Wade Chandler wrote:
From: Gregg Wonderly
Well one issue with netbeans is the fact that it doesn't have a real
SecurityManager implementation. It's not pluggable either. That means that if
I put together a Jini module for netbeans, and it has discovery and code
download in it, I am opening the users to viral services. That door has to be
closed. I brought it up more than a year ago. I haven't had any chance to work
on this issue with the dev team, other than some discussion that melted away.
Hmm. I'm missing your point here.
If you create a Jini module that runs inside of the IDE, and that module does
service discovery, to allow you to select from a list of visible services, which
service you want to interact with, it must instantiate every service object
discovered (MarshalledObject.get()) before it will present any of the results of
the service discovery.
If you look at the API for ServiceRegistrar.lookup() (there are two instances),
you can see that either you get a live Object that is the service proxy, or
you get a ServiceMatches with an array of ServiceItem, each of which has a
".service" member with a live object. This means that if you have no security
enabled, I can put a rogue lookup server on the network (where your lookup can
see it), and register viral services in it. When you find one of those
services, and it deserializes, the readObject() or readExternal() runs, and I
can do whatever I want, based on the active security manager, even though you
might not elect to use the service and call any methods on it.
The netbeans security manager does next to no file access checks because that
was seen as a performance problem. But they have to have a security manager
active to do RMI calls, so they hacked a SecurityManager together that leaves
things pretty open last I looked.
This is why we must have the ability to do lookup without unmarshalling in order
for users to have half a chance at safely doing anything without full JERI
security turned on. It must be possible to guarantee "nothing unexpected", or
we'll just be the next Microsoft...
Gregg Wonderly
