It seems like I am missing the high level view on the architecture of
your software.
Would it be possible for you to write one?
Peter wrote:
There's a new constraint AtomicInputValidation that jeri uses to prevent
standard serialization being used.
Reggie has been granted DownloadPermission and DeserializationPermission but
only for its own codebase.
I do not understand this.
How does the client know it is "Reggie" it is talking to?
How Reggie can grant itself permissions in the client environment???
Could you be more precise?
Reggie has also been granted necessary permissions to communicate with its
service. No perms have been granted allowing Reggie to do anything else
Reggie gives the client a dynamic proxy token (via SafeServiceRegistrar's
lookup method).
What is this "token"? Is it a Java object implementing a well known
interface? What interface is it?
If your class is a client class you can give it the power to open network
connections and do as you wish, but it's not a good idea to grant that power to
Reggie. But it's also worth remembering it's risky to deserialize into
privileged context and you're going to have to do that in this case.
I do not understand this. I the SmartProxyWrapper there are no
permissions granted to any downloaded code.
The code can be downloaded and classes defined only if the client
imposed constraints are met.
SafeServiceRegistrar will still allow you to use your wrapper class, it just
adds an additional step of allowing you to authenticate that service before you
deserialize your service wrapper, making it a little safer.
How???
By using the "token" you talk about earlier? But you have to verify the
token to be secure, don't you?
So you delegate "token" authentication to Reggie, but that requires
verification of Reggie proxy.
But how do you verify Reggie proxy?
Does Reggie also provide the "token"? If so - how is it authenticated?
If not - how do you authenticate reggie?
You have to break the chain somewhere - and the shorter the trust chain
the more secure system is.
You can grant permissions to services only to the codebase certificate signers
if you want. Using the url in the permission grant just restricts it more, but
it's not mandatory.
Fair enough.
The downside is that the permission check requires downloading the jar
file and reading it to verify the code signers.
In my proposal the check is done even before actual code downloading.
Thanks,
Michal
