On Monday 11 of October 2010 05:27:31 Peter Firmstone wrote:
> Michal Kleczek wrote:
> > Some more thoughts.
> >
> > There is one scenario that is not covered here:
> >
> > I get a service, verify the module that loads its class using a
> > ModuleAuthority that I trust. This service in turn downloads some other
> > objects that it verified. There is no way I can delegate trust
> > verification to the service - I must trust Modules (actually
> > ModuleAuthorities) of those subsequent objects.
> >
> > 1. I have to have a way to allow or disallow module trust delegation
> > (looks like a case for dynamic permission grants)
>
> Currently PreferredClassLoader uses DownloadPermission to prevent or
> allow a CodeSource class loading; because the CodeSource hasn't yet been
> loaded, we cannot dynamically grant DownloadPermission to a CodeSource,
> using DynamicPolicy.
Thanks for the hint.
I think Module trust delegation can be achieved in a really simple way:
import java.security.AccessController;
import java.security.Permission;
import net.jini.security.TrustVerifier;

class InstallModulePermission extends Permission {
    InstallModulePermission() {
        super("InstallModulePermission");
    }
    public boolean implies(Permission p) {
        return p instanceof InstallModulePermission;
    }
    public boolean equals(Object o) {
        return o instanceof InstallModulePermission;
    }
    public int hashCode() {
        return getName().hashCode();
    }
    public String getActions() {
        return "";
    }
}

//this TrustVerifier is installed locally on the client
//so that delegation of Module trust verification can be done
//by granting a service InstallModulePermission
public class InstallModulePermissionVerifier implements TrustVerifier {
    private static final InstallModulePermission PERM =
        new InstallModulePermission();

    public boolean isTrustedObject(Object o, Context ctx) {
        try {
            // Module is the proposed type from this thread
            if (o instanceof Module) {
                // succeeds only if every domain on the call stack holds PERM
                AccessController.checkPermission(PERM);
                return true;
            }
            return false;
        }
        catch (SecurityException e) {
            return false;
        }
    }
}
What do you think?
Michal
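To see the gate above in action outside a Jini deployment, here is an added, self-contained demonstrator that is not Michal's code. It assumes a BasicPermission stand-in for InstallModulePermission, a marker class in place of the proposed Module type, and a JDK on which the Java 2 security model (Policy, AccessController) is still functional, i.e. before JDK 24; it runs the same stack-based check once from a simulated service domain that holds the permission and once from one that does not.

```java
import java.security.*;

public class DelegationDemo {
    // Stand-in for the email's InstallModulePermission (assumption: BasicPermission
    // is used here so implies/equals/hashCode come for free).
    public static final class InstallModulePermission extends BasicPermission {
        public InstallModulePermission() { super("installModule"); }
    }
    // Marker standing in for the thread's proposed Module type (assumption).
    public static final class Module {}

    private static final InstallModulePermission PERM = new InstallModulePermission();

    // The email's verifier check: a Module is trusted only if every protection
    // domain on the call stack, plus any supplied context, holds the permission.
    public static boolean isTrustedModule(Object o) {
        if (!(o instanceof Module)) return false;
        try {
            AccessController.checkPermission(PERM);
            return true;
        } catch (SecurityException e) {
            return false;
        }
    }

    // Run the check as if a service living in a domain with exactly `granted`
    // were the caller. A two-argument ProtectionDomain is static: it never
    // consults Policy, so the outcome depends only on what was granted to it.
    public static boolean verifyAsService(Object o, PermissionCollection granted) {
        ProtectionDomain serviceDomain = new ProtectionDomain(null, granted);
        AccessControlContext asService =
            new AccessControlContext(new ProtectionDomain[] { serviceDomain });
        return AccessController.doPrivileged(
            (PrivilegedAction<Boolean>) () -> isTrustedModule(o), asService);
    }

    public static void main(String[] args) {
        // This demo class's own (Policy-backed) domain is also on the stack, so
        // let Policy say yes for it; the simulated service domain is judged alone.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain pd, Permission p) { return true; }
        });
        Permissions withGrant = new Permissions();
        withGrant.add(new InstallModulePermission());
        Permissions noGrant = new Permissions();
        System.out.println("granted service:   " + verifyAsService(new Module(), withGrant));
        System.out.println("ungranted service: " + verifyAsService(new Module(), noGrant));
        System.out.println("not a Module:      " + verifyAsService("x", withGrant));
    }
}
```

Expect true, false, false: the check fails as soon as any domain between the caller and the verifier lacks the grant, which is exactly what lets the client decide per service whether delegation is allowed.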