/river-platform/src/main/java/net/jini/security/package.html?rev=1058501&view=auto
==============================================================================
--- incubator/river/jtsk/skunk/modules/river-platform/src/main/java/net/jini/security/package.html (added)
+++ incubator/river/jtsk/skunk/modules/river-platform/src/main/java/net/jini/security/package.html Thu Jan 13 11:02:13 2011
@@ -0,0 +1,217 @@
+<!--
+ ! Licensed to the Apache Software Foundation (ASF) under one
+ ! or more contributor license agreements. See the NOTICE file
+ ! distributed with this work for additional information
+ ! regarding copyright ownership. The ASF licenses this file
+ ! to you under the Apache License, Version 2.0 (the
+ ! "License"); you may not use this file except in compliance
+ ! with the License. You may obtain a copy of the License at
+ !
+ ! http://www.apache.org/licenses/LICENSE-2.0
+ !
+ ! Unless required by applicable law or agreed to in writing, software
+ ! distributed under the License is distributed on an "AS IS" BASIS,
+ ! WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ! See the License for the specific language governing permissions and
+ ! limitations under the License.
+ !-->
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+
+
+</head>
+<body bgcolor="white">
+
+Provides mechanisms and abstractions for managing security, especially in the
+presence of dynamically downloaded code. The mechanisms include:
+<ul>
+<li>A provider-based mechanism for clients to verify that proxies can be
+trusted
+<li>A provider-based mechanism for verifying code integrity
+<li>A provider-based mechanism for clients to dynamically grant permissions
+to proxies
+</ul>
+
+<a name="programming_model"></a><h2>Programming Model</h2>
+
+When a client obtains a proxy from somewhere, normally the client should
+follow these three steps before making any remote calls through the proxy or
+handing any sensitive data to the proxy:
+<ul>
+<li>Verify that the proxy can be <a href="#proxy_trust">trusted</a>
+<li>Attach client
+<a href="../core/constraint/package-summary.html#constraints">constraints</a>
+to (a copy of) the proxy
+<li><a href="#dynamic_grants">Grant</a> permissions (such as
+{@link net.jini.security.AuthenticationPermission}) to the
+proxy
+</ul>
+The first step can be accomplished using
+{@link net.jini.security.Security#verifyObjectTrust
+Security.verifyObjectTrust}. The second step can be accomplished using
+{@link
+net.jini.core.constraint.RemoteMethodControl#setConstraints
+RemoteMethodControl.setConstraints};
+{@link net.jini.constraint.BasicMethodConstraints} is a basic
+implementation of
+{@link net.jini.core.constraint.MethodConstraints}. The last
+step can be accomplished using
+{@link net.jini.security.Security#grant Security.grant}.
+<p>
+Normally the client should be written in such a way that it can be configured
+to allow for variations in the steps used to prepare a proxy for subsequent
+use. The usual way is to obtain a
+{@link net.jini.security.ProxyPreparer} from a
+{@link net.jini.config.Configuration}, using as a default value
+a {@link net.jini.security.BasicProxyPreparer} that simply
+returns the proxy. The client can then be configured at deployment time to
+perform whatever steps are desired.
+<pre>
+Configuration config = ...;
+SomeService proxy = ...;
+ProxyPreparer preparer = (ProxyPreparer) config.getEntry(
+ "MyClient", "someServicePreparer",
+ ProxyPreparer.class, new BasicProxyPreparer());
+proxy = (SomeService) preparer.prepareProxy(proxy);
+</pre>
+<p>
+{@link net.jini.security.BasicProxyPreparer} can be used to
+perform all combinations of these three common steps of proxy preparation.
+
+<a name="proxy_trust"></a><h2>Proxy Trust</h2>
+
+The basic proxy trust issue can be seen with an example. Suppose the client
+wants to make a remote call through a proxy. The proxy implements the
+{@link net.jini.core.constraint.RemoteMethodControl} interface,
+and the client attaches constraints to the proxy, requiring the server to
+authenticate as a particular principal. If the proxy code has been dynamically
+downloaded, and the client does nothing to verify that it trusts the proxy,
+then the downloaded code might simply ignore the client's constraints and
+perform no authentication at all. The proxy code might also corrupt the data
+being passed in the call, or perform some other unintended operation.
+<p>
+The client needs some way to decide that it trusts a proxy. Rather than
+mandating any specific mechanism(s), a pluggable framework is provided.
+The client calls
+{@link net.jini.security.Security#verifyObjectTrust
+Security.verifyObjectTrust}, passing the proxy and a caller context collection
+that typically contains a
+{@link net.jini.core.constraint.MethodConstraints} instance.
+This method uses whatever
+{@link net.jini.security.TrustVerifier} instances have been
+configured to determine if the proxy can be trusted; if any verifier says
+that it trusts the proxy, then the proxy is assumed to be trusted. If no
+verifier trusts the proxy, a <code>SecurityException</code> is thrown. The
+caller context collection contains whatever context information might be
+required by verifiers; a <code>MethodConstraints</code> element in the
+collection is typically used to control any calls to the remote server that
+are made by verifiers.
+<p>
+A baseline for deciding a proxy can be trusted is to examine the proxy and
+all of its constituent objects, excluding the client constraints, to ensure
+that they are all instances of locally trusted (typically, not downloaded)
+classes, containing trusted data. For example,
+{@link net.jini.jeri.BasicJeriTrustVerifier} provides this
+baseline for basic dynamic proxies of remote objects exported to use Jini
+extensible remote invocation (Jini ERI), in conjunction with
+{@link net.jini.constraint.ConstraintTrustVerifier}, which
+verifies the standard constraints.
+{@link net.jini.security.proxytrust.ProxyTrustVerifier} depends
+on this baseline as a bootstrap, but ultimately asks the server if it trusts
+the proxy.
+<p>
+The client constraints are excluded from the trust verification of a proxy
+because it is assumed that the caller will subsequently either replace them
+with its own constraints that are known to be trusted, or has independently
+decided to trust the existing client constraints.
+<p>
+Note that trust verification does not prevent denial-of-service attacks. If a
+proxy that uses untrusted code is unmarshalled, the untrusted code can execute
+before trust verification takes place. In deployments where the trusted
+sources of downloaded code are known in advance, the
+{@link net.jini.loader.pref.RequireDlPermProvider} can be used
+to prevent code downloading from untrusted sources.
+
+<a name="dynamic_grants"></a><h2>Dynamic Permission Grants</h2>
+
+Once a client decides that it trusts a proxy, it may need to grant additional
+permissions (such as
+{@link net.jini.security.AuthenticationPermission}) to that
+proxy, so that subsequent calls to the proxy operate correctly. It is
+important to delay granting such permissions until after the trust decision,
+so that an untrusted proxy cannot abuse the grants in a way that might cause
+harm.
+<p>
+Dynamic grants require support from the {@link java.security.Policy} provider.
+The {@link net.jini.security.policy} package provides a standard
+interface for security policy providers capable of dynamic permission grants,
+as well as a set of composable security policy providers supporting dynamic
+permission grants and aggregation of multiple security policies in a single
+virtual machine.
+<p>
+{@link net.jini.security.Security#grantSupported
+Security.grantSupported} can be used to determine if the installed security
+policy supports dynamic grants, and
+{@link net.jini.security.Security#grant Security.grant} can
+be used to make dynamic permission grants. The typical use is to grant
+permissions to the class loader of the proxy object's top-level class,
+coupled with the principals of the currently executing subject:
+<pre>
+SomeService proxy = ...;
+Permission[] grants = ...;
+Security.grant(proxy.getClass(), grants);
+</pre>
+In order to dynamically grant a permission, the client itself must have the
+corresponding {@link net.jini.security.GrantPermission}.
+Because the dynamic grant is coupled with the current subject, proxy code must
+assume that actions executed using
+{@link java.security.AccessController#doPrivileged
+AccessController.doPrivileged} will not have the granted permissions (because
+that method executes the action with no subject);
+{@link net.jini.security.Security#doPrivileged
+Security.doPrivileged} should be used instead to maintain the current subject
+and thereby enable privileges in a way that retains the granted permissions.
+
+<a name="code_integrity"></a><h2>Code Integrity</h2>
+
+As described in the {@link net.jini.core.constraint.Integrity}
+constraint class, for a remote call to have integrity, both code and data must
+have integrity, and a common technique is to use codebase URLs that provide
+content integrity. Rather than mandating which URLs provide content integrity,
+a pluggable framework is provided, and
+{@link net.jini.security.Security#verifyCodebaseIntegrity
+Security.verifyCodebaseIntegrity} can be used to determine if all of the
+URLs in a codebase provide content integrity, based on whatever
+{@link net.jini.security.IntegrityVerifier} instances
+have been configured. Application code normally does not call this method
+directly; rather, it is called by the input streams (such as
+{@link net.jini.io.MarshalInputStream}) used to unmarshal
+objects during a remote call. The
+{@link net.jini.url.httpmd.HttpmdIntegrityVerifier},
+{@link net.jini.url.https.HttpsIntegrityVerifier}, and
+{@link net.jini.url.file.FileIntegrityVerifier} classes are
+provided to verify the integrity of HTTPMD, HTTPS, and FILE URLs, respectively.
+
+@since 2.0
+@version 2.0
+
+<!--
+<h2>Package Specification</h2>
+
+##### FILL IN ANY SPECS NEEDED BY JAVA COMPATIBILITY KIT #####
+<ul>
+ <li><a href="">##### REFER TO ANY FRAMEMAKER SPECIFICATION HERE #####</a>
+</ul>
+
+<h2>Related Documentation</h2>
+
+For overviews, tutorials, examples, guides, and tool documentation, please see:
+<ul>
+ <li><a href="">##### REFER TO NON-SPEC DOCUMENTATION HERE #####</a>
+</ul>
+-->
+
+</body>
+</html>
Propchange: incubator/river/jtsk/skunk/modules/river-platform/src/main/java/net/jini/security/package.html
------------------------------------------------------------------------------
svn:eol-style = native