You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@river.apache.org by pe...@apache.org on 2010/05/12 12:54:24 UTC
svn commit: r943444 - in
/incubator/river/jtsk/trunk/src/org/apache/river/imp/security/policy:
concurrent/DynamicConcurrentPolicyProvider.java util/PolicyEntry.java
util/PolicyUtils.java
Author: peter_firmstone
Date: Wed May 12 10:54:23 2010
New Revision: 943444
URL: http://svn.apache.org/viewvc?rev=943444&view=rev
Log:
River-323 Just some more refactoring still experiencing failled tests
This will break some tests causing a failled Hudson build, however I think it best to get the code out there, so I can get some assistance.
By default the qa tests now utilise the ConcurrentDynamicPolicyProvider and DynamicPolicyProvider uses a pluggable SPI.
Modified:
incubator/river/jtsk/trunk/src/org/apache/river/imp/security/policy/concurrent/DynamicConcurrentPolicyProvider.java
incubator/river/jtsk/trunk/src/org/apache/river/imp/security/policy/util/PolicyEntry.java
incubator/river/jtsk/trunk/src/org/apache/river/imp/security/policy/util/PolicyUtils.java
Modified: incubator/river/jtsk/trunk/src/org/apache/river/imp/security/policy/concurrent/DynamicConcurrentPolicyProvider.java
URL: http://svn.apache.org/viewvc/incubator/river/jtsk/trunk/src/org/apache/river/imp/security/policy/concurrent/DynamicConcurrentPolicyProvider.java?rev=943444&r1=943443&r2=943444&view=diff
==============================================================================
--- incubator/river/jtsk/trunk/src/org/apache/river/imp/security/policy/concurrent/DynamicConcurrentPolicyProvider.java (original)
+++ incubator/river/jtsk/trunk/src/org/apache/river/imp/security/policy/concurrent/DynamicConcurrentPolicyProvider.java Wed May 12 10:54:23 2010
@@ -294,7 +294,7 @@ public class DynamicConcurrentPolicyProv
// //if (pc == null) pc = new ConcurrentPermissions();
// if (pc == null) pc = new Permissions();
//// if (!(pc instanceof ConcurrentPermissions)) {
-//// pc = PolicyUtils.toConcurrentPermissions(pc);
+//// pc = PolicyUtils.toConcurrentPermissionsCopy(pc);
//// }
// PermissionCollection existed = cache.putIfAbsent(domain, pc);
// if ( !(existed == null) ){ pc = existed;} //Another thread might have just done it!
@@ -335,13 +335,15 @@ public class DynamicConcurrentPolicyProv
pc = cache.get(domain); // saves new object creation.
if (pc == null){
pc = basePolicy.getPermissions(domain);
- if (pc == null) pc = new ConcurrentPermissions();
-// if (pc == null) pc = new Permissions();
- if (!(pc instanceof ConcurrentPermissions)) {
- pc = PolicyUtils.toConcurrentPermissions(pc);
- }
+ /* Don't use the underlying policy permission collection otherwise
+ * we can leak grants in to the underlying policy from our cache,
+ * this could then be merged into the PermissionDomain's permission
+ * cache negating the possiblity of revoking the permission. This
+ * PolicyUtils method defensively copies or creates new if null.
+ */
+ pc = PolicyUtils.toConcurrentPermissionsCopy(pc);
PermissionCollection existed = cache.putIfAbsent(domain, pc);
- if ( !(existed == null) ){ pc = existed;} //Another thread might have just done it!
+ if ( (existed != null) ){ pc = existed;} //Another thread might have just done it!
}
Iterator<Permission> dgpi = dynamicallyGrantedPermissions.iterator();
while (dgpi.hasNext()){
Modified: incubator/river/jtsk/trunk/src/org/apache/river/imp/security/policy/util/PolicyEntry.java
URL: http://svn.apache.org/viewvc/incubator/river/jtsk/trunk/src/org/apache/river/imp/security/policy/util/PolicyEntry.java?rev=943444&r1=943443&r2=943444&view=diff
==============================================================================
--- incubator/river/jtsk/trunk/src/org/apache/river/imp/security/policy/util/PolicyEntry.java (original)
+++ incubator/river/jtsk/trunk/src/org/apache/river/imp/security/policy/util/PolicyEntry.java Wed May 12 10:54:23 2010
@@ -101,11 +101,6 @@ public final class PolicyEntry {
public PolicyEntry(ProtectionDomain pd, Collection<? extends Principal> prs,
Collection<? extends Permission> permissions ){
- CodeSource cs = null;
- if (pd != null){
- cs = pd.getCodeSource();
- }
- this.cs = (cs != null) ? normalizeCodeSource(cs) : null;
if ( prs == null || prs.isEmpty()) {
this.principals = Collections.emptyList(); // Java 1.5
}else{
@@ -118,18 +113,26 @@ public final class PolicyEntry {
this.permissions = new HashSet<Permission>(permissions.size());
this.permissions.addAll(permissions);
}
- domain = new WeakReference<ProtectionDomain>(pd);
- hasDomain = ( pd != null);
/* Effectively immutable, this will make any hash this is contained in perform.
* May need to consider Serializable for this class yet, we'll see.
*/
if (pd == null){
+ hasDomain = false;
+ domain = null;
+ cs = null;
hashcode = (principals.hashCode() + this.permissions.hashCode()
- Boolean.valueOf(hasDomain).hashCode());
} else {
- int codeBaseHash = 0;
- if (cs != null){
- codeBaseHash = cs.hashCode();
+ hasDomain = true;
+ domain = new WeakReference<ProtectionDomain>(pd);
+ CodeSource code = pd.getCodeSource();
+ int codeBaseHash;
+ if (code != null){
+ codeBaseHash = code.hashCode();
+ cs = normalizeCodeSource(code);
+ } else {
+ cs = null;
+ codeBaseHash = 0;
}
hashcode = (pd.hashCode() + principals.hashCode()
+ this.permissions.hashCode() + codeBaseHash
@@ -181,13 +184,15 @@ public final class PolicyEntry {
* Checks if specified Principals match this PolicyEntry. Null or empty set
* of Principals of PolicyEntry implies any Principals; otherwise specified
* array must contain all Principals of this PolicyEntry.
+ * @param prs
+ * @return
*/
public boolean impliesPrincipals(Principal[] prs) {
- // return PolicyUtils.matchSubset(principals, prs);
- if ( principals.isEmpty()) return true;
- if ( prs == null || prs.length == 0 ) return false;
- List<Principal> princp = Arrays.asList(prs);
- return princp.containsAll(principals);
+ return PolicyUtils.matchSubset(principals.toArray(new Principal[principals.size()]), prs);
+// if ( principals.isEmpty()) return true;
+// if ( prs == null || prs.length == 0 ) return false;
+// List<Principal> princp = Arrays.asList(prs);
+// return princp.containsAll(principals);
}
/**
Modified: incubator/river/jtsk/trunk/src/org/apache/river/imp/security/policy/util/PolicyUtils.java
URL: http://svn.apache.org/viewvc/incubator/river/jtsk/trunk/src/org/apache/river/imp/security/policy/util/PolicyUtils.java?rev=943444&r1=943443&r2=943444&view=diff
==============================================================================
--- incubator/river/jtsk/trunk/src/org/apache/river/imp/security/policy/util/PolicyUtils.java (original)
+++ incubator/river/jtsk/trunk/src/org/apache/river/imp/security/policy/util/PolicyUtils.java Wed May 12 10:54:23 2010
@@ -552,16 +552,17 @@ public class PolicyUtils {
}
/**
- * Converts common-purpose homegeneous or heterogeneous PermissionCollection
- * to a hetergeneous PermissionCollection.
+ * Copies a common-purpose homegeneous or heterogeneous PermissionCollection
+ * to a hetergeneous PermissionCollection based on ConcurrentPermissions.
*
- * @param perms a PermissionCollection containing arbitrary permissions.
+ * @param perms a PermissionCollection containing arbitrary permissions. Null
+ * is permitted.
* @return mutable heterogeneous PermissionCollection containing all Permissions
- * from the specified PermissionCollection
+ * from the specified PermissionCollection. An empty PermissionCollection
+ * is returned if parameter is null.
*/
public static PermissionCollection
- toConcurrentPermissions(PermissionCollection perms) {
- if (perms instanceof ConcurrentPermissions) return perms;
+ toConcurrentPermissionsCopy(PermissionCollection perms) {
PermissionCollection pc = new ConcurrentPermissions();
if (perms != null) {
Enumeration<Permission> iter = perms.elements();