On 4 January 2011 12:04, Peter Firmstone <[email protected]> wrote: > Dan Creswell wrote: > >> So.... >> >> On 3 January 2011 22:31, Peter Firmstone <[email protected]> wrote: >> >> >> >>> Dan Creswell wrote: >>> >>> >>> >>>> Hi Peter, >>>> >>>> >>>> On 3 January 2011 01:56, Peter Firmstone <[email protected]> wrote: >>>> >>>> >>>> >>>> >>>> >>>>> I'm currently experimenting with a modular build, I've laid out the >>>>> framework in skunk and I've got a local build where I'm trying to >>>>> define >>>>> what to include in the platform. >>>>> >>>>> The most obvious is to create the platform module based on what's >>>>> included >>>>> in jsk-platform.jar >>>>> >>>>> As has been pointed out there's also jsk-lib.jar and jsk-dl.jar >>>>> >>>>> Services that utilise the jsk-lib also need to have jsk-dl in their >>>>> codebase for clients to download. >>>>> >>>>> There are also a number of utility classes shared by service >>>>> implementations, included in their proxy's and it wouldn't make sense >>>>> to >>>>> have these duplicated in each service implementation for maintenance >>>>> reasons. This also presents an interesting situation, when these >>>>> classes >>>>> already exist in the client's classpath, the additional classes are not >>>>> loaded into the proxy classloader, since the parent classloader can >>>>> resolve >>>>> them, however that could also introduce versioning conflicts, if we >>>>> have >>>>> a >>>>> library that experiences version changes over time. There's nothing >>>>> currently that prevents a client from also utilising these library >>>>> classes. >>>>> >>>>> >>>>> >>>>> >>>>> >>>> I think the general solution for much of the versioning comes down to >>>> "proper" use of PreferredClassLoader. >>>> >>>> I think probably anything that is generally required/assumed by all of >>>> service, proxy and client is platform. Utility classes for service >>>> implementations you discuss above possibly aren't platform unless they >>>> are >>>> used by all services always. >>>> >>>> >>>> >>>> >>>> >>>> >>>>> This is why I think the client needs to be provided with a standard way >>>>> of >>>>> being run from a child classloader of the jini platform class loader, >>>>> in >>>>> this way, a service, proxy and client running within the same jvm, only >>>>> share the jini platform (& policy) classes, everything else becomes a >>>>> private implementation concern, including which version of a library to >>>>> use. >>>>> >>>>> >>>>> >>>>> >>>>> >>>> I imagine that the Service Starter framework would provide support for >>>> most >>>> of that already. Would still need some tweaks though.... >>>> >>>> >>>> >>>> >>> Penny for your thoughts on tweaks? >>> >>> >>> >>> >>> >> Only a foggy thought about the current set of ServiceDescriptors and >> whether >> they are best for clients. I could imagine using (and have used) a >> NonActivatableServiceDescriptor to fire up a client but the need for the >> object constructor as it is, the spec'ing of codebase and so on feels like >> overkill or at least there could be a simpler option for clients that >> don't >> have codebases etc. >> >> >> >> > > Ok, that sounds like a good starting point, thanks. > > >>> >>>> >>>> >>>>> From a versioning standpoint, we need a clean separation of name spaces >>>>> to >>>>> avoid runtime issues. >>>>> >>>>> Modularity will reduce the burden of maintenance, but only if done >>>>> properly. >>>>> >>>>> The most obvious places to break up the codebase are the points of >>>>> abstraction, where dynamic dependency injection is performed, these are >>>>> Jini >>>>> Services and Service Provider Interfaces (not to be confused with a >>>>> jini >>>>> service). >>>>> >>>>> From observing recent improvements, the classes in com.sun.* change >>>>> more >>>>> often than those in net.jini.*, this was my reasoning for suggesting >>>>> including all net.jini.* in the platform, because I wanted to know your >>>>> thoughts. But doing so may drag more of the com.sun.* namespace into >>>>> platform, which is bad, because these are then visible in all >>>>> namespaces. >>>>> >>>>> I've had thoughts of putting platform implementation classes into a >>>>> child >>>>> classloader, to make it invisible from client, proxy and service >>>>> namespaces, >>>>> but this also presents its challenges as it requires a superclass >>>>> present >>>>> in >>>>> the platform classloader. This is in some ways similar to the way OSGi >>>>> exports a package, while keeping implementation packages private. >>>>> Using >>>>> OSGi to control package visibility is one option, there's also netbeans >>>>> modularity or service providers. Of course mentioning these utilities >>>>> is >>>>> akin to provoking off topic arguments which shows how strongly people >>>>> feel >>>>> about River and Jini, but I'd first like to discuss the actual problem >>>>> and >>>>> listen to solutions. >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>> Okay, so if we're going that way, we all should read Mike Warres' paper >>>> way >>>> back in the day that covers much of the classloader ball of mud, >>>> preferred >>>> class loading and outstanding issues: >>>> >>>> http://labs.oracle.com/techrep/2006/smli_tr-2006-149.pdf >>>> >>>> >>>> >>>> >>>> >>>> >>> Damn good suggestion, I was actually going over it again yesterday. >>> >>> Code base annotation loss is a big problem, when non preferred classes >>> are >>> resolved by the application class loader, that and code base location >>> changes over time and codebase configuration problems. >>> >>> Preferred class loading for preferred classes doesn't follow the rule of >>> delegating class loading first to the parent class loader. >>> >>> Preferred class loading is used when proxy classes also exist in the >>> parent >>> class loader. >>> >>> The best option appears to be to limit the classes in the application >>> class >>> loader to jini platform classes, this minimizes the classes that need to >>> be >>> preferred. >>> >>> One problem with using a child class loader for jini platform >>> implementation classes, is some of these classes may invariably be >>> serialized with api classes from the platform and need to be >>> deserialized, >>> if they're not visible to the application class loader... I've been >>> going >>> over these classes one by one, I'm not finding any serializable classes >>> yet... I'm starting to think a child class loader for the platform >>> implementation would be an unnecessary complication. >>> >>> Codebase services was intended to be a solution to codebase migration and >>> configuration issues, the codebase service was found using discovery. >>> >>> I've been having some thoughts about a custom URL handler, that utilises >>> DNS-SRV discovery to locate codebases. Each domain could provide a list >>> of >>> codebase servers, these could be redundant. >>> >>> A custom URL format could have the following information: >>> >>> * The domain in which to discover the codebase server. >>> * The jar archive name (or other file type name). >>> * A message digest of the file. >>> * A file size limit. (download is aborted after this limit is exceeded) >>> * A hashcode of the Server's Subject's certificate (the cert itself >>> could be too large) >>> >>> The Certificate hashcode provides an identity for the URL (which provides >>> a >>> reasonable probability of being unique when combined with other >>> information), we might consider using a Subject to uniquely identify a >>> ClassLoader namespace, to avoid class sharing between proxies with >>> identical >>> code, but different server subjects. The Subject certificate hashcode >>> would >>> need to be checked as part of the verification process, albeit after >>> unmarshalling. >>> >>> The problem here is we're bumping into the limitations of the java >>> platform, which the missing Isolates API was designed to address, >>> identical >>> classes could be used by separate identities in separate isolates. >>> >>> If we didn't have a hashcode relating to the server subject, would it be >>> reasonable to expect all servers from the same domain to have the same >>> server Subject? >>> >>> >>> >> >> No real comment other than to say, feels like a narrowing assumption that >> could provide a nasty surprise later so I would be inclined not to make >> it. >> >> >> >> > > My thoughts exactly, I wanted to see if someone else thought the same way. > > This is precisely what would occur if two different proxy's with different > Subject's used the same code base, how could we tell their ClassLoaders > apart? This might occur if we used maven to provision the codebase or used > DNS-SRV discovered codebase servers. > > Okay so I'm not sure maven and such are the trigger's for the above. It would be some conscious decisions someone had made about packaging and deployment, wouldn't it?
If two services and thus two proxies have the same codebase, someone is choosing to either: (1) Have multiple instances of the same service run off the same codebase - not sure of the value except maybe for load-handling. Single codebase for each service is potentially a single point of failure. (2) Have multiple services of different types sharing a codebase - well this could happen if: (a) We choose to leave all classes sitting under a URL in unjar'd state (we all know that means lots of roundtrips during class resolution etc and so generally it's not done) or (b) We're keeping multiple codebases inside of a single .jar (which increases the size of the download required for class resolution etc and makes version management a difficult affair as touching one service potentially impacts another). Now in case of (1) I cannot see any reason why one would have different subjects for each of those services. In essence they are the same service in all about UUID so housing their proxies in the same classloader on a client doesn't seem like a problem. In case (2), I think the obvious way to bundle a service, one jar for -dl and one jar for back-end is likely the prevailing one and these cases though they could occur would not be recommended practice. For maven, I can see how we could certainly build archetypes and such to support the recommended bundling approach. For DNS SRV, there are means by which codebase paths (.jars and such) can be put into the records such that we could still construct a unique codebase to pull from. In essence I think we might be solving a non-problem... But is a Certificate hashcode enough? > > My reasoning for using a Certificate hashcode, rather than a certificate: > > 1. Certificates are large, and would make Codebase URL debugging > output harder to understand. > Unless one builds tools to support this case. If it's a dominating case, that's what we'd have to do in any case I reckon so I'm not fearful. > 2. A Certificate cannot be checked until after proxy verification, it > would be unlikely that two different certificates would share the > same hashcode and codebase and be trusted by the client, but in > the case they do, a special ClassLoader might contain a reference > to the authenticated subject, enabling the client to check that a > proxy's objects unmarshalled into the classloader can be > authenticated as that subject. > > Typically a Service must authenticate as a Principal, during proxy > verification, the Principal is known prior to authentication and is set as a > min server principal constraint, the Subject and it's certificate are not > known until after authentication and after class loading. > > There is one more thing to consider. If a classloader namespace is already > in use for a proxy, and a new proxy is unmarshalled into this classloader, > that class loader has already been verified by another proxy, during the > period of unmarshalling, the classes in that class loader are trusted, > they're not local code, but they're trusted and permissions have been > granted to a Principal, assuming the code is trustworthy, it should be safe > to unmarshall unauthenticated proxy objects into this class loader, because > we trust the code and because if it isn't run as a subject during > unmarshalling, it doesn't gain any privileges. After unmarshalling if the > second proxy doesn't authenticate as the same Subject as the first, all > references to it should be set null and the garbage collector allowed to > collect it. Remember this is the case where proxy's share the same codebase > URL and Subject. > > In pepe/skunk, I have a backward compatible experimental MarshalledInstance > that contains a verifier proxy, used to authenticate the original creator of > the MarshalledInstance, here the Subject could be supplied to something > similar to RMIClassLoader, Gregg has donated his CodebaseAccessClassloader, > this could have a method added to accept a Subject along with the > annotation, or alternately classloading could be performed using the > Subject. This authenticated verifier proxy then verifies the codebase > annotation using a message digest. It is expected that the Subject would be > the same as that which authenticates the proxy and it's every method call on > the proxy. Authentication prior to unmarshalling remote code is intended to > avoid unmarshalling attacks. > > I plan to experiment, writing some more utility code, based on my proxy > isolate in skunk/pepe, that allows unmarshalling to be performed in an > isolated Thread, which catches a StackOverflowError, in the case of a remote > end deliberately sending a spuriously large object stream. Currently this > only handles the unmarshalling process (MarshalledInstance.get()), however > I'm looking at how to extend it to deserialization of MarshalledInstance > during discovery. > > But what about Exported objects, not discovered through a lookup service, > but returned from another Service, if these are from a different remote host > with a different Subject? > > All the above is a thought experiment, feel free to participate and correct > any errors or fallacies. > > Cheers, > > Peter. > >> Cheers, >>> >>> Peter. >>> >>> Then of course there's also the argument that we should do nothing, so >>> >>> >>>> consider this a thought experiment to discover how it might be done, not >>>>> that it will or must be, that can be decided later. >>>>> >>>>> What are your thoughts? >>>>> >>>>> Cheers, >>>>> >>>>> Peter. >>>>> >>>>> >>>>> Jeff Ramsdale wrote: >>>>> >>>>> >>>>> >>>>> >>>>> >>>>>> Chiming in here, perhaps off topic... >>>>>> >>>>>> Sometime back (maybe within the past year?) there seemed to be >>>>>> agreement on removing the ClassPath manifest attributes moving forward >>>>>> in order to not make assumptions concerning relative jar locations >>>>>> (e.g. classpath built from local Maven repo). >>>>>> >>>>>> -jeff >>>>>> >>>>>> On Sun, Jan 2, 2011 at 8:36 AM, Greg Trasuk <[email protected]> >>>>>> wrote: >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>>> On Sun, 2011-01-02 at 11:15, Tom Hobbs wrote: >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>>> Am I right in thinking/remembering that, with the exception of the >>>>>>>> *-dl.jar files, the only others that are needed are the jsk-*.jar >>>>>>>> ones. >>>>>>>> >>>>>>>> I'm pretty sure that many of the JARs contain the same class files, >>>>>>>> I >>>>>>>> think that there's definitely scope to reduce the number JAR files >>>>>>>> that the build creates. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> I think you might be mistaken about that. The *-dl.jar files often >>>>>>> contain duplications of classes in *.jar files, but that's reasonable >>>>>>> and expected. The few service implementation jar files that I've >>>>>>> looked >>>>>>> at contain ClassPath manifest attributes that reference jsk-lib etc. >>>>>>> >>>>>>> The only real duplication I'm aware of is in the jini-core.jar, >>>>>>> jini-ext.jar and sun-utils.jar files, that duplicate the contents of >>>>>>> jsk-platform and jsk-lib. This is done for backwards compatability >>>>>>> (that's the way it was in Jini 1.0-days), and could probably be >>>>>>> deprecated at this point, after consulting with the user community. >>>>>>> >>>>>>> Cheers, >>>>>>> >>>>>>> Greg. >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>>> On Sun, Jan 2, 2011 at 8:51 AM, Peter Firmstone <[email protected]> >>>>>>>> wrote: >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>>> I agree that dynamic proxy classes should remain dynamic downloads, >>>>>>>>> however >>>>>>>>> much of net.jini.* isn't in the jsk-platform.jar >>>>>>>>> >>>>>>>>> Should we expand the platform to contain all net.jini.*? >>>>>>>>> >>>>>>>>> Except for providers? (com.sun.jini.resource.Service, similar to >>>>>>>>> Java's >>>>>>>>> sun.misc.Service and java.util.ServiceLoader) >>>>>>>>> >>>>>>>>> Perhaps we can include more in the platform and reduce the number >>>>>>>>> of >>>>>>>>> jar >>>>>>>>> archives we've got? >>>>>>>>> >>>>>>>>> Any thoughts? >>>>>>>>> >>>>>>>>> Cheers, >>>>>>>>> >>>>>>>>> Peter. >>>>>>>>> >>>>>>>>> [email protected] wrote: >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>>> Isn't that already jsk-platform.jar? I would object to anything >>>>>>>>>> that >>>>>>>>>> subverts the dynamic proxy loading concept that is central to >>>>>>>>>> Jini. >>>>>>>>>> It is imperative that people don't, for instance, get the >>>>>>>>>> service-registrar proxy impls in their local class path. That >>>>>>>>>> would >>>>>>>>>> break >>>>>>>>>> compatibility with future or alternate impls. >>>>>>>>>> >>>>>>>>>> Cheers, >>>>>>>>>> Greg >>>>>>>>>> ------Original Message------ >>>>>>>>>> From: Sim IJskes - QCG >>>>>>>>>> To: [email protected] >>>>>>>>>> ReplyTo: [email protected] >>>>>>>>>> Subject: river.jar >>>>>>>>>> Sent: Dec 31, 2010 10:07 AM >>>>>>>>>> >>>>>>>>>> Hello, >>>>>>>>>> >>>>>>>>>> anybody have an objection against a river.jar in the build that >>>>>>>>>> contains >>>>>>>>>> all river runtime classes? >>>>>>>>>> >>>>>>>>>> Gr. Sim >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>> >>>>> >>>>> >>>> >>>> >>>> >>> >>> >> >> >> > >
