Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/unittestlib/UnitTestUtilities.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/unittestlib/UnitTestUtilities.java?rev=1241772&r1=1241771&r2=1241772&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/unittestlib/UnitTestUtilities.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/unittestlib/UnitTestUtilities.java Wed Feb 8 04:34:17 2012 @@ -62,7 +62,7 @@ public class UnitTestUtilities { Integer.getInteger("lastTest", Integer.MAX_VALUE).intValue(); /** The number of the current test */ - public static int testNumber = 0; + public static volatile int testNumber = 0; /** If true, stop after first failure. */ public static final boolean stopOnFail = Boolean.getBoolean("stopOnFail"); @@ -74,8 +74,8 @@ public class UnitTestUtilities { /** Holds test results */ private static class TestResults { - int pass; - int fail; + volatile int pass; + volatile int fail; } /** Used to signal that lastTest has been done. */
Added: river/jtsk/skunk/peterConcurrentPolicy/qa/svn-commit.tmp URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/svn-commit.tmp?rev=1241772&view=auto ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/qa/svn-commit.tmp (added) +++ river/jtsk/skunk/peterConcurrentPolicy/qa/svn-commit.tmp Wed Feb 8 04:34:17 2012 @@ -0,0 +1,5 @@ +Delete conflicting directory + +--This line, and those below, will be ignored-- + +D https://svn.apache.org/repos/asf/river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/certs/keystores.old Modified: river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/action/GetPropertyAction.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/action/GetPropertyAction.java?rev=1241772&r1=1241771&r2=1241772&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/action/GetPropertyAction.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/src/com/sun/jini/action/GetPropertyAction.java Wed Feb 8 04:34:17 2012 @@ -55,7 +55,7 @@ import net.jini.security.Security; * @see Security * @since 2.0 **/ -public class GetPropertyAction implements PrivilegedAction { +public class GetPropertyAction implements PrivilegedAction<String> { private static final Logger logger = Logger.getLogger("com.sun.jini.action.GetPropertyAction"); @@ -98,7 +98,7 @@ public class GetPropertyAction implement * @return the string value of the system property or the default * value, or <code>null</code> **/ - public Object run() { + public String run() { try { String value = System.getProperty(theProp); if (value != null) { Modified: river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/BasicObjectEndpoint.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/BasicObjectEndpoint.java?rev=1241772&r1=1241771&r2=1241772&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/BasicObjectEndpoint.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/BasicObjectEndpoint.java Wed Feb 8 04:34:17 2012 @@ -415,8 +415,16 @@ public final class BasicObjectEndpoint case 0x00: // REMIND: close the response input stream? - call.getResponseInputStream().close(); + Exception ex = null; + try { + call.getResponseInputStream().close(); + } catch (IOException e){ + ex = e; + } // REMIND: Do we want to read a server-supplied reason string? + if (ex != null){ + return new NoSuchObjectException("no such object in table, input stream close threw IOException: " + ex); + } return new NoSuchObjectException("no such object in table"); case 0x01: @@ -424,8 +432,17 @@ public final class BasicObjectEndpoint default: // REMIND: close the response input stream? - call.getResponseInputStream().close(); + Exception exc = null; + try { + call.getResponseInputStream().close(); + } catch (IOException e){ + exc = e; + } // REMIND: Do we really want this failure mode here? + if (exc != null){ + return new UnmarshalException("unexpected invocation status: " + + Integer.toHexString(status), exc); + } return new UnmarshalException("unexpected invocation status: " + Integer.toHexString(status)); } Modified: river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/ssl/AuthManager.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/ssl/AuthManager.java?rev=1241772&r1=1241771&r2=1241772&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/ssl/AuthManager.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/ssl/AuthManager.java Wed Feb 8 04:34:17 2012 @@ -26,10 +26,12 @@ import java.security.NoSuchAlgorithmExce import java.security.Principal; import java.security.PrivateKey; import java.security.cert.CertPath; +import java.security.cert.Certificate; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Collection; +import java.util.Date; import java.util.HashSet; import java.util.List; import java.util.Set; @@ -324,7 +326,7 @@ abstract class AuthManager extends Filte */ static long certificatesValidUntil(CertPath chain) { long result = Long.MAX_VALUE; - List certs = chain.getCertificates(); + List<? extends Certificate> certs = chain.getCertificates(); for (int i = certs.size(); --i >= 0; ) { X509Certificate cert = (X509Certificate) certs.get(i); long until = cert.getNotAfter().getTime(); Modified: river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/ssl/ServerAuthManager.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/ssl/ServerAuthManager.java?rev=1241772&r1=1241771&r2=1241772&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/ssl/ServerAuthManager.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/ssl/ServerAuthManager.java Wed Feb 8 04:34:17 2012 @@ -69,13 +69,13 @@ class ServerAuthManager extends AuthMana private final Map credentialCache = new HashMap(2); /** The SSL session for the last successful call to checkCredentials. */ - private Reference sessionCache = new SoftReference(null); + private volatile Reference<SSLSession> sessionCache = new SoftReference<SSLSession>(null); /** * The time when the credentials for the session in the session cache * become invalid. */ - private long credentialsValidUntil = 0; + private volatile long credentialsValidUntil = 0; /* -- Constructors -- */ @@ -166,7 +166,7 @@ class ServerAuthManager extends AuthMana } else { credentialsValidUntil = checkCredentials( cred, clientSubject, "accept"); - sessionCache = new SoftReference(session); + sessionCache = new SoftReference<SSLSession>(session); } } } @@ -347,7 +347,7 @@ class ServerAuthManager extends AuthMana if (val instanceof X500PrivateCredential) { cred = (X500PrivateCredential) val; try { - checkCredentials(cred, null, "listen"); + checkCredentials(cred, null, "listen"); } catch (SecurityException e) { if (logger.isLoggable(Levels.HANDLED)) { logThrow(logger, Levels.HANDLED, Modified: river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/ssl/SslConnection.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/ssl/SslConnection.java?rev=1241772&r1=1241771&r2=1241772&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/ssl/SslConnection.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/ssl/SslConnection.java Wed Feb 8 04:34:17 2012 @@ -64,7 +64,7 @@ class SslConnection extends Utilities im * the client to negotiate a new session before the server timeout, which * defaults to 24 hours. */ - private static long maxClientSessionDuration = + private final long maxClientSessionDuration = ((Long) Security.doPrivileged( new GetLongAction("com.sun.jini.jeri.ssl.maxClientSessionDuration", (long) (23.5 * 60 * 60 * 1000)))).longValue(); @@ -100,16 +100,16 @@ class SslConnection extends Utilities im private final ClientAuthManager authManager; /** The socket */ - SSLSocket sslSocket; + volatile SSLSocket sslSocket; /** The currently active cipher suite */ - private String activeCipherSuite; + volatile private String activeCipherSuite; /** The current session */ - private SSLSession session; + volatile private SSLSession session; /** True if the connection has been closed. */ - boolean closed; + volatile boolean closed; /* -- Methods -- */ Modified: river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/ssl/SslServerEndpointImpl.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/ssl/SslServerEndpointImpl.java?rev=1241772&r1=1241771&r2=1241772&view=diff ============================================================================== --- river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/ssl/SslServerEndpointImpl.java (original) +++ river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/jeri/ssl/SslServerEndpointImpl.java Wed Feb 8 04:34:17 2012 @@ -101,10 +101,10 @@ class SslServerEndpointImpl extends Util * to facilitate testing. Use 24 hours to allow the client, which uses * 23.5 hours, to renegotiate a new session before the server timeout. */ - static long maxServerSessionDuration = + private final long maxServerSessionDuration = ((Long) Security.doPrivileged( new GetLongAction("com.sun.jini.jeri.ssl.maxServerSessionDuration", - 24 * 60 * 60 * 1000))).longValue(); + 24L * 60L * 60L * 1000L))).longValue(); /** * Executes a Runnable in a system thread -- used for listener accept @@ -118,10 +118,10 @@ class SslServerEndpointImpl extends Util new BasicServerConnManager(); /** The associated server endpoint. */ - final ServerEndpoint serverEndpoint; + private final ServerEndpoint serverEndpoint; /** The server subject, or null if the server is anonymous. */ - final Subject serverSubject; + private final Subject serverSubject; /** * The principals to use for authentication, or null if the server is @@ -146,21 +146,21 @@ class SslServerEndpointImpl extends Util /** * The permissions needed to authenticate when listening on this endpoint, - * or null if the server is anonymous. + * or null if the server is anonymous. Effectively immutable array. */ - Permission[] listenPermissions; + private final Permission[] listenPermissions; /** The listen endpoint. */ private final ListenEndpoint listenEndpoint; /** The factory for creating JSSE sockets -- set by sslInit */ - private SSLSocketFactory sslSocketFactory; + private SSLSocketFactory sslSocketFactory; // Synchronized on this /** * The authentication manager for the SSLContext for this endpoint -- set * by sslInit. */ - private ServerAuthManager authManager; + private ServerAuthManager authManager; // Synchronized on this /** The server connection manager. */ ServerConnManager serverConnectionManager = defaultServerConnectionManager; @@ -191,9 +191,10 @@ class SslServerEndpointImpl extends Util ? computePrincipals(serverSubject) : checkPrincipals(serverPrincipals); /* Set listenPermissions before calling hasListenPermissions */ + Permission [] listenPermissions; if (this.serverPrincipals == null) { listenPermissions = null; - } else { + } else { listenPermissions = new AuthenticationPermission[this.serverPrincipals.size()]; int i = 0; @@ -213,10 +214,11 @@ class SslServerEndpointImpl extends Util !hasListenPermissions())) { this.serverSubject = null; - this.listenPermissions = null; + listenPermissions = null; } else { - this.serverSubject = serverSubject; + this.serverSubject = serverSubject; } + this.listenPermissions = listenPermissions; this.serverHost = serverHost; if (port < 0 || port > 0xFFFF) { throw new IllegalArgumentException("Invalid port: " + port); @@ -673,15 +675,18 @@ class SslServerEndpointImpl extends Util checkListenPermissions(false); Set principals = serverSubject.getPrincipals(); /* Keep track of progress; remove entry when check is done */ - Map progress = new HashMap(serverPrincipals.size()); - for (Iterator i = serverPrincipals.iterator(); i.hasNext(); ) { - X500Principal p = (X500Principal) i.next(); - if (!principals.contains(p)) { - throw new UnsupportedConstraintException( - "Missing principal: " + p); - } - progress.put(p, X500Principal.class); - } + boolean nullServerPrincipals = serverPrincipals == null; + Map progress = new HashMap(nullServerPrincipals ? 0 : serverPrincipals.size()); + if (!nullServerPrincipals){ + for (Iterator i = serverPrincipals.iterator(); i.hasNext(); ) { + X500Principal p = (X500Principal) i.next(); + if (!principals.contains(p)) { + throw new UnsupportedConstraintException( + "Missing principal: " + p); + } + progress.put(p, X500Principal.class); + } + } X500PrivateCredential[] privateCredentials = (X500PrivateCredential[]) AccessController.doPrivileged( new SubjectCredentials.GetAllPrivateCredentialsAction( @@ -1075,31 +1080,31 @@ class SslServerEndpointImpl extends Util * yet. Check that the current session matches to prevent new * handshakes. */ - private SSLSession session; + private final SSLSession session; /** * The client subject -- depends on session being set. This instance * is read-only. */ - private Subject clientSubject; + private final Subject clientSubject; /** The client principal -- depends on session being set. */ - private X500Principal clientPrincipal; + private final X500Principal clientPrincipal; /** The server principal -- depends on session being set. */ - private X500Principal serverPrincipal; + private final X500Principal serverPrincipal; /** * The authentication permission required for this connection, or null * if the server is anonymous -- depends on session being set. */ - private AuthenticationPermission authPermission; + private final AuthenticationPermission authPermission; /** The cipher suite -- depends on session being set. */ - private String cipherSuite; - + private final String cipherSuite; + /** True if the connection has been closed. */ - boolean closed; + volatile boolean closed; /** Creates a server connection */ SslServerConnection(SslListenHandle listenHandle, Socket socket) @@ -1115,7 +1120,34 @@ class SslServerEndpointImpl extends Util /* Need to put in server mode before requesting client auth. */ sslSocket.setUseClientMode(false); sslSocket.setWantClientAuth(true); - + try { + session = sslSocket.getSession(); + sslSocket.setEnableSessionCreation(false); + cipherSuite = session.getCipherSuite(); + if ("NULL".equals(getKeyExchangeAlgorithm(cipherSuite))) { + throw new SecurityException("Handshake failed"); + } + clientSubject = getClientSubject(sslSocket); + clientPrincipal = clientSubject != null + ? ((X500Principal) + clientSubject.getPrincipals().iterator().next()) + : null; + X509Certificate serverCert = + getAuthManager().getServerCertificate(session); + serverPrincipal = serverCert != null + ? serverCert.getSubjectX500Principal() : null; + if (serverPrincipal != null) { + authPermission = new AuthenticationPermission( + Collections.singleton(serverPrincipal), + (clientPrincipal != null + ? Collections.singleton(clientPrincipal) : null), + "accept"); + } else { + authPermission = null; + } + } catch (SecurityException e){ + throw new IOException("Unable to create session", e); + } logger.log(Level.FINE, "created {0}", this); } @@ -1205,43 +1237,21 @@ class SslServerEndpointImpl extends Util * fields if needed. */ private void decacheSession() { - synchronized (this) { - SSLSession socketSession = sslSocket.getSession(); - if (session == socketSession) { - return; - } else if (session != null) { - /* - * We disable session creation as soon as we notice the - * first session, but it is possible that a second - * handshake could have started by then, so check that we - * have the same session. -tjb[31.Jan.2003] - */ - throw new SecurityException( - "New handshake occurred on socket"); - } - session = socketSession; - sslSocket.setEnableSessionCreation(false); - cipherSuite = session.getCipherSuite(); - if ("NULL".equals(getKeyExchangeAlgorithm(cipherSuite))) { - throw new SecurityException("Handshake failed"); - } - clientSubject = getClientSubject(sslSocket); - clientPrincipal = clientSubject != null - ? ((X500Principal) - clientSubject.getPrincipals().iterator().next()) - : null; - X509Certificate serverCert = - getAuthManager().getServerCertificate(session); - serverPrincipal = serverCert != null - ? serverCert.getSubjectX500Principal() : null; - if (serverPrincipal != null) { - authPermission = new AuthenticationPermission( - Collections.singleton(serverPrincipal), - (clientPrincipal != null - ? Collections.singleton(clientPrincipal) : null), - "accept"); - } - } + SSLSession socketSession = sslSocket.getSession(); + if (session == socketSession) { + return; + } else if ( !session.isValid()){ + throw new SecurityException("Session invalid"); + } else { + /* + * We disable session creation as soon as we notice the + * first session, but it is possible that a second + * handshake could have started by then, so check that we + * have the same session. -tjb[31.Jan.2003] + */ + throw new SecurityException( + "New handshake occurred on socket"); + } } /**
