You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@river.apache.org by Peter Firmstone <ji...@zeus.net.au> on 2010/06/27 23:24:41 UTC

Proxy Trust & Code base Provisioning using Maven.

Hi,

Just thought I'd start a conversation about proxy trust.

net.jini.security has mechanisms to establish proxy trust.

 From the package discussion:

    Note that trust verification does not prevent denial-of-service
    attacks. If a proxy that uses untrusted code is unmarshalled, the
    untrusted code can execute before trust verification takes place. In
    deployments where the trusted sources of downloaded code are known
    in advance, the |RequireDlPermProvider|
    <http://www.gigaspaces.com/docs/JiniApi/net/jini/loader/pref/RequireDlPermProvider.html>
    can be used to prevent code downloading from untrusted sources.


I'd like to continue the discussion we were having about using Maven to 
provision code.

If n CodeSource Entry, can advertise what archives and versions are 
required, then we can also narrow our lookup results to reduce codebase 
downloads too.  But as Dennis suggested this can be used to provision 
trusted code.

Note the new mechanisms I've provided in RevokeableDyanmicPolicy allow 
trust to be changed, this might change base on events, in response to 
vulnerabilities.  It can also be used to grant levels of trust to 
CodeSources signed by trusted developers, prior to downloading those 
sources.  I'd also like to adopt OSGi's method of Documenting the 
Permission's required by a jar archive, in the Jar archive itself and 
restricting the permissions it can attain to those alone.

There is both Code Trust and Subject Trust to contend with.

One trusted code has been provisioned, then the ProxyTrust process can 
be followed as usual.

To quote net.jini.security again:

    When a client obtains a proxy from somewhere, normally the client
    should follow these three steps before making any remote calls
    through the proxy or handing any sensitive data to the proxy:

        * Verify that the proxy can be trusted
          <http://www.gigaspaces.com/docs/JiniApi/net/jini/security/package-summary.html#proxy_trust>

        * Attach client constraints
          <http://www.gigaspaces.com/docs/JiniApi/net/jini/core/constraint/package-summary.html#constraints>
          to (a copy of) the proxy
        * Grant
          <http://www.gigaspaces.com/docs/JiniApi/net/jini/security/package-summary.html#dynamic_grants>
          permissions (such as |AuthenticationPermission|
          <http://www.gigaspaces.com/docs/JiniApi/net/jini/security/AuthenticationPermission.html>)
          to the proxy

    The first step can be accomplished using
    |Security.verifyObjectTrust|
    <http://www.gigaspaces.com/docs/JiniApi/net/jini/security/Security.html#verifyObjectTrust%28java.lang.Object,%20java.lang.ClassLoader,%20java.util.Collection%29>.
    The second step can be accomplished using
    |RemoteMethodControl.setConstraints|
    <http://www.gigaspaces.com/docs/JiniApi/net/jini/core/constraint/RemoteMethodControl.html#setConstraints%28net.jini.core.constraint.MethodConstraints%29>;
    |BasicMethodConstraints|
    <http://www.gigaspaces.com/docs/JiniApi/net/jini/constraint/BasicMethodConstraints.html>
    is a basic implementation of |MethodConstraints|
    <http://www.gigaspaces.com/docs/JiniApi/net/jini/core/constraint/MethodConstraints.html>.
    The last step can be accomplished using |Security.grant|
    <http://www.gigaspaces.com/docs/JiniApi/net/jini/security/Security.html#grant%28java.lang.Class,%20java.security.Permission%5B%5D%29>.

Regards,

Peter.