https://dzone.com/articles/whats-new-in-owasp-apis-and-mitigation
Sent from my Samsung device.
We should add Blazegraph and Sorcer to our success stories and remove dead
links, we can still mention older stories, but I think we need to focus on more
recent stories.
Anyone know of other success stories not listed?
Does anyone work for a company that utilises River who can tell us their
The only changes made are to POM file dependencies, no changes to Rio code.
A compatibility layer has been used for the com.sun.jini namespace.
I'm not entirely sure whether the test failures are a result of a poor
network connection (mobile network), perhaps those more familiar with
Rio will
Anyone got some cycles to help out with the River 3.0.1 release?
There are some existing jira issues with patches or easy fixes we can include
too.
I've also got a Jini compatibility library to assist people who want to migrate
from pre 3.x versions that depend on common classes in the com.sun.
Proposed Release roadmap:
River 3.0.1 - thread leak fix
River 3.1 - Modular build restructure (& binary release)
River 3.2 - Input validation 4 Serialization, delayed unmarshalling & safe
ServiceRegistrar lookup service.
River 3.3 - OSGi support
Changes in the modular build and delayed
Mike, I recall the last time I looked at object based annotations, there was a
backward compatibility issue because both ends of the Marshal streams expect
string based annotations as does RMIClassLoader.
However if you are still keen to investigate object based annotations there's
no reason
Any OSGi veterans willing to assist with JGDMS support for OSGi during the
modular restructure?
I've added OSGi manifests to modules, but I also need to add classpath manifest
entries for non-OSGi application compatibility, I'm using the bnd-maven-plugin
to generate the OSGi manifests.
I also
Reference:
https://github.com/pfirmstone/river-internet/blob/trunk/src/net/jini/io/MarshalledInstance.java
The River PMC is discouraging the use of JRMP RMI protocols, since the removal
of support for JRMP in River 2.2.3. MarshalledObject utilises JRMP, so
discouraging (deprecating) its use
Forked from River trunk just before 3.0 release.
* Security focused:
  o Supports updated modern ciphers, support for vulnerable
    ciphers removed.
  o Reimplementation of serialization, includes input validation
    and defensive programming.
  o
So far building Rio against the River maven build, there are 3 test
failures.
I've added a compatibility layer to River of com.sun.jini classes that
extend their org.apache.river counterparts to provide a backward
compatible subset of the deprecated com.sun.jini namespace (only the parts
of the
A discussion recently ignited on river private about revamping the project.
For the benefit of the wider developer community can we restate the suggestions
here, feel free to reword, correct, reject or suggest. It was along the lines
of:
* Website revamp
* Remove Jini focus, with a historical
I've finally got ServiceDiscoveryManager to a stage where I feel like it's been
completely brought up to date.
Originally SDM's LookupCache had some latent race conditions that became
evident after I created a non blocking DynamicPolicyProvider.
I spent some time refactoring it, I separated
Thank you Zsolt, for your offer of help and support. You're right about our
need to evangelise, maybe an article on Dzone would be a good start? Updating
our website, awesome, I can apply your patches :).
Once it's possible to do so securely, I'll be making a public service registrar
Anyone interested in Exporters for other RPC Frameworks?
If so which and why?
Pete.
Getting another set of release artifacts 4 River3 ready and have run all tests
again, need to generate pgp signatures on weekend.
Decided not to use X500 release cert to sign jar files this release to prevent
holding up progress, since I haven't worked out how others can verify release
https://blogs.oracle.com/hinkmond/entry/easy_iot_sensor_on_boarding
Must have missed this earlier.
Option 1. I propose that we take security seriously, no security patches are
to be rejected prior to review, that we review and analyse them properly based
on merit. That discussions about security issues be taken seriously.
Option 2. Alternatively I resign my River committer status
Please
ServiceProxyAccessor is an interface in the start package, a similar interface
called ProxyAccessor exists in the net.jini.export package.
The difference between these two interfaces is the former returns a smart
proxy, which may not be a Remote object, while the latter returns the Remote
proxy
There's new api in org.apache.river.api.lookup and org.apache.river.api.util
I'd like to remove before releasing.
This relates to
StreamServiceRegistrar, it doesn't have any implementation yet, also only
net.jini.* is agreed upon as api.
I think the additional lookup method would be better if
Committers who have contributed to River, please append your pgp public key to
the KEYS file in the trunk directory in preparation for release.
Thank you,
Peter.
http://www.hindawi.com/journals/ijdsn/2015/205793/
Regards,
Peter
That's good news, well done!
On 18/02/2015 3:32 AM, amit batajoo wrote:
Hello Peter,
Thank you for your support and suggestion, finally I successfully run
the apache-river and hello world program example on my linux
environment with java version 1.8.0.
Here are the screenshot of my success
Continuing on ...
Lets say for example, we have a secure OS and we provide a service on a
public port and we have a determined attacker attempting to use
deserialization to take over our system or bring it to its knees with
denial of service.
We know this is relatively easy with standard
Hi Bishnu,
I have previously tested River 2.2.0 on ARM, but experienced a number of
test failures.
You mentioned the host name isn't defined in your DNS server, if you
configure host names with IP addresses in your /etc/hostname files it
still doesn't work with hostnames?
I spent a
Some standard java se components are missing from compact 2:
Compiling 905 source files to
C:\Users\peter\Documents\NetBeansProjects\peterConcurrentPolicy\build\classes
javac 1.8.0
On 14/02/2015 6:19 PM, Mike wrote:
Happy to hear that No ;) That said, I have been, and would like to
continue, hacking on the core. I'll talk about some of my reasons in a
different thread than this one though.
I'd be interested to hear what you have in mind.
This build works on Java 8,
Still just pondering the possibilities.
Compact 2 profile doesn't include swing, awt, kerberos, IIOP or Corba.
But it is interesting to consider how we might support it, such as by
providing a platform.jar that does.
On 14/02/2015 3:08 PM, Patricia Shanahan wrote:
We do need to understand
limits work? For example, consider:
int[][][] myArray = new int[1000][1000][1000];
Or the equivalent initialization done in loops in a constructor?
Patricia
On 2/11/2015 3:57 AM, Peter Firmstone wrote:
...
It appears that fixing ObjectInputStream and Serializable security
issues was much easier than
Our present security model relies on the safety of the java sandbox, but
we know that model is flawed.
If DownloadPermission is not granted, we cannot lookup a service that
uses a smart proxy and ask it for the bootstrap proxy. We could
however, lookup a bootstrap proxy, authenticate it,
Hi Amit,
At line 24:
# Shell script to run Reggie
set -x
java -Djava.security.policy=config/start.policy\
-Djava.ext.dirs=../../lib-ext/\
-jar ../../lib/start.jar\
config/start-reggie.config
Make the following changes :
# Shell script to run Reggie
set -x
java
The qa-refactor build fully supports Windows file paths, so Windows
users won't need Cygwin when it's eventually released.
I was thinking it might help the experience for new users if we can move
all examples into their own build and distribution, so that users aren't
distracted by the main
to implement, and much easier to evolve than
default serialization, some users may wish to use it anyway (it's also
final field friendly), but it is definitely intended to be optional.
Regards,
Peter.
On 8/02/2015 6:11 PM, Peter Firmstone wrote:
Thanks Dan, hopefully I don't disappoint.
... So continuing on, another benefit of secure Serialization, if you're
a lookup service, you don't need to authenticate your clients, you can
deal with anyone and you're not subject to DoS attacks, other than more
conventional attacks unrelated to
There's a free certificate authority coming this year, I think privacy
and security are hot topics these days: https://letsencrypt.org/
Just a quick note about something I'm currently exploring.
The good thing about River is it allows you to be mostly ignorant of
security when developing
Thanks Gregg,
That looks like the problem.
Cheers,
Peter.
On 27/10/2014 12:37 PM, Gregg Wonderly wrote:
Most Likely, you used the default settings on netbeans editor configuration
which I believe is to replace all tabs with spaces. A sad default…
Gregg Wonderly
On Oct 26, 2014, at
FYI.
Regards,
Peter.
Original Message
Subject: Jenkins build is back to normal :
river-ServiceDiscoveryManagerTests #142
Date: Mon, 27 Oct 2014 11:44:55 +0000 (UTC)
From: Apache Jenkins Server jenk...@builds.apache.org
To: j...@zeus.net.au
Have you checked out and built qa_refactor recently?
Did you know, apart from JMM compliance and fixes for finalizer attacks
and race conditions:
1. All hot spots are native methods.
2. The performance cost of security is 0%
3. Tests pass on these architectures; arm, sparc, x64
4.
Hi Amit,
The class not found belongs to Reggie's proxy. Basically the proxy
codebase is either not being downloaded from your http codebase server,
or your local client isn't allowing it to be downloaded.
One recent change to Java was to change a property to prevent codebase
downloads.
All concurrency bugs identified (with testing, static analysis or
review) that matter have been fixed, meaning I have no plans to fix
ClassDep or build bugs, since the build will be updated to a modular
build at some point.
It's probably safe to move to a beta or preview release now, however
I've just noticed that in my last svn commit, called using NetBeans on
Windows, entire files were replaced, even when only very minor changes
were made (one line), I'm not sure if this is something to do with
Windows txt files or a setting somewhere.
This has occurred on at least one other
I've finally solved the random test failures in ServiceDiscoveryManager,
this has taken considerable time, I'll be performing some more test runs
before committing.
Regards,
Peter.
On 28/08/2014 9:29 PM, Apache Jenkins Server wrote:
Hi Patricia,
It's in the main build directory under rc-libs, it's also available on
sourceforge, a project called custard apple.
In case you're wondering, it's a library that wraps the ability to cache
using timed, weak or soft references with any java collection
implementation.
Peter.
Thanks Gavin.
On 13/07/2014 6:02 PM, Gavin McDonald wrote:
Good Day Devs,
Our Jenkins Instance has some slaves being replaced.
Specifically those labelled 'ubuntu[1,2,4,5,6]' are being replaced with
slaves already online called 'ubuntu-[1,2,4,5,6]' (notice the dash -).
You are getting this
Any ideas for Serializable 2.0?
Peter.
Original Message
Subject:Re: JEP 187 Serializable 2.0
Date: Sat, 12 Jul 2014 08:52:33 -0400
From: Brian Goetz brian.go...@oracle.com
To: Peter Firmstone peter.firmst...@zeus.net.au
Where should I post the writeup
 * -marshaled, a {@link java.rmi.MarshalledObject} must first be
 * converted to {@link net.jini.io.MarshalledInstance} before un-marshaling.
 * <p>
 * @author Peter Firmstone.
 * @since 3.0.0
 */
public interface Portable {
    /**
     * Prepare for transport in a PortableObjectOutputStream
Hi Patricia,
Don't forget to define a build.properties file:
# To change this template, choose Tools | Templates
# and open the template in the editor
java.home=C:/PROGRA~1/Java/jdk1.8.0
debug=true
#profile=compact3
#target=8
#java.util.logging.config.file=
#run.categories=renewalmanager
How about Portable?
On 1/07/2014 12:55 AM, Gregg Wonderly wrote:
So, maybe transportable or transported or forwarded…
Gregg
On Jun 29, 2014, at 4:41 AM, Peter Firmstone j...@zeus.net.au wrote:
Hi Gregg,
Thinking out loud:
Transferable, I think it's close, it works for
Hi Gregg,
Thinking out loud:
Transferable, I think it's close, it works for
TransferableObjectFactory, it's created on demand to transfer a non
serializable object via a serialization stream and it transfers a
factory from one jvm to another, in order to recreate the original object
in
Presently, LookupLocator's method getRegistrar, discovers a lookup
service, using Discovery V1 only.
ConstrainableLookupLocator overrides the getRegistrar method and can
perform Discovery V1 or V2.
As a first step, in ensuring maximum compatibility, I'd like to propose
changing
, Peter
David Holmes
-Original Message-
From: concurrency-interest-boun...@cs.oswego.edu
[mailto:concurrency-interest-boun...@cs.oswego.edu] On Behalf Of
Peter Firmstone
Sent: Tuesday, 24 June 2014 8:25 PM
To: concurrency-inter...@cs.oswego.edu
Distributed objects use SerialReflectionFactory to recreate themselves
remotely using one of their public constructors, a static factory method
or builder object, however one thing about SerialReflectionFactory
bothers me.
SerialReflectionFactory is named after its implementation, that is, it
Due to the number of test results being emailed to the list, I've now
diverted them to my own email address, any interesting failures will be
relayed to dev@river.apache.org manually from now on.
Regards,
Peter.
In a word, no because the classes use standard java bytecode and methods.
Standard serializable lambdas are brittle, any change in the
encapsulating class can cause breakage during deserialization.
What I'm looking at doing for lambdas that don't refer to their
enclosing classes object
Take one very simple class, compile it and process it with ASMifier and
guess what?
Classes that implement functional interfaces are compiled to contain
synthetic bridge methods that check Generic type casts!
In other news I'm still waiting for a Jenkins run to complete without
someone
On 25/05/2014 11:07 AM, Greg Trasuk wrote:
On May 24, 2014, at 8:42 PM, Peter Firmstone j...@zeus.net.au wrote:
On 23/05/2014 9:53 PM, Simon IJskes - QCG wrote:
Yes, if possible we could sync up the trunk, by visual diffing trunk and
qa_refactor, merging patches into trunk, committing to
[java] -
[java] STARTING TO RUN THE TESTS
[java]
[java]
On 22/05/2014 9:10 PM, Peter Firmstone wrote:
Jini has a small but loyal user base in financial services.
Looks like River is building on J9, real time java and IIOP seems to be
working too.
I'm not expecting many tests to pass
, it would
definitely helpful. Jenkins seems more suited to short test runs.
Regards,
Peter.
On 22/05/2014 9:24 PM, Peter Firmstone wrote:
[java] -
[java] GENERAL HARNESS CONFIGURATION INFORMATION:
[java]
[java] Date started
I've seen this test fail on Java 8 on Windows 32 bit and Java 7 on Linux
(Jenkins).
This test relates to ServiceDiscoveryManager.
The test doesn't fail consistently.
Running com/sun/jini/test/impl/servicediscovery/event/ReRegisterBadEquals.td
Time is Wed Feb 26 14:39:57 UTC 2014
Starting test
Thanks Bishnu,
Can you provide a patch? I'll submit it to svn.
Our website could use some jazzing up too if you've got some cycles to
spare?
http://svn.apache.org/viewvc/river/site
Peter.
On 20/05/2014 9:37 PM, Bishnu Gautam wrote:
Hi All
I think there are still some old Jini fans who
Actually... I read the article and I'm interested in your upcoming River
tutorial ;)
On 21/05/2014 7:38 PM, Bishnu Gautam wrote:
Hi Peter
The Jini installer seems to be using an older version of the LAX installer, 7.0. It
seems too old and I do not have a patch for this installer. However, I have all
Presently we are prevented from compiling and running on J9, JRockit or
other Java VMs.
I've been able to modify Phoenix to use reflection at runtime to call
Sun private implementations, meaning that Phoenix is strictly a Sun JVM
only component, but would no longer prevent compiling and
Come on people, we need at least three votes to nominate a new Chair.
Let's give this project one last shot.
Tom I have already voted in favour.
Peter.
Perhaps we should postpone the rename for now.
On 14/05/2014 4:55 PM, Dawid Loubser wrote:
I agree strongly with Bryan here. I do like Rafał's suggested approach
of creating a namespace-compatibility module if the package names will
change (which, agreed, is probably long overdue).
Making it as
Actually an alternative could be to use future send for all transfers,
except for eof, which can be safely used for async send since the byte
buffer doesn't change after eof.
On 14/05/2014 7:55 PM, Peter Firmstone wrote:
There are two methods of transfer, one, future send, where the
original
Hmm, it already does that, I wonder if this is safe for direct ByteBuffers?
Visibility is one issue, the second is mutual exclusion. I think mutual
exclusion is ok, not sure about visibility.
On 14/05/2014 8:01 PM, Peter Firmstone wrote:
Actually an alternative could be to use future send
One of the things I like about JERI is it's multiplexing and multithreaded.
What I don't like about JERI is, it passes ByteBuffers between calling
threads and pool threads.
Who can guess what's wrong with that?
Peter.
On 13/05/2014 9:59 AM, Dennis Reedy wrote:
Apologies for not chiming in earlier, I've been running around with my hair
on fire for the past couple of weeks. As to whether River is dead, I don't
think it is, maybe mostly dead (in which case a visit to Miracle Max may be
in order). I think River is
Thought you may find these results interesting, just killed some more
latent concurrency bugs in JERI.
* Mahalo stress tests are now running with 0% contention at close to
raw socket speed.
* ClassLoading is thread confined for each classloader to avoid
contention.
* All
I found this an interesting article about using ASM to wrap lambda
methods for Java 7:
http://mkto-o0074.com/846PMW834HX00h0J900
My thoughts are that it's possible to parse lambda expressions,
serialize them and capture any arguments, verify the lambda expression
during unmarshalling
I think I've been heading slowly in that general direction; I'm still
fixing bugs. Because there are ongoing concerns regarding the number of
internal changes to modernise the code (public api compatible), there's
no plan to make this a public release, but instead allow the community
to
I think it would be interesting to have a discussion about any
shortcomings in the api and how things might be done differently with
modern knowledge, to determine whether we need to redesign the api and
if the extent required a full rewrite or just a backward compatibility break.
So far I've
Every now and again the build will fail with
java.lang.NoClassDefFoundError some.arbitrary.class and that class will
be the same class for all tests, even though the classes are present in
jar files.
This seems to happen on Jenkins and it appears to occur regardless of
which build version is
On 10/04/2014 10:42 PM, Rafał Krupiński wrote:
On 2014-04-10, Thu at 22:15 +1000, Peter Firmstone wrote:
It's not so much that ant is the problem, more so that classdep needs to
be maintained for new java features to correctly determine
dependencies. But then it cannot determine Class.forName dependencies...
Tim Blackmann I contributed the ClassDep Java 5 language support code
based on ASM.
Rafał,
If you're considering a new GitHub project, I'd recommend using the
qa_refactor branch, it contains a significant number of bug fixes.
ClassLoader and URI string handling perform very well also.
Regards,
Peter.
On 10/04/2014 7:17 PM, Rafał Krupiński wrote:
On 2014-04-09, Wed at
Michał,
Just thought I'd mention that objects implementing Distributed don't need
to implement Serializable.
Cheers,
Peter.
On 18/03/2014 11:18 PM, Michał Kłeczek wrote:
Thanks Peter,
There is no need to rush with it yet.
I need to run it locally first :-)
But it would be good to have
I've noticed via experimentation with the test suite that
ServiceDiscoveryManager doesn't detect attribute changes to a service if
it uses Entries with final fields. I'm not sure of the root cause, but
it could have something to do with Reggie's implementation of the Entry
spec.
Thoughts?
To enable remote clients to invoke processing at the server with lambda
expression invocation on remote objects, without code downloads.
Presently the enclosing class is serialized along with the lambda,
because it contains the recipe generated by the static compiler. I'm
investigating if
The present serialized form of lambdas doesn't access captured fields
until after deserialization, making them dependent on the enclosing
class's serial form, its deserialized object state and requiring the
enclosing class to be Serializable.
This appears to be a fundamental mistake in the
be serialized, without requiring the enclosing class, so
the lambda recipe can be used to create an object independent of its
original enclosing class during deserialization.
Will keep you posted.
Any thoughts appreciated.
Regards,
Peter.
On 9/03/2014 11:41 AM, Peter Firmstone wrote:
The present
It was River-362.
You're assuming the Java sandbox is secure, history tells us otherwise.
Your Module provider is quite interesting however and it could still
serve a purpose for River, but it's outside the scope of River-362.
The proposed solution is to restrict deserialization to a list
I'm currently getting a number of test failures where a port passed in
by configuration is already in use. If the port specified is 0, then an
arbitrary port is selected if 4160 is not available.
However Reggie throws an exception during construction if a configured
port is in use.
I'd
Haven't had time to participate in the latest conversation.
1. Would like to see River adopt Rio's conventions at the very least
as part of the new standard, also like to see Maven provisioning.
2. Dennis, if you're interested, I'd be prepared to be one of your
developers for RIO,
You could adopt the directory conventions api, impl and proxy, instead
of lib and lib-dl? That way you could make sure the api is loaded into
the application class loader, while the implementation can be loaded
into a child ClassLoader for maximum cooperation (in case the service
No, I fixed the build system last time to support Java 5 language
features, I don't have the time or inclination to fix it again.
ClassDep needs to be able to find dependencies by analysing byte code.
So to support finding dependencies for Java 8 language features, someone
will need to add
+1 Peter.
On 13/02/2014 2:09 AM, Simon IJskes - QCG wrote:
On 12-02-14 17:00, Greg Trasuk wrote:
OK, fair enough. I’ll close this issue and open another one that
just makes sure the jars aren’t in the source distribution (that _is_
an Apache requirement) without adding Ivy.
+1
In
Original Message
Subject:Re: P2P Internet Services - no code downloads, lambda's
Date: Wed, 05 Feb 2014 22:44:54 +1000
From: Peter Firmstone j...@zeus.net.au
To: Greg Trasuk tras...@stratuscom.com
I agree regarding SOAP and River needing to be easier
Results:
+1 Peter Firmstone (PMC)
+1 Bishnu Prasad Gautam
+1 Luis Matta
Abstain:
Greg Trasuk
I would have liked to see more participation from PMC members, since
this is a vote on a procedural matter and as there have been no
objections after 72 hours, under Apache voting rules it passes.
Notes:
ServiceDiscoveryManager
NotifyEventTask
If the task list contains any RegisterListenerTasks
or LookupTasks associated with this task's lookup service
(ProxyReg), and if those tasks were queued prior to this
task (have lower sequence numbers), then run those tasks
before
Rather than discuss specific instances where I've made changes to ensure
an object reference doesn't escape during construction, I figure it
would be more constructive to discuss final fields themselves.
Some of the arguments against using Startable were based on timing when
references to
Vote results in chronological order, after 72 hours:
+1 Peter Firmstone
+1 Simon IJskes
+0 Greg Trasuk
According to our rules that's one vote short for inclusion into the Jini
Specification.
On this occasion there was interest in developing a more comprehensive
standard for starting services
,
Peter Firmstone.
, by consulting
experts in each field relating to a bug?
Do you support theory based development?
+1 Peter Firmstone.
With TaskManager.Task.runAfter, throughput wasn't significant enough for
this race to occur.
If I make the ExecutorService single threaded, the error doesn't occur
as the tasks are executed in correct dependency order, however, when the
ExecutorService has a lot of threads ready, the tasks
Two emails are worth reflecting on, as is River-344, this relates to
replacing TaskManager with ExecutorService.
http://mail-archives.apache.org/mod_mbox/river-dev/201107.mbox/%3cbb4ad312-53c1-4ce6-9bff-01e5cc344...@sorcersoft.org%3e