Author: peter_firmstone Date: Sat Dec 24 11:38:28 2011 New Revision: 1222962
URL: http://svn.apache.org/viewvc?rev=1222962&view=rev Log: River-323 URIGrant replaces CodeSourceGrant functionality to avoid DNS lookup. Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/GetContextTest.td river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/policyFileProvider/UmbrellaGrants.td river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/security/basicproxypreparer/PrepareProxy_Test.td river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/jeri/internal/runtime/Target.java river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/PermissionComparator.java river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/ConcurrentPolicyFile.java river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/DelegateCombinerSecurityManager.java river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/PermissionGrantBuilderImp.java river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/URIGrant.java river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/security/policy/util/DefaultPolicyParser.java Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/GetContextTest.td URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/GetContextTest.td?rev=1222962&r1=1222961&r2=1222962&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/GetContextTest.td (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/GetContextTest.td Sat Dec 24 11:38:28 2011 
@@ -8,3 +8,6 @@ getContextJarFile=<file:lib/qa1-start-cb restoreContextJarFile=<file:lib/qa1-start-cb2.jar> checkContextActionJarFile=<file:lib/qa1-start-cb3.jar> include0=../start.properties +#testjvmargs=-Xdebug,\ +#-Xrunjdwp:transport=dt_socket+,address=8000+,server=y+,suspend=y,\ +#${testjvmargs} \ No newline at end of file Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/policyFileProvider/UmbrellaGrants.td URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/policyFileProvider/UmbrellaGrants.td?rev=1222962&r1=1222961&r2=1222962&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/policyFileProvider/UmbrellaGrants.td (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/policyprovider/policyFileProvider/UmbrellaGrants.td Sat Dec 24 11:38:28 2011 
@@ -7,3 +7,6 @@ FILEPOLICY01=<url: policyProviderGrant01 FILEPOLICY02=<url: policyProviderGrant02.policy> FILEPOLICYUMBRELLA=<url: policyProviderUmbrellaGrant.policy> com.sun.jini.qa.harness.securityproperties=<url: ../securityprovider.properties> +#testjvmargs=-Xdebug,\ +#-Xrunjdwp:transport=dt_socket+,address=8000+,server=y+,suspend=y,\ +#${testjvmargs} Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/security/basicproxypreparer/PrepareProxy_Test.td URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/security/basicproxypreparer/PrepareProxy_Test.td?rev=1222962&r1=1222961&r2=1222962&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/security/basicproxypreparer/PrepareProxy_Test.td (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/src/com/sun/jini/test/spec/security/basicproxypreparer/PrepareProxy_Test.td Sat Dec 24 11:38:28 2011 @@ -4,4 +4,6 @@ com.sun.jini.qa.harness.runactivation=fa com.sun.jini.qa.harness.runjiniserver=false com.sun.jini.qa.harness.runkitserver=false com.sun.jini.qa.harness.shared=false - +#testjvmargs=-Xdebug,\ +#-Xrunjdwp:transport=dt_socket+,address=8000+,server=y+,suspend=y,\ +#${testjvmargs} \ No newline at end of file Modified: river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/jeri/internal/runtime/Target.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/jeri/internal/runtime/Target.java?rev=1222962&r1=1222961&r2=1222962&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/jeri/internal/runtime/Target.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/jeri/internal/runtime/Target.java Sat Dec 24 11:38:28 2011 
@@ -466,7 +466,11 @@ final class Target { } }), securityContext.getAccessControlContext()); } catch (PrivilegedActionException e) { - throw (IOException) e.getException(); + Exception ex = e.getException(); + if ( ex instanceof IOException ) throw (IOException) ex; + if ( ex instanceof InterruptedException ) { + Thread.currentThread().interrupt(); + } } finally { if (ccl != savedCcl || savedCcl != t.getContextClassLoader()) { t.setContextClassLoader(savedCcl); Modified: river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/PermissionComparator.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/PermissionComparator.java?rev=1222962&r1=1222961&r2=1222962&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/PermissionComparator.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/PermissionComparator.java Sat Dec 24 11:38:28 2011 
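Review bot: The rewritten catch block in Target.java no longer throws in every case: when `e.getException()` is neither an IOException nor an InterruptedException it is dropped, and after an InterruptedException the interrupt flag is restored but execution continues as if the privileged action had succeeded. Because the action runs under `securityContext.getAccessControlContext()`, a silently lost failure is hard to diagnose afterwards. Finish the catch with an explicit throw for the remaining cases, for example `IOException ioe = new IOException("privileged action failed"); ioe.initCause(ex); throw ioe;`. The enclosing method starts and ends outside the hunk, so what callers expect after this point is not visible here.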
@@ -5,14 +5,44 @@ import java.security.Permission; import java.util.Comparator; /** - * - * @author peter + * A Comparator for Set's of permissions that avoids using equals and hashCode() + * + * @author Peter Firmstone. */ public class PermissionComparator implements Comparator<Permission> { - @Override public int compare(Permission o1, Permission o2) { - throw new UnsupportedOperationException("Not supported yet."); + Class c1 = o1.getClass(); + String name1 = o1.getName(); + String actions1 = o1.getActions(); + Class c2 = o2.getClass(); + String name2 = o2.getName(); + String actions2 = o2.getActions(); + int hash1 = hashCode(c1, name1, actions1); + int hash2 = hashCode(c2, name2, actions2); + if (hash1 < hash2) return -1; + if (hash1 > hash2) return 1; + // Identical hash codes + int comp = -1; + if (c1.equals(c2) ){ + comp = name1.compareTo(name2); + if ( comp == 0 ) { + return actions1.compareTo(actions2); + } + return comp; + } + // If we get here, class is not equal. + comp = c1.toString().compareTo(c2.toString()); + if (comp == 0 ) return -1; // should never happen. + return comp; } - + + private int hashCode(Class cl, String name, String actions) { + int hash = 3; + hash = 67 * hash + cl.hashCode(); + hash = 67 * hash + name.hashCode(); + hash = 67 * hash + actions.hashCode(); + return hash; + } + } Modified: river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/ConcurrentPolicyFile.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/ConcurrentPolicyFile.java?rev=1222962&r1=1222961&r2=1222962&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/ConcurrentPolicyFile.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/ConcurrentPolicyFile.java Sat Dec 24 11:38:28 2011 
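Review bot: `if (comp == 0 ) return -1; // should never happen.` breaks the Comparator contract when it does happen: two distinct classes with the same `toString()` (the same class name defined by two class loaders) make both `compare(a, b)` and `compare(b, a)` return -1, which can corrupt the ordering of a sorted set. That branch needs an antisymmetric tie-break, for instance one based on the defining class loaders. `getName()` and `getActions()` are also dereferenced in `hashCode(...)` and `compareTo(...)` without a null check, so a Permission subclass returning null from either would throw NullPointerException; treat null as the empty string or document the precondition. The class comment should state that two permissions compare as equal when class, name and actions match, because this commit uses the comparator to decide hits in the checked-permission cache of DelegateCombinerSecurityManager.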
@@ -289,7 +289,10 @@ public class ConcurrentPolicyFile extend Collection<Permission> c = ge.getPermissions(); Iterator<Permission> i = c.iterator(); while (i.hasNext()){ - perms.add(i.next()); + Permission p = i.next(); + perms.add(p); + // Don't stuff around finish early if you can. + if (p instanceof AllPermission) return perms; } } } Modified: river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/DelegateCombinerSecurityManager.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/DelegateCombinerSecurityManager.java?rev=1222962&r1=1222961&r2=1222962&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/DelegateCombinerSecurityManager.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/DelegateCombinerSecurityManager.java Sat Dec 24 11:38:28 2011 @@ -28,10 +28,12 @@ import java.security.PrivilegedAction; import java.security.ProtectionDomain; import java.util.ArrayList; import java.util.Collection; +import java.util.Comparator; import java.util.HashSet; import java.util.Iterator; import java.util.List; import java.util.Set; +import java.util.TreeSet; import java.util.concurrent.Callable; import java.util.concurrent.ConcurrentHashMap; import java.util.concurrent.ConcurrentMap; @@ -43,6 +45,7 @@ import java.util.concurrent.Future; import java.util.concurrent.atomic.AtomicBoolean; import java.util.logging.Level; import java.util.logging.Logger; +import net.jini.security.PermissionComparator; import org.apache.river.api.delegates.DelegatePermission; import org.apache.river.impl.util.CollectionsConcurrent; import org.apache.river.impl.util.RC; 
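Review bot: The early `return perms;` on AllPermission in ConcurrentPolicyFile leaves from inside the nested iteration, so anything the method does after these loops is skipped on that path. The method's start and end are outside the hunk, so confirm that no lock release or further bookkeeping follows the loops. The comment would also be clearer if it gave the reason, e.g. `// AllPermission implies every other permission, so later grants cannot add anything.`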
@@ -66,6 +69,7 @@ extends SecurityManager implements Deleg private final Guard g; private final Action action; private final ExecutorService executor; + private final Comparator<Referrer<Permission>> permCompare; public DelegateCombinerSecurityManager(){ super(); @@ -84,7 +88,11 @@ extends SecurityManager implements Deleg double blocking_coefficient = 0.8; // 0 CPU intensive to 0.9 IO intensive int numberOfCores = Runtime.getRuntime().availableProcessors(); int poolSize = (int) (numberOfCores / ( 1 - blocking_coefficient)); + // If we decide to stay with an ExecutorService, we need to have a zero + // length SynchronousQueue and an Executor that hands the task to the calling + // thread if no pool threads are available. executor = Executors.newFixedThreadPool(poolSize); + permCompare = RC.comparator(new PermissionComparator()); } @Override @@ -96,7 +104,7 @@ extends SecurityManager implements Deleg Set<Permission> checkedPerms = checked.get(executionContext); if (checkedPerms == null){ Set<Referrer<Permission>> internal = - CollectionsConcurrent.multiReadSet(new HashSet<Referrer<Permission>>(96)); + CollectionsConcurrent.multiReadSet(new TreeSet<Referrer<Permission>>(permCompare)); checkedPerms = RC.set(internal, Ref.SOFT); Set<Permission> existed = checked.putIfAbsent(executionContext, checkedPerms); if (existed != null) checkedPerms = existed; 
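Review bot: In the `@@ -96` hunk the per-context cache becomes a `TreeSet` ordered by `permCompare`, while `RC.set(internal, Ref.SOFT)` still holds its elements through soft references. `RC.comparator` is not visible in this commit, so confirm how it orders a `Referrer` whose referent has been cleared: `PermissionComparator.compare` dereferences both arguments, and a sorted set whose ordering changes when an entry is collected can misplace or lose entries. A short comment at the `new TreeSet` line stating that membership is decided by class, name and actions, not by `Permission.equals`, would record why the `HashSet` was replaced.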
@@ -132,9 +140,10 @@ extends SecurityManager implements Deleg } // Normal execution, same as SecurityManager. executionContext.checkPermission(perm); + /* It's ok to cache SocketPermission if we use a comparator */ // If we get to here, no exceptions were thrown, we have permission. // Don't cache SocketPermission. - if (perm instanceof SocketPermission) return; + // if (perm instanceof SocketPermission) return; checkedPerms.add(perm); } Modified: river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/PermissionGrantBuilderImp.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/PermissionGrantBuilderImp.java?rev=1222962&r1=1222961&r2=1222962&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/PermissionGrantBuilderImp.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/PermissionGrantBuilderImp.java Sat Dec 24 11:38:28 2011 @@ -109,8 +109,8 @@ class PermissionGrantBuilderImp extends if (context < 0) { throw new IllegalStateException("context must be >= 0"); } - if (context > 4) { - throw new IllegalStateException("context must be <= 4"); + if (context > 5) { + throw new IllegalStateException("context must be <= 5"); } this.context = context; return this; Modified: river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/URIGrant.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/URIGrant.java?rev=1222962&r1=1222961&r2=1222962&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/URIGrant.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/URIGrant.java Sat Dec 24 11:38:28 2011 
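Review bot: The `@@ -132` hunk disables the SocketPermission guard by commenting it out and leaves the old comment `// Don't cache SocketPermission.` directly above it, which now contradicts the new `/* It's ok to cache SocketPermission if we use a comparator */`. Delete the dead line and the stale comment and keep one explanation, e.g. `// SocketPermission may be cached: the set is ordered by PermissionComparator (class, name, actions), so equals()/hashCode() and their DNS lookups are never called.` A cached entry presumably short-circuits later checks for the same permission, so it is also worth stating where this cache is cleared when the policy changes; that code is not in the hunk. The enclosing method begins outside the hunk.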
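Review bot: The upper bound in the PermissionGrantBuilderImp hunk is a literal that must be edited by hand, together with its message, each time a context constant is added: `if (context > 5)`. Comparing against the named constant would keep the two in step, e.g. `if (context > PermissionGrantBuilder.URI)`, assuming `URI` (used by DefaultPolicyParser in this same commit) is the highest context value; its definition is not shown. The enclosing method begins and ends outside the hunk.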
@@ -31,6 +31,8 @@ import java.util.ArrayList; import java.util.Collection; import java.util.Collections; import java.util.Iterator; +import java.util.logging.Level; +import java.util.logging.Logger; /** * @@ -108,14 +110,23 @@ class URIGrant extends CertificateGrant // sun.security.provider.PolicyFile compatibility for null CodeSource is false. // see com.sun.jini.test.spec.policyprovider.dynamicPolicyProvider.GrantPrincipal test. if (codeSource == null) return false; + URL url = codeSource.getLocation(); + if (url == null) return false; if (location.isEmpty()) return true; int l = location.size(); URI[] uris = location.toArray(new URI[l]); for (int i = 0; i<l ; i++ ){ if (uris[i] == null) return true; } + URI implied = null; + try { + implied = url.toURI(); + } catch (URISyntaxException ex) { + ex.printStackTrace(System.err); + return false; + } for (int i = 0; i<l ; i++){ - if (implies(uris[i], codeSource)) return true; + if (implies(uris[i], implied)) return true; } return false; } @@ -185,7 +196,7 @@ class URIGrant extends CertificateGrant * @return {@code true} if the argument code source is implied by this * {@code CodeSource}, otherwise {@code false}. */ - private static boolean implies(URI location, CodeSource cs) { + private static boolean implies(URI grant, URI implied) { // // Here, javadoc:N refers to the appropriate item in the API spec for // the CodeSource.implies() 
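Review bot: In the `@@ -108` hunk, `if (url == null) return false;` now runs before `if (location.isEmpty()) return true;`, so a grant with no URI restriction no longer applies to a CodeSource whose location is null. If that is intended it deserves a comment; otherwise the null check belongs after the empty-location and null-URI shortcuts. `url.toURI()` also throws URISyntaxException for URLs that are not valid URIs (for example a file URL containing an unescaped space), and the grant is then denied with only `ex.printStackTrace(System.err)` as evidence. The `java.util.logging` imports added in the `@@ -31` hunk are not used by anything visible here; reporting the rejected URL through a Logger would make such denials traceable.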
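Review bot: The javadoc above `implies(URI grant, URI implied)` in the `@@ -185` hunk still describes the old signature: the visible `@return` line speaks of "the argument code source" and "this CodeSource". It should name the two URIs instead, e.g. `@param grant the URI taken from the policy grant` and `@param implied the URI of the code source location being tested`, with `@return` reworded to match. Both the javadoc and the method body extend beyond the hunk.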
@@ -213,31 +224,31 @@ class URIGrant extends CertificateGrant // } // javadoc:3 - if (location != null) { + if (grant != null) { //javadoc:3.1 - URL otherURL = cs.getLocation(); - if ( otherURL == null) { - return false; - } - URI otherURI; - try { - otherURI = otherURL.toURI(); - } catch (URISyntaxException ex) { - return false; - } +// URL otherURL = cs.getLocation(); +// if ( otherURL == null) { +// return false; +// } +// URI otherURI; +// try { +// otherURI = otherURL.toURI(); +// } catch (URISyntaxException ex) { +// return false; +// } //javadoc:3.2 - if (location.equals(otherURI)) { + if (grant.equals(implied)) { return true; } //javadoc:3.3 - if (!location.getSchemeSpecificPart().equals(otherURI.getSchemeSpecificPart())) { + if (!grant.getScheme().equals(implied.getScheme())) { return false; } //javadoc:3.4 - String thisHost = location.getHost(); + String thisHost = grant.getHost(); if (thisHost != null) { - String thatHost = otherURI.getHost(); + String thatHost = implied.getHost(); if (thatHost == null) { return false; } @@ -332,16 +343,17 @@ class URIGrant extends CertificateGrant } // if (this.location.getHost() != null) //javadoc:3.5 - if (location.getPort() != -1) { - if (location.getPort() != otherURI.getPort()) { + if (grant.getPort() != -1) { + if (grant.getPort() != implied.getPort()) { return false; } } //javadoc:3.6 - // for compatbility with URL.getFile, the Query is concatenated to the path. - String thisFile = location.getPath() + location.getQuery(); - String thatFile = otherURI.getPath() + otherURI.getQuery(); + // compatbility with URL.getFile + String thisFile = grant.getPath(); + String thatFile = implied.getPath(); + if (thatFile == null) return false; if (thisFile.endsWith("/-")) { //javadoc:3.6."/-" //$NON-NLS-1$ if (!thatFile.startsWith(thisFile.substring(0, thisFile 
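Review bot: `grant.getScheme().equals(implied.getScheme())` in the `@@ -213` hunk throws NullPointerException when the grant URI is relative, because `URI.getScheme()` returns null when no scheme is present, and it compares case-sensitively although URI schemes are case-insensitive. A null-safe form would be `String scheme = grant.getScheme(); if (scheme == null || !scheme.equalsIgnoreCase(implied.getScheme())) return false;`; whether a scheme-less grant should match anything is a policy decision worth a comment. The block commented out under `//javadoc:3.1` is now done by the caller and can be deleted, not kept as comments. The method starts before and continues past this hunk.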
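Review bot: In the `@@ -332` hunk only `thatFile` is checked for null, yet `grant.getPath()` also returns null for an opaque URI (one whose scheme-specific part does not begin with a slash, such as `jar:file:...`), so `thisFile.endsWith("/-")` can throw NullPointerException. Guard both values, `if (thisFile == null || thatFile == null) return false;`, or decide explicitly how opaque grant URIs are matched. Dropping the query from the comparison is a behaviour change from the previous `getPath() + getQuery()`, and the comment above these lines could say so.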
@@ -372,8 +384,8 @@ class URIGrant extends CertificateGrant //javadoc:3.7 // A URL Anchor is a URI Fragment. - if (location.getFragment() != null) { - if (!location.getFragment().equals(otherURI.getFragment())) { + if (grant.getFragment() != null) { + if (!grant.getFragment().equals(implied.getFragment())) { return false; } } Modified: river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/security/policy/util/DefaultPolicyParser.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/security/policy/util/DefaultPolicyParser.java?rev=1222962&r1=1222961&r2=1222962&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/security/policy/util/DefaultPolicyParser.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/impl/security/policy/util/DefaultPolicyParser.java Sat Dec 24 11:38:28 2011 @@ -27,6 +27,7 @@ import java.io.File; import java.io.InputStream; import java.io.InputStreamReader; import java.io.Reader; +import java.net.URI; import java.net.URL; import java.security.cert.Certificate; import java.security.cert.CertificateException; @@ -196,8 +197,8 @@ public class DefaultPolicyParser impleme * ANSWER: No we just make a CodeSourceSetGrant, that contains multiple * CodeSource. */ - URL codebase = null; - List<URL> codebases = new ArrayList<URL>(); + URI codebase = null; + List<URI> codebases = new ArrayList<URI>(8); Certificate[] signers = null; Set<Principal> principals = new HashSet<Principal>(); Set<Permission> permissions = new HashSet<Permission>(); 
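Review bot: `URI codebase = null;` in the `@@ -196` hunk appears to be dead after this commit: the later DefaultPolicyParser hunks replace every assignment to it with `codebases.add(...)` and remove the `if ( codebase != null )` branch. Unless it is read in code outside the visible hunks, delete the declaration so the method has a single source of code-base URIs. The block comment above it still refers to `CodeSourceSetGrant` and multiple CodeSource, which no longer matches the URI-based grant built further down.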
@@ -208,13 +209,13 @@ public class DefaultPolicyParser impleme Collection<String> cbstr = expandURLs(cb, system); Iterator<String> it = cbstr.iterator(); while (it.hasNext()){ - codebases.add(new URL(it.next())); + codebases.add(new URI(it.next())); } } catch (ExpansionFailedException e) { - codebase = new URL(cb); + codebases.add(new URI(cb)); } } else { - codebase = new URL(cb); + codebases.add(new URI(cb)); } } if ( ge.getSigners() != null) { @@ -252,21 +253,15 @@ public class DefaultPolicyParser impleme } } PermissionGrantBuilder pgb = PermissionGrantBuilder.newBuilder(); - if ( codebase != null ) { - pgb.codeSource(new CodeSource(codebase, signers)); - } else if (codebases.size() == 1) { - pgb.codeSource(new CodeSource(codebases.get(0), signers)); - } else if (codebases.size() > 1 ){ - pgb.multipleCodeSources(); - Iterator<URL> iter = codebases.iterator(); - while (iter.hasNext()){ - pgb.codeSource(new CodeSource(iter.next(), signers)); - } + Iterator<URI> iter = codebases.iterator(); + while (iter.hasNext()){ + pgb.uri(iter.next()); } return pgb + .certificates(signers) .principals(principals.toArray(new Principal[principals.size()])) .permissions(permissions.toArray(new Permission[permissions.size()])) - .context(PermissionGrantBuilder.CODESOURCE) + .context(PermissionGrantBuilder.URI) .build(); }
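Review bot: `new URI(...)` in the `@@ -208` hunk is stricter than the `new URL(...)` it replaces: code-base strings containing spaces, backslashes or other characters that must be escaped in a URI are rejected with URISyntaxException, where `new URL` accepted them. The surrounding try/catch and the method's throws clause are outside the hunk, so check that this checked exception is handled and that a rejected code base fails the grant entry visibly. It must never end up as a grant with no URI, because `URIGrant.implies` in this commit returns true when its location list is empty. A comment stating that policy-file code bases must be valid, escaped URIs would document the new requirement.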
