You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@aries.apache.org by Peter Firmstone <pe...@zeus.net.au> on 2022/02/18 08:21:57 UTC
Isolation of dynamically downloaded service proxy code
Hi,
I'm looking to solve a difficult long term problem using OSGi Subprocess
Isolation. This code has a history dating back to the late 90s and in
the last couple of years, ported to OSGi, all modules are also OSGi
bundles. There are downstream developers currently using it with OSGi.
https://github.com/pfirmstone/JGDMS/wiki/OSGi-and-JGDMS
A basic description: multiple entities cooperating over networks using
services. Clients lookup services and use them, share them, listen for
events, these services have proxy bundles, loaded just prior to
unmarshaling of proxy objects. Multiple services may use the same
bundle version, however we need to keep proxy bundles separate in their
own namespace, as these services may be provided by separate companies
or individuals.
Some background on the software platform and the problem:
1. Distributed service architecture, using Java and dynamic code,
predates OSGi remote services.
2. Contains a Service provider implementation; uses the same META-INF
jar declaration of Java SPI, but predates it. This service provider
has been since modified to export OSGi services, when OSGi is used.
3. Uses Java serialization stream protocol for marshaling objects, but
doesn't support serialized object graphs with circular references,
is a re-implementation of Java serialization. Uses a constructor
signature for deserialization. Validates input, type checks
parameters, atomic failure to prevent gadget attacks. Also
authenticates remote endpoint and associates principles with thread
performing de-serialization, for authorization to de-serialize.
4. Assigns ClassLoaders to both local and remote network connection
Endpoints, allows identical bundles to be used so that class
resolution is identical, once the connection is set up, class
resolution is determined by the Endpoint ClassLoader. A provider
interface ProxyCodebaseSpi (an OSGi service) is used to provide the
Endpoint ClassLoader, a CodebaseAccessor (remote service) is passed
to ProxyCodebaseSpi, from which it obtains information pertaining to
the proxy codebase.
5. CodebaseAccessor remote service, provides a URI string and code
signer certficates and is also used for authentication of the remote
service, prior to the ProxyCodebaseSpi wiring up and bundles for the
service proxy.
6. Uses an extensible communication layer and supports TLSv1.3 with
stateless session tickets, as well as HTTPS and Kerberos.
7. User Subject principals are obtained from the AccessControlContext
of threads calling the Endpoints for authentication, threads in the
remote JVM run with user principals authenticated from the local
jvm, for authorization and access.
8. Service proxy requires its own identity and namespace. The identity
of the service proxy is represented by the ClassLoader for the
proxy, permissions are granted dynamically at runtime.
9. Other services with different identity may use the same proxy
bundles, but must not share.
10. The Service API bundle must be shared between client code and proxy
code, so that client and proxy code share common interfaces. Client
and proxy depend on the service api bundle. Proxy bundle is private
implementation.
11. A client may use many remote services, with different server
subjects, however their proxy codebase bundles may be identical, but
must not be shared. Investigating using subprocess isolation.
12. Distributed service registry's (lookup services) are discovered
dynamically over IPv6 multicast. Local network request and
announcement protocols. Global network announce protocol.
The software platform can be found here: https://github.com/pfirmstone/JGDMS
I'm learning how to use the ESA Maven plugin and have created a couple
of ESA archives, for a service and its proxy, this is the lookup service:
https://github.com/pfirmstone/JGDMS/tree/trunk/JGDMS/services/reggie
Thanks in advance for any suggestions or recommendations.
--
Regards,
Peter