You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@river.apache.org by pe...@apache.org on 2012/01/09 14:12:54 UTC
svn commit: r1229137 [1/3] - in /river/jtsk/skunk/peterConcurrentPolicy:
qa/harness/policy/ qa/src/com/sun/jini/qa/harness/
qa/src/com/sun/jini/qa/resources/ qa/src/com/sun/jini/test/impl/start/
qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovid...
Author: peter_firmstone
Date: Mon Jan 9 13:12:52 2012
New Revision: 1229137
URL: http://svn.apache.org/viewvc?rev=1229137&view=rev
Log:
River-323.
Removed caches from the policy providers DynamicPolicyProvider and ConcurrentPolicyFile. Added a new Interface ConcurrentPolicy and set up the QA tests to execute with a SecurityManager from startup, this required adding some additional permission grants to some policy files.
Tidy up some corner cases with URLGrant and DelegateCombinerSecurityManager, setting context classloader for Executor threads, and avoiding circular permission checks, so all tests now pass.
Added a background garbage cleaning Executor to ReferenceProcessor.
Added:
river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/securityexceptionconstructornoaccessclass.properties (with props)
river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/ConcurrentPolicy.java (with props)
Removed:
river/jtsk/skunk/peterConcurrentPolicy/test/src/org/apache/river/impl/security/policy/se/
Modified:
river/jtsk/skunk/peterConcurrentPolicy/qa/harness/policy/defaultsharedvm.policy
river/jtsk/skunk/peterConcurrentPolicy/qa/harness/policy/defaulttest.policy
river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/qa/harness/MergedPolicyProvider.java
river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/qa/resources/qaDefaults.properties
river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/SecurityTest.td
river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/ServiceStarterCreateBadTransientServiceTest.td
river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/SharedActivationPolicyPermissionActionsTest.td
river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/GetContextTest.policy
river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/GetContextTest.td
river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/SubPoliciesTest.0.policy
river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/resources/jinitest.policy
river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/jeri/transport/resources/ssl.policy
river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/GrantNoPrincipalCase01.td
river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/SecurityExceptionConstructorNoAccessClass.td
river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/policyProviderGrant01.policy
river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/policyProviderGrant01.policy
river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/start/AggregatePolicyProvider.java
river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/start/LoaderSplitPolicyProvider.java
river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/start/SharedActivationPolicyPermission.java
river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/BasicInvocationDispatcher.java
river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/ConcurrentPermissions.java
river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/DynamicPermissionCollection.java
river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/PermissionComparator.java
river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/PermissionPendingResolutionCollection.java
river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/ConcurrentPolicyFile.java
river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/DynamicPolicyProvider.java
river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/DelegateCombinerSecurityManager.java
river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/PermissionGrant.java
river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/PermissionGrantBuilderImp.java
river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/PrincipalGrant.java
river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/URIGrant.java
river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/security/policy/util/DefaultPolicyParser.java
river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/security/policy/util/DefaultPolicyScanner.java
river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/security/policy/util/Messages.java
river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/security/policy/util/PolicyUtils.java
river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/util/RC.java
river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/util/ReferenceCollection.java
river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/util/ReferenceIterator.java
river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/util/ReferenceList.java
river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/util/ReferenceMap.java
river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/util/ReferenceProcessor.java
river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/util/ReferenceSet.java
river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/util/ReferencedQueue.java
river/jtsk/skunk/peterConcurrentPolicy/test/src/net/jini/security/DynamicPermissionCollectionTest.java
river/jtsk/skunk/peterConcurrentPolicy/test/src/org/apache/river/impl/security/policy/util/DefaultPolicyParserTest.java
river/jtsk/skunk/peterConcurrentPolicy/test/src/org/apache/river/impl/util/ReferenceCollectionTest.java
Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/harness/policy/defaultsharedvm.policy
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/harness/policy/defaultsharedvm.policy?rev=1229137&r1=1229136&r2=1229137&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/harness/policy/defaultsharedvm.policy (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/harness/policy/defaultsharedvm.policy Mon Jan 9 13:12:52 2012
@@ -18,6 +18,12 @@ grant codebase "file:${com.sun.jini.jsk.
permission java.security.AllPermission "", "";
};
+grant {
+ permission com.sun.jini.phoenix.ExecOptionPermission "*";
+ // for a start test
+ permission com.sun.jini.phoenix.ExecPermission "/bin/javax";
+};
+
grant principal javax.security.auth.x500.X500Principal "CN=Phoenix"
{
permission com.sun.jini.phoenix.InstantiatorPermission "*";
@@ -28,7 +34,7 @@ grant principal javax.security.auth.kerb
permission com.sun.jini.phoenix.InstantiatorPermission "*";
};
-grant codebase "file:${com.sun.jini.qa.home}${/}lib{/}harness-killer.jar" {
+grant codebase "file:${com.sun.jini.qa.home}${/}lib${/}harness-killer.jar" {
permission com.sun.jini.start.SharedActivationPolicyPermission "jar:file:${com.sun.jini.qa.harness.harnessJar}!/harness/policy/all.policy";
permission com.sun.jini.start.SharedActivationPolicyPermission "jar:file:${com.sun.jini.qa.harness.harnessJar}!/harness/policy/policy.all";
};
Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/harness/policy/defaulttest.policy
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/harness/policy/defaulttest.policy?rev=1229137&r1=1229136&r2=1229137&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/harness/policy/defaulttest.policy (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/harness/policy/defaulttest.policy Mon Jan 9 13:12:52 2012
@@ -74,9 +74,20 @@ grant {
// needed by some io tests
grant {
- permission java.lang.AllPermission "", "";
permission java.lang.RuntimePermission "setIO";
permission java.lang.RuntimePermission "setFactory";
permission java.net.SocketPermission "*:1024-", "connect,accept";
permission java.util.PropertyPermission "com.sun.jini.qa.spec.io.util.FakeIntegrityVerifier.throwException", "write";
};
+
+// needed when using a SecurityManager from command line
+
+grant {
+ permission java.io.FilePermission "-", "read";
+};
+
+grant {
+ permission com.sun.jini.phoenix.ExecOptionPermission "*";
+ // for a start test
+ permission com.sun.jini.phoenix.ExecPermission "/bin/javax";
+};
Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/qa/harness/MergedPolicyProvider.java
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/qa/harness/MergedPolicyProvider.java?rev=1229137&r1=1229136&r2=1229137&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/qa/harness/MergedPolicyProvider.java (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/qa/harness/MergedPolicyProvider.java Mon Jan 9 13:12:52 2012
@@ -29,12 +29,16 @@ import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
+import java.util.List;
import java.util.StringTokenizer;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
+import net.jini.security.ConcurrentPermissions;
+import net.jini.security.policy.ConcurrentPolicy;
import net.jini.security.policy.PolicyInitializationException;
import net.jini.security.policy.PolicyFileProvider;
+import org.apache.river.api.security.PermissionGrant;
/**
* Security policy provider that delegates to a collection of underlying
@@ -44,11 +48,11 @@ import net.jini.security.policy.PolicyFi
* access to the same file, a check for read,write access would still
* fail.
*/
-public class MergedPolicyProvider extends Policy {
+public class MergedPolicyProvider extends Policy implements ConcurrentPolicy{
/** class state */
- private static final Lock lock = new ReentrantLock();; // protects first
- private static boolean first = false; // Why is first static?
+// private static final Lock lock = new ReentrantLock();; // protects first
+// private static boolean first = false; // Why is first static?
/** the collection of underlying policies */
private final Collection<Policy> policies ;
@@ -111,25 +115,37 @@ public class MergedPolicyProvider extend
* @param source the <code>CodeSource</code>
*/
public PermissionCollection getPermissions(CodeSource source) {
- Iterator it = policies.iterator();
- if (it.hasNext()) {
- PermissionCollection pc =
- ((Policy) it.next()).getPermissions(source);
- while (it.hasNext()) {
- PermissionCollection pc2 =
- ((Policy) it.next()).getPermissions(source);
- Enumeration en = pc2.elements();
- while (en.hasMoreElements()) {
- Permission perm = (Permission) en.nextElement();
- if (!pc.implies(perm)) {
- pc.add(perm);
- }
- }
- }
- return pc;
- } else {
- throw new IllegalStateException("No policies in provider");
- }
+ if (policies.isEmpty()) throw new IllegalStateException("No policies in provider");
+ PermissionCollection pc = new ConcurrentPermissions();
+ Iterator<Policy> it = policies.iterator();
+ while (it.hasNext()){
+ Policy policy = it.next();
+ PermissionCollection col = policy.getPermissions(source);
+ Enumeration<Permission> e = col.elements();
+ while(e.hasMoreElements()){
+ pc.add(e.nextElement());
+ }
+ }
+ return pc;
+// Iterator it = policies.iterator();
+// if (it.hasNext()) {
+// PermissionCollection pc =
+// ((Policy) it.next()).getPermissions(source);
+// while (it.hasNext()) {
+// PermissionCollection pc2 =
+// ((Policy) it.next()).getPermissions(source);
+// Enumeration en = pc2.elements();
+// while (en.hasMoreElements()) {
+// Permission perm = (Permission) en.nextElement();
+// if (!pc.implies(perm)) {
+// pc.add(perm);
+// }
+// }
+// }
+// return pc;
+// } else {
+// throw new IllegalStateException("No policies in provider");
+// }
}
/**
@@ -139,60 +155,76 @@ public class MergedPolicyProvider extend
*
* @param domain the <code>ProtectionDomain</code>
*/
+// public PermissionCollection getPermissions(ProtectionDomain domain) {
+// Iterator it = policies.iterator();
+// ArrayList list = new ArrayList(64);
+// boolean first = false;
+//// lock.lock();
+//// try {
+// if (it.hasNext()) {
+// PermissionCollection pc =
+// ((Policy) it.next()).getPermissions(domain);
+// if (first) {
+// first = false;
+// Enumeration en = pc.elements();
+// list.add("BASE PERMISSIONS for domain " + domain);
+// while (en.hasMoreElements()) {
+// Permission perm = (Permission) en.nextElement();
+// list.add(perm.toString());
+// }
+// first = true;
+// }
+// while (it.hasNext()) {
+// PermissionCollection pc2 =
+// ((Policy) it.next()).getPermissions(domain);
+// Enumeration en = pc2.elements();
+// while (en.hasMoreElements()) {
+// Permission perm = (Permission) en.nextElement();
+// if (!pc.implies(perm)) {
+// if (first) {
+// first = false;
+// list.add("checking " + perm + " and adding");
+// first = true;
+// }
+// pc.add(perm);
+// } else {
+// if (first) {
+// first = false;
+// list.add("checking " + perm + " and not adding");
+// first = true;
+// }
+// }
+// }
+// }
+// if (first) {
+// first = false;
+// for (int i = 0; i < list.size(); i++) {
+// System.out.println((String) list.get(i));
+// }
+// first = true;
+// }
+// return pc;
+// } else {
+// throw new IllegalStateException("No policies in provider");
+// }
+//// }finally{
+//// lock.unlock();
+//// }
+// }
+
public PermissionCollection getPermissions(ProtectionDomain domain) {
- Iterator it = policies.iterator();
- ArrayList list = new ArrayList(64);
- lock.lock();
- try {
- if (it.hasNext()) {
- PermissionCollection pc =
- ((Policy) it.next()).getPermissions(domain);
- if (first) {
- first = false;
- Enumeration en = pc.elements();
- list.add("BASE PERMISSIONS for domain " + domain);
- while (en.hasMoreElements()) {
- Permission perm = (Permission) en.nextElement();
- list.add(perm.toString());
- }
- first = true;
- }
- while (it.hasNext()) {
- PermissionCollection pc2 =
- ((Policy) it.next()).getPermissions(domain);
- Enumeration en = pc2.elements();
- while (en.hasMoreElements()) {
- Permission perm = (Permission) en.nextElement();
- if (!pc.implies(perm)) {
- if (first) {
- first = false;
- list.add("checking " + perm + " and adding");
- first = true;
- }
- pc.add(perm);
- } else {
- if (first) {
- first = false;
- list.add("checking " + perm + " and not adding");
- first = true;
- }
- }
- }
- }
- if (first) {
- first = false;
- for (int i = 0; i < list.size(); i++) {
- System.out.println((String) list.get(i));
- }
- first = true;
- }
- return pc;
- } else {
- throw new IllegalStateException("No policies in provider");
+ if (policies.isEmpty()) throw new IllegalStateException("No policies in provider");
+ PermissionCollection pc = new ConcurrentPermissions();
+ Iterator<Policy> it = policies.iterator();
+ while (it.hasNext()){
+ Policy policy = it.next();
+ PermissionCollection col = policy.getPermissions(domain);
+ Enumeration<Permission> e = col.elements();
+ while(e.hasMoreElements()){
+ pc.add(e.nextElement());
}
- }finally{
- lock.unlock();
}
+ return pc;
}
/**
@@ -227,4 +259,71 @@ public class MergedPolicyProvider extend
p.refresh();
}
}
+
+ @Override
+ public boolean isConcurrent() {
+ if (policies.isEmpty()) throw new IllegalStateException("No policies in provider");
+ Iterator<Policy> it = policies.iterator();
+ while (it.hasNext()){
+ Policy p = it.next();
+ if (p instanceof ConcurrentPolicy){
+ if (!((ConcurrentPolicy)p).isConcurrent()) return false;
+ } else {
+ return false;
+ }
+ }
+ return true;
+ }
+
+ public PermissionGrant[] getPermissionGrants(ProtectionDomain domain) {
+ if (policies.isEmpty()) throw new IllegalStateException("No policies in provider");
+ List<PermissionGrant[]> perms = new ArrayList<PermissionGrant[]>(policies.size());
+ Iterator<Policy> it = policies.iterator();
+ int arrayLength = 0;
+ while (it.hasNext()){
+ Policy p = it.next();
+ if (p instanceof ConcurrentPolicy){
+ PermissionGrant [] g = ((ConcurrentPolicy)p).getPermissionGrants(domain);
+ arrayLength = arrayLength + g.length;
+ perms.add(g);
+ }
+ }
+ PermissionGrant [] result = new PermissionGrant[arrayLength];
+ int index = 0;
+ Iterator<PermissionGrant[]> grants = perms.iterator();
+ while (grants.hasNext()){
+ PermissionGrant [] g = grants.next();
+ int l = g.length;
+ for (int i = 0; i < l; i++, index++){
+ result[index] = g[i];
+ }
+ }
+ return result;
+ }
+
+ public PermissionGrant[] getPermissionGrants() {
+ if (policies.isEmpty()) throw new IllegalStateException("No policies in provider");
+ List<PermissionGrant[]> perms = new ArrayList<PermissionGrant[]>(policies.size());
+ Iterator<Policy> it = policies.iterator();
+ int arrayLength = 0;
+ while (it.hasNext()){
+ Policy p = it.next();
+ if (p instanceof ConcurrentPolicy){
+ PermissionGrant [] g = ((ConcurrentPolicy)p).getPermissionGrants();
+ arrayLength = arrayLength + g.length;
+ perms.add(g);
+ }
+ }
+ PermissionGrant [] result = new PermissionGrant[arrayLength];
+ int index = 0;
+ Iterator<PermissionGrant[]> grants = perms.iterator();
+ while (grants.hasNext()){
+ PermissionGrant [] g = grants.next();
+ int l = g.length;
+ for (int i = 0; i < l; i++, index++){
+ result[index] = g[i];
+ }
+ }
+ return result;
+ }
}
Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/qa/resources/qaDefaults.properties
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/qa/resources/qaDefaults.properties?rev=1229137&r1=1229136&r2=1229137&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/qa/resources/qaDefaults.properties (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/qa/resources/qaDefaults.properties Mon Jan 9 13:12:52 2012
@@ -210,10 +210,11 @@ com.sun.jini.qa.harness.actdeathdelay=5
# system property if that property is defined. The '-OD' marker flags this
# property as optional. If the property is not defined as a system property
# or in any configuration file, then the property will not be set on the VM.
-#
+#
# You might find the following debugging options useful
# -Djava.security.debug=access:failure,\
# -Djava.security.manager=com.sun.jini.tool.ProfilingSecurityManager,\
+# -Djava.security.manager=org.apache.river.api.security.DelegateCombinerSecurityManager,\
# -Dpolicy.provider=net.jini.security.policy.DynamicPolicyProvider,\
# -Djava.security.manager=java.rmi.RMISecurityManager,\
Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/SecurityTest.td
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/SecurityTest.td?rev=1229137&r1=1229136&r2=1229137&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/SecurityTest.td (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/SecurityTest.td Mon Jan 9 13:12:52 2012
@@ -3,7 +3,10 @@ testCategories=start,start_impl
#testClasspath=${com.sun.jini.qa.home}$/lib$/harness.jar$:${com.sun.jini.qa.home}$/lib$/qa1-start-tests.jar$:${com.sun.jini.qa.home}$/lib$/$qajinidep$:${com.sun.jini.jsk.home}$/lib$/jsk-platform.jar
testClasspath=<harnessJar>$:<file:lib/qa1-start-tests.jar>$:${com.sun.jini.jsk.home}$/lib$/jsk-platform.jar$:${com.sun.jini.jsk.home}$/lib$/jsk-lib.jar
-
+#testjvmargs=\
+#-Xdebug,\
+#-Xrunjdwp:transport=dt_socket+,address=8000+,server=y+,suspend=y,\
+#${testjvmargs}
/*******************************************************************************
* Test-specific property files
@@ -15,7 +18,8 @@ com.sun.jini.test.impl.start.SecurityTes
com.sun.jini.test.impl.start.SecurityTest1.codebase=http://${HOST}:${com.sun.jini.test.port}/qa1-start-testservice1-dl.jar
com.sun.jini.test.impl.start.SecurityTest1.policyfile=<url:securityTest.testservice1.policy>
com.sun.jini.test.impl.start.SecurityTest1.log=none
-com.sun.jini.test.impl.start.SecurityTest1.serverjvmargs=
+com.sun.jini.test.impl.start.SecurityTest1.serverjvmargs=-Dnet.jini.security.policy.PolicyFileProvider.basePolicyClass=sun.security.provider.PolicyFile,\
+-Dnet.jini.security.policy.DynamicPolicyProvider.basePolicyClass=net.jini.security.policy.PolicyFileProvider
com.sun.jini.test.impl.start.SecurityTest1.serviceConfiguration=<url:configs/<config>/testservice.config>
com.sun.jini.test.impl.start.SecurityTest1.starterConfiguration=<url:configs/<config>/testservice.config>
com.sun.jini.test.impl.start.SecurityTest1.host=master
Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/ServiceStarterCreateBadTransientServiceTest.td
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/ServiceStarterCreateBadTransientServiceTest.td?rev=1229137&r1=1229136&r2=1229137&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/ServiceStarterCreateBadTransientServiceTest.td (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/ServiceStarterCreateBadTransientServiceTest.td Mon Jan 9 13:12:52 2012
@@ -1,3 +1,7 @@
testClass=ServiceStarterCreateBadTransientServiceTest
testCategories=start,start_impl
include0=start.properties
+#testjvmargs=\
+#-Xdebug,\
+#-Xrunjdwp:transport=dt_socket+,address=8000+,server=y+,suspend=y,\
+#${testjvmargs}
\ No newline at end of file
Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/SharedActivationPolicyPermissionActionsTest.td
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/SharedActivationPolicyPermissionActionsTest.td?rev=1229137&r1=1229136&r2=1229137&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/SharedActivationPolicyPermissionActionsTest.td (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/SharedActivationPolicyPermissionActionsTest.td Mon Jan 9 13:12:52 2012
@@ -1,3 +1,7 @@
testClass=SharedActivationPolicyPermissionActionsTest
testCategories=start,start_impl
include0=start.properties
+#testjvmargs=\
+#-Xdebug,\
+#-Xrunjdwp:transport=dt_socket+,address=8000+,server=y+,suspend=y,\
+#${testjvmargs}
Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/GetContextTest.policy
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/GetContextTest.policy?rev=1229137&r1=1229136&r2=1229137&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/GetContextTest.policy (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/GetContextTest.policy Mon Jan 9 13:12:52 2012
@@ -25,8 +25,14 @@ grant codebase "file:${com.sun.jini.qa.h
permission java.security.AllPermission "", "";
};
-grant codeBase "file:${java.home}/lib/ext/*" {
- permission java.security.AllPermission;
+//grant codeBase "file:${java.home}/lib/ext/*" {
+// permission java.security.AllPermission;
+//};
+
+// For SecurityManager used from command line
+grant codeBase "file:${com.sun.jini.qa.home}${/}lib${/}qa1-start-tests.jar" {
+ permission java.io.FilePermission "-", "read";
+ permission java.lang.RuntimePermission "getProtectionDomain";
};
grant {
Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/GetContextTest.td
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/GetContextTest.td?rev=1229137&r1=1229136&r2=1229137&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/GetContextTest.td (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/GetContextTest.td Mon Jan 9 13:12:52 2012
@@ -9,7 +9,6 @@ restoreContextJarFile=<file:lib/qa1-star
checkContextActionJarFile=<file:lib/qa1-start-cb3.jar>
include0=../start.properties
#testjvmargs=\
-#-Djava.security.debug=access,\
#-Xdebug,\
#-Xrunjdwp:transport=dt_socket+,address=8000+,server=y+,suspend=y,\
#${testjvmargs}
\ No newline at end of file
Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/SubPoliciesTest.0.policy
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/SubPoliciesTest.0.policy?rev=1229137&r1=1229136&r2=1229137&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/SubPoliciesTest.0.policy (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/SubPoliciesTest.0.policy Mon Jan 9 13:12:52 2012
@@ -25,8 +25,15 @@ grant codebase "file:${com.sun.jini.qa.h
permission java.security.AllPermission "", "";
};
-grant codeBase "file:${java.home}/lib/ext/*" {
- permission java.security.AllPermission;
+grant codeBase "file:${{java.ext.dirs}}/*" {
+ permission java.security.AllPermission;
+};
+
+
+// For SecurityManager used from command line
+grant codeBase "file:${com.sun.jini.qa.home}${/}lib${/}qa1-start-tests.jar" {
+ //permission java.io.FilePermission "-", "read";
+ permission java.lang.RuntimePermission "getProtectionDomain";
};
grant {
@@ -39,10 +46,12 @@ grant {
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.lang.RuntimePermission "setSecurityManager";
+ permission java.lang.RuntimePermission "getProtectionDomain";
permission java.util.PropertyPermission
"java.security.policy", "read,write";
permission java.security.SecurityPermission "getProperty.*";
permission java.security.SecurityPermission "setPolicy";
+ permission java.security.SecurityPermission "getPolicy";
permission java.util.PropertyPermission "*", "read";
};
Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/resources/jinitest.policy
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/resources/jinitest.policy?rev=1229137&r1=1229136&r2=1229137&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/resources/jinitest.policy (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/resources/jinitest.policy Mon Jan 9 13:12:52 2012
@@ -8,12 +8,19 @@ grant codebase "file:${com.sun.jini.test
};
grant {
- permission java.security.AllPermission "", "";
permission java.util.PropertyPermission "java.system.class.loader", "read";
permission java.io.FilePermission "${com.sun.jini.test.home}${/}lib${/}-", "read";
permission java.util.PropertyPermission "com.sun.jini.reggie.enableImplToStubReplacement", "read";
};
+grant {
+ permission com.sun.jini.phoenix.ExecOptionPermission "*";
+ // for a start test
+ permission com.sun.jini.phoenix.ExecPermission "/bin/javax";
+ permission java.util.PropertyPermission "FILEPOLICY02", "read";
+ permission java.security.SecurityPermission "getPolicy";
+};
+
grant codebase "file:${com.sun.jini.test.home}${/}lib${/}qa1-start-tests.jar" {
permission java.security.AllPermission "", "";
};
Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/jeri/transport/resources/ssl.policy
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/jeri/transport/resources/ssl.policy?rev=1229137&r1=1229136&r2=1229137&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/jeri/transport/resources/ssl.policy (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/jeri/transport/resources/ssl.policy Mon Jan 9 13:12:52 2012
@@ -43,6 +43,11 @@ grant principal "server" {
"accept,connect";
};
+grant {
+ permission java.lang.RuntimePermission "setIO";
+ permission java.lang.RuntimePermission "getenv.SOUL";
+};
+
/**
* The following grant is only used during test development when the
* tests do not reside inside qa1.jar
Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/GrantNoPrincipalCase01.td
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/GrantNoPrincipalCase01.td?rev=1229137&r1=1229136&r2=1229137&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/GrantNoPrincipalCase01.td (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/GrantNoPrincipalCase01.td Mon Jan 9 13:12:52 2012
@@ -4,3 +4,7 @@ testPolicyfile=policyProviderGrant01.pol
com.sun.jini.qa.harness.runkitserver=false
com.sun.jini.qa.harness.runjiniserver=false
com.sun.jini.qa.harness.securityproperties=<url: ../securityprovider.properties>
+#testjvmargs=\
+#-Xdebug,\
+#-Xrunjdwp:transport=dt_socket+,address=8000+,server=y+,suspend=y,\
+#${testjvmargs}
\ No newline at end of file
Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/SecurityExceptionConstructorNoAccessClass.td
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/SecurityExceptionConstructorNoAccessClass.td?rev=1229137&r1=1229136&r2=1229137&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/SecurityExceptionConstructorNoAccessClass.td (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/SecurityExceptionConstructorNoAccessClass.td Mon Jan 9 13:12:52 2012
@@ -3,4 +3,5 @@ testCategories=policyprovider,policyprov
testPolicyfile=policyProviderNoAccessClass.policy
com.sun.jini.qa.harness.runkitserver=false
com.sun.jini.qa.harness.runjiniserver=false
-com.sun.jini.qa.harness.securityproperties=<url: ../securityprovider.properties>
\ No newline at end of file
+com.sun.jini.qa.harness.securityproperties=<url: securityexceptionconstructornoaccessclass.properties>
+#com.sun.jini.qa.harness.securityproperties=<url: ../securityprovider.properties>
Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/policyProviderGrant01.policy
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/policyProviderGrant01.policy?rev=1229137&r1=1229136&r2=1229137&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/policyProviderGrant01.policy (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/policyProviderGrant01.policy Mon Jan 9 13:12:52 2012
@@ -23,6 +23,10 @@ grant codebase "file:${com.sun.jini.qa.h
//permission java.lang.RuntimePermission "modifyThreadGroup";
};
+grant codebase "file:${com.sun.jini.qa.home}${/}lib${/}jiniharness.jar" {
+ permission java.security.AllPermission "", "";
+};
+
grant codebase "file:${com.sun.jini.qa.home}${/}lib${/}jinitests.jar" {
};
@@ -58,6 +62,7 @@ grant {
permission java.security.SecurityPermission "getDomainCombiner";
permission java.security.SecurityPermission "createAccessControlContext";
permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
+ permission java.util.PropertyPermission "FILEPOLICY02", "read";
};
/*
Added: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/securityexceptionconstructornoaccessclass.properties
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/securityexceptionconstructornoaccessclass.properties?rev=1229137&view=auto
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/securityexceptionconstructornoaccessclass.properties (added)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/securityexceptionconstructornoaccessclass.properties Mon Jan 9 13:12:52 2012
@@ -0,0 +1,6 @@
+# Java security properties file which overrides the harness supplied
+# file so that the MergedPolicyProvider is not used, which would interfere
+# with the correct operation of these tests
+# The test only checks for permission to access class in package sun.security.provider
+net.jini.security.policy.DynamicPolicyProvider.basePolicyClass=net.jini.security.policy.PolicyFileProvider
+net.jini.security.policy.PolicyFileProvider.basePolicyClass=sun.security.provider.PolicyFile
\ No newline at end of file
Propchange: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/dynamicPolicyProvider/securityexceptionconstructornoaccessclass.properties
------------------------------------------------------------------------------
svn:eol-style = native
Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/policyProviderGrant01.policy
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/policyProviderGrant01.policy?rev=1229137&r1=1229136&r2=1229137&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/policyProviderGrant01.policy (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/policyProviderGrant01.policy Mon Jan 9 13:12:52 2012
@@ -19,6 +19,10 @@ grant codebase "file:${com.sun.jini.jsk.
permission java.security.AllPermission "", "";
};
+grant codebase "file:${com.sun.jini.qa.home}${/}lib${/}jiniharness.jar" {
+ permission java.security.AllPermission "", "";
+};
+
/* end grants required for SecurityManager during startup. */
grant {
Modified: river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/start/AggregatePolicyProvider.java
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/start/AggregatePolicyProvider.java?rev=1229137&r1=1229136&r2=1229137&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/start/AggregatePolicyProvider.java (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/start/AggregatePolicyProvider.java Mon Jan 9 13:12:52 2012
@@ -33,15 +33,18 @@ import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.Security;
import java.security.SecurityPermission;
+import java.util.Map;
+import java.util.WeakHashMap;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.locks.Lock;
-import java.util.concurrent.locks.ReadWriteLock;
-import java.util.concurrent.locks.ReentrantReadWriteLock;
+import java.util.concurrent.locks.ReentrantLock;
import net.jini.security.SecurityContext;
+import net.jini.security.policy.ConcurrentPolicy;
import net.jini.security.policy.DynamicPolicy;
import net.jini.security.policy.PolicyInitializationException;
import net.jini.security.policy.SecurityContextSource;
+import org.apache.river.api.security.PermissionGrant;
import org.apache.river.impl.util.RC;
import org.apache.river.impl.util.Ref;
import org.apache.river.impl.util.Referrer;
@@ -74,7 +77,7 @@ import org.apache.river.impl.util.Referr
* @since 2.0
*/
public class AggregatePolicyProvider
- extends Policy implements DynamicPolicy, SecurityContextSource
+ extends Policy implements DynamicPolicy, SecurityContextSource, ConcurrentPolicy
{
private static final String mainPolicyClassProperty =
"com.sun.jini.start.AggregatePolicyProvider.mainPolicyClass";
@@ -93,21 +96,19 @@ public class AggregatePolicyProvider
}
});
- private final ConcurrentMap<ClassLoader,Policy> subPolicies =
- RC.concurrentMap(
- new ConcurrentHashMap<Referrer<ClassLoader>,Referrer<Policy>>(),
- Ref.WEAK, Ref.STRONG);
+ private final Map<ClassLoader,Policy> subPolicies = new WeakHashMap<ClassLoader,Policy>();// protected by lock
// The cache is used to avoid repeat security checks, the subPolicies map
// cannot be used to cache child ClassLoaders because their policy could
// change if a policy is updated.
private final ConcurrentMap<ClassLoader,Policy> subPolicyChildClassLoaderCache = // put protected by policyRead
RC.concurrentMap( // clear protected by policyWrite
new ConcurrentHashMap<Referrer<ClassLoader>,Referrer<Policy>>(),
- Ref.WEAK, Ref.STRONG);
- private final ReadWriteLock policyUpdate = new ReentrantReadWriteLock();
- private final Lock policyRead = policyUpdate.readLock();
- private final Lock policyWrite = policyUpdate.writeLock();
- private Policy mainPolicy; // protected by policyUpdate
+ Ref.WEAK_IDENTITY, Ref.STRONG);
+// private final ReadWriteLock policyUpdate = new ReentrantReadWriteLock();
+// private final Lock policyRead = policyUpdate.readLock();
+// private final Lock policyWrite = policyUpdate.writeLock();
+ private final Lock lock = new ReentrantLock();
+ private volatile Policy mainPolicy; // protected by policyUpdate
/**
* Creates a new <code>AggregatePolicyProvider</code> instance, containing
@@ -230,6 +231,30 @@ public class AggregatePolicyProvider
public void refresh() {
getCurrentSubPolicy().refresh();
}
+
+ public boolean isConcurrent() {
+ Policy p = getCurrentSubPolicy();
+ if (p instanceof ConcurrentPolicy){
+ return ((ConcurrentPolicy)p).isConcurrent();
+ }
+ return false;
+ }
+
+ public PermissionGrant[] getPermissionGrants(ProtectionDomain domain) {
+ Policy p = getCurrentSubPolicy();
+ if (p instanceof ConcurrentPolicy){
+ return ((ConcurrentPolicy)p).getPermissionGrants(domain);
+ }
+ return new PermissionGrant[0];
+ }
+
+ public PermissionGrant[] getPermissionGrants() {
+ Policy p = getCurrentSubPolicy();
+ if (p instanceof ConcurrentPolicy){
+ return ((ConcurrentPolicy)p).getPermissionGrants();
+ }
+ return new PermissionGrant[0];
+ }
/**
* Changes sub-policy association with given class loader. If
@@ -258,7 +283,7 @@ public class AggregatePolicyProvider
if (sm != null) {
sm.checkPermission(new SecurityPermission("setPolicy"));
}
- policyWrite.lock();
+ lock.lock();
try {
if (loader != null) {
if (subPolicy != null) {
@@ -273,8 +298,9 @@ public class AggregatePolicyProvider
mainPolicy = subPolicy;
}
subPolicyChildClassLoaderCache.clear();
+ subPolicyChildClassLoaderCache.putAll(subPolicies);
} finally {
- policyWrite.unlock();
+ lock.unlock();
}
}
@@ -396,46 +422,39 @@ public class AggregatePolicyProvider
*/
private Policy getCurrentSubPolicy() {
final Thread t = Thread.currentThread();
- if (!trustGetContextClassLoader(t)) {
- policyRead.lock();
- try {
- return mainPolicy;
- }finally{
- policyRead.unlock();
- }
- }
- ClassLoader ccl = getContextClassLoader();
- Policy policy = subPolicies.get(ccl);
- if (policy == null) policy = subPolicyChildClassLoaderCache.get(ccl);
- if (policy == null) policy = lookupSubPolicy(ccl);
- return policy;
-
+ boolean trust = trustGetContextClassLoader(t);
+ ClassLoader ccl = trust ? getContextClassLoader() : null;
+ if ( ccl == null ) return mainPolicy;
+ Policy policy = subPolicyChildClassLoaderCache.get(ccl); // just a cache.
+ if ( policy != null ) return policy;
+ lock.lock();
+ try {
+ policy = lookupSubPolicy(ccl);
+ return policy;
+ }finally{
+ lock.unlock();
+ }
}
/**
* Returns sub-policy associated with the given class loader. This method
- * should only be called when already synchronized on subPolicies.
+ * should only be called when already synchronized on lock.
*/
private Policy lookupSubPolicy(final ClassLoader ldr) {
return AccessController.doPrivileged(
new PrivilegedAction<Policy>() {
public Policy run() {
Policy p = null;
- policyRead.lock();
- try {
- for (ClassLoader l = ldr; l != null; l = l.getParent()) {
- p = subPolicies.get(l);
- if (p != null) break;
- }
- if (p == null) p = mainPolicy;
- Policy exists =
- subPolicyChildClassLoaderCache.putIfAbsent(ldr, p);
- if ( exists != null && p != exists )
- throw new IllegalStateException("Policy Mutation occured");
- return p;
- }finally{
- policyRead.unlock();
+ for (ClassLoader l = ldr; l != null; l = l.getParent()) {
+ p = subPolicies.get(l);
+ if (p != null) break;
}
+ if (p == null) p = mainPolicy;
+ Policy exists =
+ subPolicyChildClassLoaderCache.putIfAbsent(ldr, p);
+ if ( exists != null && p != exists )
+ throw new IllegalStateException("Policy Mutation occured");
+ return p;
}
});
}
Modified: river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/start/LoaderSplitPolicyProvider.java
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/start/LoaderSplitPolicyProvider.java?rev=1229137&r1=1229136&r2=1229137&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/start/LoaderSplitPolicyProvider.java (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/start/LoaderSplitPolicyProvider.java Mon Jan 9 13:12:52 2012
@@ -30,6 +30,14 @@ import java.security.Policy;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ConcurrentMap;
+import net.jini.security.policy.ConcurrentPolicy;
+import org.apache.river.api.security.PermissionGrant;
+import org.apache.river.impl.util.RC;
+import org.apache.river.impl.util.Ref;
+import org.apache.river.impl.util.Referrer;
/**
* Security policy provider which handles permission queries and grants by
@@ -51,17 +59,17 @@ import java.security.ProtectionDomain;
public class LoaderSplitPolicyProvider
extends Policy implements DynamicPolicy
{
- private static final ProtectionDomain myDomain = (ProtectionDomain)
- AccessController.doPrivileged(new PrivilegedAction() {
- public Object run() {
- return LoaderSplitPolicyProvider.class.getProtectionDomain();
- }
- });
+ private static final ProtectionDomain myDomain =
+ AccessController.doPrivileged(new PrivilegedAction<ProtectionDomain>() {
+ public ProtectionDomain run() {
+ return LoaderSplitPolicyProvider.class.getProtectionDomain();
+ }
+ });
private final ClassLoader loader;
private final Policy loaderPolicy;
private final Policy defaultPolicy;
- private final WeakIdentityMap delegateMap = new WeakIdentityMap();
+ private final ConcurrentMap<ClassLoader,Policy> delegateMap;
/**
* Creates a new <code>LoaderSplitPolicyProvider</code> instance which
@@ -90,6 +98,9 @@ public class LoaderSplitPolicyProvider
this.loader = loader;
this.loaderPolicy = loaderPolicy;
this.defaultPolicy = defaultPolicy;
+ delegateMap = RC.concurrentMap(
+ new ConcurrentHashMap<Referrer<ClassLoader>,Referrer<Policy>>()
+ ,Ref.WEAK_IDENTITY , Ref.STRONG);
ensureDependenciesResolved();
}
@@ -155,7 +166,7 @@ public class LoaderSplitPolicyProvider
loaderPolicy.refresh();
defaultPolicy.refresh();
}
-
+
/**
* Returns <code>true</code> if both of the underlying policy providers
* implement {@link DynamicPolicy} and return <code>true</code> from calls
@@ -241,33 +252,28 @@ public class LoaderSplitPolicyProvider
*/
return loaderPolicy;
}
- Policy p;
- synchronized (delegateMap) {
- p = (Policy) delegateMap.get(ldr);
- }
+ Policy p = delegateMap.get(ldr);
if (p == null) {
- p = (Policy) AccessController.doPrivileged(new PrivilegedAction() {
- public Object run() {
- for (ClassLoader l = ldr; l != null; l = l.getParent())
- {
- if (l == loader) {
- return loaderPolicy;
- }
- }
- return defaultPolicy;
- }
- });
- synchronized (delegateMap) {
- delegateMap.put(ldr, p);
- }
+ p = AccessController.doPrivileged(new PrivilegedAction<Policy>() {
+ public Policy run() {
+ for (ClassLoader l = ldr; l != null; l = l.getParent())
+ {
+ if (l == loader) {
+ return loaderPolicy;
+ }
+ }
+ return defaultPolicy;
+ }
+ });
+ delegateMap.putIfAbsent(ldr, p);
}
return p;
}
private static ClassLoader getClassLoader(final Class cl) {
- return (ClassLoader) AccessController.doPrivileged(
- new PrivilegedAction() {
- public Object run() { return cl.getClassLoader(); }
- });
+ return AccessController.doPrivileged(
+ new PrivilegedAction<ClassLoader>() {
+ public ClassLoader run() { return cl.getClassLoader(); }
+ });
}
}
Modified: river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/start/SharedActivationPolicyPermission.java
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/start/SharedActivationPolicyPermission.java?rev=1229137&r1=1229136&r2=1229137&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/start/SharedActivationPolicyPermission.java (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/start/SharedActivationPolicyPermission.java Mon Jan 9 13:12:52 2012
@@ -71,7 +71,7 @@ public final class SharedActivationPolic
* target of the <code>implies()</code> checks.
* @serial
*/
- private /*final*/ FilePermission policyPermission;
+ private final Permission policyPermission;
/**
* Constructor that creates a
@@ -81,7 +81,7 @@ public final class SharedActivationPolic
public SharedActivationPolicyPermission(String policy) {
//TBD - check for null args
super(policy);
- init(policy);
+ policyPermission = init(policy);
}
/**
@@ -94,13 +94,13 @@ public final class SharedActivationPolic
public SharedActivationPolicyPermission(String policy, String action) {
//TBD - check for null args
super(policy);
- init(policy);
+ policyPermission = init(policy);
}
/**
* Contains common code to all constructors.
*/
- private void init(final String policy) {
+ private Permission init(final String policy) {
/*
* In order to leverage the <code>FilePermission</code> logic
* we need to make sure that forward slashes ("/"), in
@@ -110,6 +110,7 @@ public final class SharedActivationPolic
* http://host:port/* matches http://host:port/bogus.jar under
* UNIX, but not under Windows since "\*" is the wildcard there.
*/
+ if (policy == null) throw new NullPointerException("Null policy string not allowed");
String uncanonicalPath = null;
try {
URL url = new URL(policy);
@@ -123,7 +124,7 @@ public final class SharedActivationPolic
uncanonicalPath = policy;
}
- policyPermission = new FilePermission(uncanonicalPath, "read");
+ return new FilePermission(uncanonicalPath, "read");
}
// javadoc inherited from superclass
Modified: river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/BasicInvocationDispatcher.java
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/BasicInvocationDispatcher.java?rev=1229137&r1=1229136&r2=1229137&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/BasicInvocationDispatcher.java (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/BasicInvocationDispatcher.java Mon Jan 9 13:12:52 2012
@@ -44,6 +44,7 @@ import java.security.AccessControlExcept
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permission;
+import java.security.Policy;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
@@ -910,7 +911,8 @@ public class BasicInvocationDispatcher i
}
}
});
- if (System.getSecurityManager() == null) {
+ SecurityManager sm = System.getSecurityManager();
+ if (sm == null) {
return;
}
ProtectionDomain pd;
@@ -934,6 +936,11 @@ public class BasicInvocationDispatcher i
}
boolean ok = pd.implies(permission);
// XXX what about logging
+ if (logger.isLoggable(Level.FINE)){
+ Policy p = Policy.getPolicy();
+ logger.log(Level.FINE, "SecurityManager: " + sm + "\nPolicy: " + p +
+ "\nProtectionDomain: " + pd);
+ }
if (!ok) {
throw new AccessControlException("access denied " + permission);
}
Modified: river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/ConcurrentPermissions.java
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/ConcurrentPermissions.java?rev=1229137&r1=1229136&r2=1229137&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/ConcurrentPermissions.java (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/ConcurrentPermissions.java Mon Jan 9 13:12:52 2012
@@ -34,6 +34,7 @@ import java.util.List;
import java.util.Map;
import java.util.NoSuchElementException;
import java.util.Set;
+import java.util.Vector;
import java.util.concurrent.ConcurrentHashMap;
@@ -102,7 +103,11 @@ implements Serializable {
throw new SecurityException("attempt to add a Permission to a readonly Permissions object");
}
if (allPermission == true) return; // Why bother adding another permission?
- if (permission instanceof AllPermission) {allPermission = true;}
+ if (permission instanceof AllPermission) {
+ allPermission = true;
+ permsMap.clear();
+ unresolved.clear();
+ }
if (permission instanceof UnresolvedPermission) {
unresolved.add(new PermissionPendingResolution((UnresolvedPermission)permission));
}
@@ -162,6 +167,11 @@ implements Serializable {
*/
@Override
public Enumeration<Permission> elements() {
+ if (allPermission == true){
+ Vector<Permission> a = new Vector<Permission>(1);
+ a.add(0, new AllPermission());
+ return a.elements();
+ }
ArrayList<PermissionCollection> elem =
new ArrayList<PermissionCollection>(permsMap.size()
+ unresolved.awaitingResolution() + 2);
@@ -214,8 +224,6 @@ implements Serializable {
PermissionCollection pc = epc.next();
/* We only take what we need, as we need it, minimising memory use.
* Each underlying PermissionCollection adds its own Enumeration.
- * MultiReadPermissionCollection caches the elements so we
- * are protected from ConcurrentModificationException's
*/
if ( pc instanceof PermissionPendingResolutionCollection ){
Set<Permission> permissionSet = new HashSet<Permission>();
Modified: river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/DynamicPermissionCollection.java
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/DynamicPermissionCollection.java?rev=1229137&r1=1229136&r2=1229137&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/DynamicPermissionCollection.java (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/DynamicPermissionCollection.java Mon Jan 9 13:12:52 2012
@@ -31,6 +31,7 @@ import java.util.Collection;
import java.util.Collections;
import java.util.Comparator;
import java.util.Enumeration;
+import java.util.TreeSet;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
import org.apache.river.impl.util.CollectionsConcurrent;
@@ -38,7 +39,8 @@ import org.apache.river.impl.util.Collec
/**
* This homogenous PermissionCollection is designed to overcome some shortfalls with existing
* PermissionCollection's that block for potentially long durations
- * on implies(), like SocketPermissionCollection.
+ * on implies(), like SocketPermissionCollection, provided that there new
+ * Permission objects are not added, as this may cause delayed blocking.
*
* @author peter
*/
@@ -55,7 +57,8 @@ final class DynamicPermissionCollection
private volatile boolean noPC;
DynamicPermissionCollection(Comparator<Permission> c, Class cl){
- perms = CollectionsConcurrent.multiReadCollection(new ArrayList<Permission>());
+ perms = CollectionsConcurrent.multiReadCollection(
+ new TreeSet<Permission>(new PermissionComparator()) );
this.cl = cl;
comp = c;
lock = new ReentrantLock();
Modified: river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/PermissionComparator.java
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/PermissionComparator.java?rev=1229137&r1=1229136&r2=1229137&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/PermissionComparator.java (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/PermissionComparator.java Mon Jan 9 13:12:52 2012
@@ -1,51 +1,149 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
package net.jini.security;
import java.io.Serializable;
import java.security.Permission;
+import java.security.UnresolvedPermission;
+import java.security.cert.Certificate;
+import java.util.Arrays;
import java.util.Comparator;
/**
- * A Comparator for Set's of permissions that avoids using equals and hashCode()
+ * A Comparator for Permission that avoids using equals and hashCode() on
+ * Permission implementations.
+ *
+ * This comparator orders the Permission first by Class, then Name, followed
+ * by Actions.
+ *
+ * Class is sorted by class hashcode.
+ *
+ * Name is sorted using Unicode character order, so wildcards "*" and
+ * characters will preceed numbers, which will preceed letters.
+ *
+ * The comparator must be as fast as possible, the common case is not equal,
+ * so that must be very fast.
+ *
+ * Note that for SocketPermissionCollection that the desired order to add to
+ * SocketPermission's is in , with the most likely permissions added last.
+ *
+ * HINT: Use a NavigableMap to return a reverse order iterator for
+ * PermissionCollection's like SocketPermissionCollection and
+ * FilePermissionCollection.
*
* @author Peter Firmstone.
*/
public class PermissionComparator implements Comparator<Permission>, Serializable {
private static final long serialVersionUID = 1L;
+ private static final char wildcard = "*".charAt(0);
public int compare(Permission o1, Permission o2) {
if (o1 == o2) return 0;
+
+ if ( o1 == null ){
+ if (o2 == null) return 0;
+ return -1; // o1 is less
+ }
+ if ( o2 == null ) return 1; // o1 is greater
+
+ int hash1, hash2, comparison;
+ // Permission not equal if Class hashCode not equal.
Class c1 = o1.getClass();
- String name1 = o1.getName();
- String actions1 = o1.getActions();
Class c2 = o2.getClass();
- String name2 = o2.getName();
- String actions2 = o2.getActions();
- int hash1 = hashCode(c1, name1, actions1);
- int hash2 = hashCode(c2, name2, actions2);
+ hash1 = c1.hashCode();
+ hash2 = c2.hashCode();
if (hash1 < hash2) return -1;
if (hash1 > hash2) return 1;
- // Identical hash codes
- int comp = -1;
- if (c1.equals(c2) ){
- comp = name1.compareTo(name2);
- if ( comp == 0 ) {
- return actions1.compareTo(actions2);
+ //hashcodes equal.
+ if (o1 instanceof UnresolvedPermission && o2 instanceof UnresolvedPermission){
+ // Special case
+ UnresolvedPermission u1 = (UnresolvedPermission) o1, u2 = (UnresolvedPermission) o2;
+ String type1 = u1.getUnresolvedType(), type2 = u2.getUnresolvedType();
+ if ( type1 == null ){
+ if (type2 == null) return 0;
+ return -1; // o1 is less
+ }
+ if ( type2 == null ) return 1; // o1 is greater
+ comparison = type1.compareTo(type2);
+ if ( comparison != 0 ) return comparison;
+ // types equal.
+ String name1 = u1.getUnresolvedName(), name2 = u2.getUnresolvedName();
+ if ( name1 == null ){
+ if (name2 == null) return 0;
+ return -1; // o1 is less
+ }
+ if ( name2 == null ) return 1; // o1 is greater
+ comparison = name1.compareTo(name2);
+ if ( comparison != 0 ) return comparison;
+ // names equal.
+ String action1 = u1.getUnresolvedName(), action2 = u2.getUnresolvedName();
+ if ( action1 == null ){
+ if (action2 == null) return 0;
+ return -1; // o1 is less
+ }
+ if ( action2 == null ) return 1; // o1 is greater
+ comparison = action1.compareTo(action2);
+ if ( comparison != 0 ) return comparison;
+ // actions equal.
+ Certificate[] cert1 = u1.getUnresolvedCerts(), cert2 = u2.getUnresolvedCerts();
+ if ( cert1 == null ){
+ if (cert2 == null) return 0;
+ return -1; // o1 is less
}
- return comp;
+ if ( cert2 == null ) return 1; // o1 is greater
+ int l1 = cert1.length, l2 = cert2.length;
+ if (l1 < l2 ) return -1;
+ if (l1 > l2 ) return 1;
+ // Same length cert arrays.
+ if (Arrays.asList(cert1).containsAll(Arrays.asList(cert2))) return 0;
+ // compare each until they don't match don't be fussy they're not equal
+ // but they're the same length.
+ for (int i = 0; i < l1; i++){
+ int c = cert1[i].toString().compareTo(cert2[i].toString());
+ if (c != 0) return c;
+ }
+ return -1;
}
- // If we get here, class is not equal.
- comp = c1.toString().compareTo(c2.toString());
- if (comp == 0 ) return -1; // should never happen.
- return comp;
- }
-
- private int hashCode(Class cl, String name, String actions) {
- int hash = 3;
- hash = 67 * hash + cl.hashCode();
- hash = 67 * hash + name.hashCode();
- hash = 67 * hash + actions.hashCode();
- return hash;
+ String name1 = o1.getName();
+ String name2 = o2.getName();
+ if ( name1 == null ){
+ if (name2 == null) return 0;
+ return -1; // o1 is less
+ }
+ if ( name2 == null ) return 1; // o1 is greater
+ comparison = name1.compareTo(name2);
+ if ( comparison != 0 ) return comparison;
+ // names equal.
+ String actions1 = o1.getActions();
+ String actions2 = o2.getActions();
+ if ( actions1 == null ){
+ if (actions2 == null) return 0;
+ return -1; // o1 is less
+ }
+ if ( actions2 == null ) return 1; // o1 is greater
+ comparison = actions1.compareTo(actions2);
+ if ( comparison != 0 ) return comparison;
+ // actions equal.
+ // Now we must be careful that these Permission's are truly equal.
+ // Check they have same class
+ if ( c1.equals(c2)) return 0;
+ // if we get to here, someone might be trying to substitute
+ return -1;
}
}
Modified: river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/PermissionPendingResolutionCollection.java
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/PermissionPendingResolutionCollection.java?rev=1229137&r1=1229136&r2=1229137&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/PermissionPendingResolutionCollection.java (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/PermissionPendingResolutionCollection.java Mon Jan 9 13:12:52 2012
@@ -48,6 +48,11 @@ class PermissionPendingResolutionCollect
public int awaitingResolution(){
return pending.get();
}
+
+ void clear(){
+ klasses.clear();
+ pending.set(0);
+ }
public void add(Permission permission) {
Added: river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/ConcurrentPolicy.java
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/ConcurrentPolicy.java?rev=1229137&view=auto
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/ConcurrentPolicy.java (added)
+++ river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/ConcurrentPolicy.java Mon Jan 9 13:12:52 2012
@@ -0,0 +1,54 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package net.jini.security.policy;
+
+import java.security.CodeSource;
+import java.security.ProtectionDomain;
+import org.apache.river.api.security.PermissionGrant;
+
+/**
+ *
+ * @author peter
+ */
+public interface ConcurrentPolicy {
+
+ public boolean isConcurrent();
+
+ /**
+ * Returns a new array containing immutable PermissionGrant's, the array
+ * returned is not shared.
+ *
+ * Only those PermissionGrant's that imply the domain will be returned.
+ *
+ * This allows the top level policy to gather all PermissionGrant's,
+ * retrieve all relevant permissions, then sort them using PermissionComparator
+ * or any other Comparator, so Permission's are added to a PermissionCollection
+ * in the most efficient order.
+ *
+ * @param domain
+ * @return PermissionGrant []
+ */
+ public PermissionGrant[] getPermissionGrants(ProtectionDomain domain);
+
+ /**
+ * Retrieves all PermissionGrant's from the underlying policy.
+ * @return
+ */
+ public PermissionGrant[] getPermissionGrants();
+}
Propchange: river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/ConcurrentPolicy.java
------------------------------------------------------------------------------
svn:eol-style = native