public interface RevocablePolicy extends DynamicPolicy
RevocablePolicy is a Java security Policy provider that supports runtime dynamic addition and removal of PermissionGrants.
Warning: Not all Permissions are truly revocable. While any Permission can be dynamically added and later removed from this policy, many JVM Permission implementations are used in ways that allow references to escape.
To quote Tim Blackman, from river-dev:
I remember talking with Bob and Mike Warres about this. The problem with removing permission grants is that when code is granted a permission, it can very likely squirrel away something -- an object, or another capability available through the granted permission -- that will permit it to perform the same operation again without the JVM checking for the permission again.
In order for a Permission to be fully revocable, the Permission must be used to guard methods only, not objects or their creation.
See "Inside Java 2 Platform Security" 2nd Edition, ISBN:0-201-78791-1, page 176.
A Security Delegate may be used as a wrapper with an interface identical to that of the object it protects. A new Permission class must be implemented for the Delegate's use in a checkPermission call, to protect access to the underlying object's methods. If an existing JVM Permission guards the underlying object, the delegate itself needs to be granted that standard JVM Permission. DelegatePermission has been created for the purpose of encapsulating an existing Permission.
The ability to fully revoke a Permission is intended for smart proxies that are given some trust temporarily, so that objects received from the smart proxy by a client cannot be used to continue gathering and sending information to a remote server after the proxy has been discarded.
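The Security Delegate pattern described above, as an added illustration that is not code from Apache River: the Reporter interface, RemoteReporter, ReporterDelegate and ReporterPermission are all hypothetical names, and a RevocablePolicy that has already revoked the grant is assumed to be installed, so the check fails.

```java
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.BasicPermission;

// Hypothetical permission that guards the delegate's methods (not a River class).
final class ReporterPermission extends BasicPermission {
    ReporterPermission(String name) { super(name); }
}

// Hypothetical service interface shared by the real object and its delegate.
interface Reporter {
    void send(String report);
}

// The underlying object. A client holding this reference directly can keep
// calling send() after a grant is revoked, because nothing is checked here:
// the Permission guarded the object's creation, not its methods.
final class RemoteReporter implements Reporter {
    public void send(String report) {
        System.out.println("report sent: " + report);
    }
}

// Security delegate: same interface, but each call re-enters the permission
// check, so revoking ReporterPermission("send") from the policy takes effect
// on the next call even though the client still holds the delegate.
final class ReporterDelegate implements Reporter {
    private final Reporter target;
    ReporterDelegate(Reporter target) { this.target = target; }
    public void send(String report) {
        AccessController.checkPermission(new ReporterPermission("send"));
        target.send(report);
    }
}

public class DelegateDemo {
    public static void main(String[] args) {
        // The delegate, not the RemoteReporter, is what escapes to the client.
        Reporter escaped = new ReporterDelegate(new RemoteReporter());
        try {
            // With no current grant of ReporterPermission "send" in the policy
            // (the state after revocation), the delegate refuses the call.
            escaped.send("client data");
        } catch (AccessControlException e) {
            System.out.println("blocked by delegate: " + e.getPermission());
        }
    }
}
```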
A list of standard Java Permissions that are confirmed safely revocable will be provided here.
See Also: Policy, ProtectionDomain, AccessController, DomainCombiner, AccessControlContext, Permission, DelegatePermission, DelegateSecurityManager
Modifier and Type | Method and Description |
---|---|
boolean | grant(PermissionGrant p) A dynamic grant. |
boolean | revokeSupported() Checks if the policy supports revocation. |

Methods inherited from interface DynamicPolicy: getGrants, grant, grantSupported
boolean grant(PermissionGrant p)
A dynamic grant.
Parameters: p - PermissionGrant to be granted.

boolean revokeSupported()
Checks if the policy supports revocation.
Copyright © 2016–2018 The Apache Software Foundation. All rights reserved.