net.jini.security.proxytrust

Class ProxyTrustVerifier

java.lang.Object

net.jini.security.proxytrust.ProxyTrustVerifier

All Implemented Interfaces:

TrustVerifier

public class ProxyTrustVerifier
extends Object
implements TrustVerifier

Trust verifier for service proxies that use dynamically downloaded code. This verifier uses a recursive algorithm to obtain one or more bootstrap proxies, which must be objects that are instances of both ProxyTrust and RemoteMethodControl. If a bootstrap proxy (or a derivative of it) is known to be trusted, a remote call is made through it to obtain a trust verifier for the original service proxy. This class is intended to be specified in a resource to configure the operation of Security.verifyObjectTrust.

Since:

2.0

Author:

Sun Microsystems, Inc.

Implementation Specifics:

This implementation uses the Logger named net.jini.security.trust to log information at the following levels:

Level	Description
FAILED	no verifier is obtained from a ProxyTrustIterator
HANDLED	RemoteException being passed to ProxyTrustIterator.setException
FINE	ProxyTrust.getProxyVerifier remote call returns a trust verifier
FINER	an object with a getProxyTrustIterator method is encountered
FINER	each object produced by a ProxyTrustIterator and each derivative bootstrap proxy

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
private static class	ProxyTrustVerifier.MOStream Marshal output stream that looks for a class with a given codebase but in a different class loader than the one we have.

Nested classes/interfaces inherited from interface net.jini.security.TrustVerifier

TrustVerifier.Context

Field Summary

Fields

Modifier and Type	Field and Description
private static Method	gpvMethod ProxyTrust.getProxyVerifier
private static Logger	logger
private static ThreadLocal	state Thread-local state containing object to skip, if any

Constructor Summary

Constructors

Constructor and Description
ProxyTrustVerifier() Creates an instance.

Method Summary

Modifier and Type	Method and Description
private static TrustVerifier	getAltVerifier(Object obj, TrustVerifier.Context ctx, MethodConstraints mc) Takes a bootstrap proxy that doesn't have an iterator method and whose invocation handler doesn't have an iterator method.
private static Method	getMethod(Object obj) Returns getProxyTrustIterator method of object if it has a proper one.
private static TrustVerifier	getVerifier(Object obj, TrustVerifier.Context ctx, MethodConstraints mc, UntrustedObjectSecurityContext uosc) Recursively tries to obtain a verifier from the remote server.
private static boolean	isTrusted(Object obj, TrustVerifier.Context ctx) Returns result of calling ctx.isTrustedObject(obj) with thread-local state set to obj.
boolean	isTrustedObject(Object obj, TrustVerifier.Context ctx) Returns true if the specified object is known to be trusted to correctly implement its contract; returns false otherwise.
private static boolean	restrictedHasNext(ProxyTrustIterator iter, SecurityContext rsc) Calls iter.hasNext() in context of acc.
private static Object	restrictedInvoke(Method m, Object obj, SecurityContext rsc) Calls m.invoke(obj, null) in context of rsc.
private static Object	restrictedNext(ProxyTrustIterator iter, SecurityContext rsc) Calls iter.next() in context of rsc.
private static void	restrictedSetException(ProxyTrustIterator iter, RemoteException e, SecurityContext rsc) Calls iter.setException(e) in context of rsc.
private static boolean	samePackage(Class c1, Class c2) Returns true if the classes are in the same package, false otherwise.
private static boolean	usable(Method m, Class c, Class base) Returns true if the method returns ProxyTrustIterator, has no declared exceptions, and is a non-static member of the base class.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

logger

private static final Logger logger

state

private static final ThreadLocal state

Thread-local state containing object to skip, if any

gpvMethod

private static Method gpvMethod

ProxyTrust.getProxyVerifier

Constructor Detail

ProxyTrustVerifier

public ProxyTrustVerifier()

Creates an instance.

Method Detail

isTrustedObject

public boolean isTrustedObject(Object obj,
                               TrustVerifier.Context ctx)
                        throws RemoteException

Returns true if the specified object is known to be trusted to correctly implement its contract; returns false otherwise.

This method returns false if the caller context collection of the specified trust verifier context does not contain a MethodConstraints instance with non-empty constraints for the ProxyTrust.getProxyVerifier method, or if a TrustVerifier cannot be obtained from the specified object using the steps described below. Otherwise a TrustVerifier is obtained, its isTrustedObject method is called with the same arguments passed to this method, and the result of that call is returned by this method; any exception thrown by that call is thrown by this method. If a verifier cannot be obtained but one or more of the intermediate operations involved in attempting to obtain one throws a RemoteException, the last such RemoteException is thrown by this method (rather than this method returning false). If any intermediate operation throws a SecurityException exception, that exception is immediately thrown by this method.

A verifier is obtained from a candidate object as follows.

• If either the candidate object's class has a non-static member method with signature:

  ProxyTrustIterator getProxyTrustIterator();

  or the candidate object is an instance of a dynamically generated Proxy class and the contained invocation handler's class has such a member method, then the getProxyTrustIterator method is called (on the candidate object or its invocation handler). For each object produced by the next method of the returned iterator, the following substeps are used, until either a verifier is obtained or the iteration terminates. If no verifier can be obtained from any object produced by the iterator, then there is no verifier for the candidate object. For any given object produced by the iterator, if a verifier cannot be obtained from the object but an intermediate operation involved in attempting to obtain a verifier throws a RemoteException, that exception is passed to the setException method of the iterator, and the iteration continues.

  The getProxyTrustIterator method and the ProxyTrustIterator methods are all invoked in a restricted security context. If the specified trust verifier context contains an UntrustedObjectSecurityContext instance, then the security context returned by its getContext method is used. Otherwise, the security context used is equivalent to the current security context (as returned by Security.getContext) with an additional protection domain combined into the access control context that contains an empty CodeSource (null location and certificates), null permissions, null class loader, and null principals.

  • If the object is an instance of both ProxyTrust and RemoteMethodControl (that is, if the object is a bootstrap proxy), it is verified for trust by calling the specified context's isTrustedObject method with the object. If isTrustedObject returns true, then the object's getProxyVerifier method is called, using as the client constraints for the remote call the first MethodConstraints instance obtained from the caller context collection (of the specified trust verifier context) that has non-empty constraints for that getProxyVerifier method. The verifier returned by that remote call is the verifier for the original top-level object, and the entire search stops. If isTrustedObject returns false, but a verifier can be obtained from a trusted derivative bootstrap proxy as described below, then that verifier is the verifier for the original top-level object, and the entire search stops. Otherwise, no verifier can be obtained from the object, and the iteration continues.
  • If the object is not a ProxyTrust instance, it is in turn treated as a new candidate object, and the complete set of steps for a candidate object are used recursively to obtain a verifier from it. If a verifier can be obtained from it, that verifier is the verifier for the original top-level object, and the entire search stops. If a verifier cannot be obtained from it, the iteration continues.
• If the candidate object is the original top-level object and it is an instance of both ProxyTrust and RemoteMethodControl (that is, if the original top-level object is itself a bootstrap proxy), and a verifier can be obtained from a trusted derivative bootstrap proxy as described below, that verifier is the verifier for the original top-level object, and the entire search stops.

Given a bootstrap proxy, a verifier can be obtained from a trusted derivative bootstrap proxy as follows. A derivative can be produced from the bootstrap proxy if all of the following conditions are satisfied: the bootstrap proxy was not itself produced (either from an iteration or as a derivative) by the latest active invocation of ProxyTrustVerifier (not including the current one) in this thread; the bootstrap proxy is an instance of a dynamically generated Proxy class; neither the proxy's class nor the invocation handler's class has an appropriate getProxyTrustIterator method; the class loader of the proxy's class is the proper Java(TM) RMI class loader (as defined below) for its parent class loader and the class's codebase (as produced by RMIClassLoader.getClassAnnotation); and both ProxyTrust and RemoteMethodControl are loadable by the parent class loader. The derivative that is produced is an instance of a dynamically generated Proxy class defined by the parent class loader that implements both ProxyTrust and RemoteMethodControl and contains the same invocation handler as the bootstrap proxy. The derivative is a trusted derivative bootstrap proxy if calling the specified context's isTrustedObject method with the derivative returns true. If a trusted derivative bootstrap proxy can be produced, its getProxyVerifier method is called, using as the client constraints for the remote call the first MethodConstraints instance obtained from the caller context collection (of the specified trust verifier context) that has non-empty constraints for that getProxyVerifier method. The returned verifier is used as is, if the class loader of the returned verifier's class is equal to the class loader of the original bootstrap proxy's class, or if, in generating a serialization of the verifier, no class passed to ObjectOutputStream.annotateClass or ObjectOutputStream.annotateProxyClass has a class loader not equal to the class loader of the original bootstrap proxy's class but has a codebase that is equal to the codebase of the original bootstrap proxy's class. Otherwise, the verifier is remarshalled in a manner equivalent to creating a MarshalledInstance with the verifier and then calling the get method of that object with the class loader of the original bootstrap proxy's class as the default loader, with no codebase integrity verification and with an empty context collection, and the remarshalled verifier is used instead. If an IOException or ClassNotFoundException is thrown by this remarshalling, the exception is wrapped in an UnmarshalException and the resulting exception is treated as if it had been thrown by the remote call that returned the verifier.

A class loader of a class is the proper Java RMI class loader for its parent class loader and the class's codebase if the class loader is not null, the codebase for the class is a non-empty string, and calling RMIClassLoader.getClassLoader with that codebase, with the thread's context class loader set to the parent class loader, returns the class loader of the class.

Specified by:

isTrustedObject in interface TrustVerifier

Parameters:

obj - the object in which to verify trust

ctx - the trust verifier context, to aid in verification of the specified object and its components

Returns:

true if the specified object is known to be trusted to correctly implement its contract; false otherwise

Throws:

NullPointerException - if any argument is null

SecurityException - if a security exception occurs

RemoteException - if a communication-related exception occurs

getVerifier

private static TrustVerifier getVerifier(Object obj,
                                         TrustVerifier.Context ctx,
                                         MethodConstraints mc,
                                         UntrustedObjectSecurityContext uosc)
                                  throws RemoteException

Recursively tries to obtain a verifier from the remote server.

Throws:

RemoteException

restrictedInvoke

private static Object restrictedInvoke(Method m,
                                       Object obj,
                                       SecurityContext rsc)
                                throws IllegalAccessException,
                                       InvocationTargetException

Calls m.invoke(obj, null) in context of rsc.

Throws:

IllegalAccessException

InvocationTargetException

restrictedHasNext

private static boolean restrictedHasNext(ProxyTrustIterator iter,
                                         SecurityContext rsc)

Calls iter.hasNext() in context of acc.

restrictedNext

private static Object restrictedNext(ProxyTrustIterator iter,
                                     SecurityContext rsc)
                              throws RemoteException

Calls iter.next() in context of rsc.

Throws:

RemoteException

restrictedSetException

private static void restrictedSetException(ProxyTrustIterator iter,
                                           RemoteException e,
                                           SecurityContext rsc)

Calls iter.setException(e) in context of rsc.

isTrusted

private static boolean isTrusted(Object obj,
                                 TrustVerifier.Context ctx)
                          throws RemoteException

Returns result of calling ctx.isTrustedObject(obj) with thread-local state set to obj.

Throws:

RemoteException

getAltVerifier

private static TrustVerifier getAltVerifier(Object obj,
                                            TrustVerifier.Context ctx,
                                            MethodConstraints mc)
                                     throws RemoteException

Takes a bootstrap proxy that doesn't have an iterator method and whose invocation handler doesn't have an iterator method. If its class loader is a proper RMI child of its parent, creates a new bootstrap proxy in the parent, and if it's trusted, makes remote call to get verifier, and then conditionally remarshals the verifier. Remarshals if the verifier's class loader is not the original bootstrap proxy's class loader, but the reserialized form of the verifier contains a descriptor for a class with the same codebase as but different class loader than the original bootstrap proxy.

Throws:

RemoteException

getMethod

private static Method getMethod(Object obj)

Returns getProxyTrustIterator method of object if it has a proper one.

usable

private static boolean usable(Method m,
                              Class c,
                              Class base)

Returns true if the method returns ProxyTrustIterator, has no declared exceptions, and is a non-static member of the base class.

samePackage

private static boolean samePackage(Class c1,
                                   Class c2)

Returns true if the classes are in the same package, false otherwise.