Let me dig a little deeper. Comments inline.
Peter wrote:
> Yes, the dynamic proxies are 100% local code. Remember, dynamic proxies don't
> have codebases. :)
Of course they do - look at PreferredClassProvider - the dynamic proxy
class is defined by the codebase loader!
Being a dynamic proxy does not mean there is no codebase.
> AtomicMarshalInputStream performs a special input validation on
> java.lang.reflect.Proxy, thus ensuring the InvocationHandler is also trusted.
> If the InvocationHandler doesn't pass the test, the proxy is never created.
Why does it only verify dynamic proxies? Doesn't it verify normal objects?
> The dynamic proxies put you in direct contact with the service provider using
> only local code with input validation, constrained over secure connections (as
> configured with constraints in force).
> I think I've given you enough info now to investigate further.
OK - so your "token" is the same thing as my SmartProxyWrapper. Let's
call it a "bootstrap proxy", OK?
1. What interface does this bootstrap proxy implement?
2. Why do you think it has to be a dynamic proxy (i.e. an instance of a
subclass of java.lang.Proxy)?
3. What and when are DownloadPermissions required? How do they add to
the overall security?
I understand the security of service proxies is enforced by the
constraints placed on the bootstrap proxy.
So where is the place for DownloadPermissions?
4. Finally - how is the lookup service proxy verified? Does it also
provide the bootstrap proxy?
If so - what special role does it play in the architecture?
The bootstrap proxy does not have to be provided by the lookup service,
does it?
If it is verified differently - why and how?
Thanks,
Michal
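As an added illustration of the point argued above (that a java.lang.reflect.Proxy class is defined by whatever class loader it is handed, so a dynamic proxy is tied to a codebase loader just like any other downloaded class, and that its InvocationHandler is the part that actually carries behaviour), the following is example code written for this page; it is not code from the thread, from Apache River, or from AtomicMarshalInputStream. It uses a plain child URLClassLoader with no URLs as a stand-in for a per-codebase loader; the Greeter interface and Handler class are assumed names invented for the example.

```java
import java.io.Serializable;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.net.URL;
import java.net.URLClassLoader;

public class ProxyLoaderDemo {

    // Assumed service interface for the example.
    public interface Greeter {
        String greet(String name);
    }

    // The handler is what the proxy actually does; in a marshalled proxy it is
    // serialized alongside the proxy, so trusting the proxy means trusting this.
    static class Handler implements InvocationHandler, Serializable {
        private static final long serialVersionUID = 1L;

        @Override
        public Object invoke(Object proxy, Method m, Object[] args) {
            if ("greet".equals(m.getName())) {
                return "hello " + args[0];
            }
            if ("toString".equals(m.getName())) {
                return "Greeter proxy backed by " + getClass().getName();
            }
            throw new UnsupportedOperationException(m.getName());
        }
    }

    public static void main(String[] args) throws Exception {
        ClassLoader parent = ProxyLoaderDemo.class.getClassLoader();

        // Stand-in for a codebase loader: a child loader that delegates to the
        // parent for Greeter but is a distinct defining loader of its own.
        URLClassLoader codebaseLoader = new URLClassLoader(new URL[0], parent);

        Greeter g = (Greeter) Proxy.newProxyInstance(
                codebaseLoader,
                new Class<?>[] { Greeter.class },
                new Handler());

        // The generated proxy class is defined by the loader we passed in, not
        // by the loader of the interface or of this class.
        Class<?> proxyClass = g.getClass();
        System.out.println("Proxy.isProxyClass: " + Proxy.isProxyClass(proxyClass));
        System.out.println("defined by codebaseLoader: "
                + (proxyClass.getClassLoader() == codebaseLoader));
        System.out.println("defined by parent loader: "
                + (proxyClass.getClassLoader() == parent));

        // The handler is recoverable from the proxy, which is what a receiver
        // has to inspect before deciding to trust the proxy.
        InvocationHandler h = Proxy.getInvocationHandler(g);
        System.out.println("handler class: " + h.getClass().getName());
        System.out.println(g.greet("river"));

        codebaseLoader.close();
    }
}
```

Running this prints true for "defined by codebaseLoader" and false for "defined by parent loader": the proxy bytecode is a normal class defined in the loader you supply, which is why a proxy received from a codebase loader is subject to that loader's permissions and trust decisions, and why checking the handler's class is the meaningful part of validating such a proxy.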