diff --git a/jetty-policy/src/main/java/org/eclipse/jetty/policy/JettyPolicy.java b/jetty-policy/src/main/java/org/eclipse/jetty/policy/JettyPolicy.java index c908886834c..3b439758f92 100644 --- a/jetty-policy/src/main/java/org/eclipse/jetty/policy/JettyPolicy.java +++ b/jetty-policy/src/main/java/org/eclipse/jetty/policy/JettyPolicy.java @@ -29,9 +29,9 @@ import java.security.Policy; import java.security.Principal; import java.security.ProtectionDomain; import java.util.ArrayList; -import java.util.Collections; import java.util.Enumeration; import java.util.HashMap; +import java.util.HashSet; import java.util.Iterator; import java.util.List; import java.util.Map; @@ -40,6 +40,7 @@ import java.util.Set; import org.eclipse.jetty.policy.loader.DefaultPolicyLoader; import org.eclipse.jetty.util.Scanner; + /** * Policy implementation that will load a set of policy files and manage the mapping of permissions and protection domains * @@ -60,7 +61,9 @@ public class JettyPolicy extends Policy // Policy files that are actively managed by the aggregate policy mechanism private final Set _policies; - private final Map pdMapping = Collections.synchronizedMap(new HashMap()); + private final Set _grants = new HashSet(); + + private final Map _cache = new HashMap(); private final PolicyContext _context = new PolicyContext(); @@ -90,44 +93,52 @@ public class JettyPolicy extends Policy { if (!initialized) { - synchronized (this) - { - refresh(); - } + + refresh(); } - PermissionCollection perms = new Permissions(); - - synchronized (pdMapping) + if (_cache.containsKey(domain)) { - for (Iterator i = pdMapping.keySet().iterator(); i.hasNext();) + return _cache.get(domain); + } + + synchronized (_cache) + { + // check if it was added in since we obtained lock + if (_cache.containsKey(domain)) { - ProtectionDomain pd = i.next(); + return _cache.get(domain); + } + + PermissionCollection perms = new Permissions(); + + for (Iterator i = _grants.iterator(); i.hasNext();) + { + PolicyBlock policyBlock = i.next(); + ProtectionDomain grantPD = policyBlock.toProtectionDomain(); if (__DEBUG) { System.out.println("----START----"); - System.out.println("PDCS: " + pd.getCodeSource()); + System.out.println("PDCS: " + policyBlock.getCodeSource()); System.out.println("CS: " + domain.getCodeSource()); } // 1) if protection domain codesource is null, it is the global permissions (grant {}) // 2) if protection domain codesource implies target codesource and there are no prinicpals // 2) if protection domain codesource implies target codesource and principals align - if (pd.getCodeSource() == null || pd.getCodeSource().implies(domain.getCodeSource()) && pd.getPrincipals() == null || pd.getCodeSource().implies(domain.getCodeSource()) && validate(pd.getPrincipals(),domain.getPrincipals())) + if (grantPD.getCodeSource() == null || grantPD.getCodeSource().implies(domain.getCodeSource()) && grantPD.getPrincipals() == null || grantPD.getCodeSource().implies(domain.getCodeSource()) + && validate(grantPD.getPrincipals(),domain.getPrincipals())) { - // gather dynamic permissions - if (pdMapping.get(pd) != null) + + for (Enumeration e = policyBlock.getPermissions().elements(); e.hasMoreElements();) { - for (Enumeration e = pdMapping.get(pd).getPermissions().elements(); e.hasMoreElements();) + Permission perm = e.nextElement(); + if (__DEBUG) { - Permission perm = e.nextElement(); - if (__DEBUG) - { - System.out.println("D: " + perm); - } - perms.add(perm); + System.out.println("D: " + perm); } + perms.add(perm); } } if (__DEBUG) @@ -135,10 +146,11 @@ public class JettyPolicy extends Policy System.out.println("----STOP----"); } } + + _cache.put(domain,perms); + + return perms; } - - return perms; - } @Override @@ -152,45 +164,56 @@ public class JettyPolicy extends Policy } } - PermissionCollection perms = new Permissions(); - - synchronized (pdMapping) + if (_cache.containsKey(codesource)) { - for (Iterator i = pdMapping.keySet().iterator(); i.hasNext();) - { - ProtectionDomain pd = i.next(); + return _cache.get(codesource); + } - if (pd.getCodeSource() == null || pd.getCodeSource().implies(codesource)) + synchronized (_cache) + { + // check if it was added in since we obtained lock + if (_cache.containsKey(codesource)) + { + return _cache.get(codesource); + } + + PermissionCollection perms = new Permissions(); + + for (Iterator i = _grants.iterator(); i.hasNext();) + { + PolicyBlock policyBlock = i.next(); + ProtectionDomain grantPD = policyBlock.toProtectionDomain(); + + if (grantPD.getCodeSource() == null || grantPD.getCodeSource().implies(codesource)) { if (__DEBUG) { System.out.println("----START----"); - System.out.println("PDCS: " + pd.getCodeSource()); + System.out.println("PDCS: " + grantPD.getCodeSource()); System.out.println("CS: " + codesource); } - // gather dynamic permissions - if (pdMapping.get(pd) != null) + + for (Enumeration e = policyBlock.getPermissions().elements(); e.hasMoreElements();) { - for (Enumeration e = pdMapping.get(pd).getPermissions().elements(); e.hasMoreElements();) + Permission perm = e.nextElement(); + if (__DEBUG) { - Permission perm = e.nextElement(); - if (__DEBUG) - { - System.out.println("D: " + perm); - } - perms.add(perm); + System.out.println("D: " + perm); } + perms.add(perm); } + if (__DEBUG) { System.out.println("----STOP----"); } } } + + _cache.put(codesource,perms); + + return perms; } - - return perms; - } private static boolean validate(Principal[] permCerts, Principal[] classCerts) @@ -222,7 +245,7 @@ public class JettyPolicy extends Policy } @Override - public void refresh() + public synchronized void refresh() { try @@ -237,38 +260,43 @@ public class JettyPolicy extends Policy System.out.println("refreshing policy files"); } - synchronized (pdMapping) + Set clean = new HashSet(); + + for (Iterator i = _policies.iterator(); i.hasNext();) { - pdMapping.clear(); + File policyFile = new File(i.next()); - for (Iterator i = _policies.iterator(); i.hasNext();) - { - File policyFile = new File(i.next()); - pdMapping.putAll(DefaultPolicyLoader.load(new FileInputStream(policyFile),_context)); - } - - if (__DEBUG) - { - System.out.println("resetting policies"); - - System.setSecurityManager(null); - Policy.setPolicy(null); - Policy.setPolicy(this); - System.setSecurityManager(new SecurityManager()); - - // System.setSecurityManager(null); - // Policy.setPolicy(null); - // Policy.setPolicy(this); - // System.setSecurityManager(new SecurityManager()); - - // for (Iterator i = pdMapping.keySet().iterator(); i.hasNext();) - // { - // System.out.println(i.next().toString()); - // } - - System.out.println("finished reloading policies"); - } + clean.addAll(DefaultPolicyLoader.load(new FileInputStream(policyFile),_context)); } + + synchronized (_cache) + { + _grants.clear(); + _grants.addAll(clean); + + //for (Iterator i = _cache.values().iterator(); i.hasNext();) + //{ + // i.next().toString(); + //} + + _cache.clear(); + } + + if (__DEBUG) + { + // System.setSecurityManager(null); + // Policy.setPolicy(null); + // Policy.setPolicy(this); + // System.setSecurityManager(new SecurityManager()); + + // System.setSecurityManager(null); + // Policy.setPolicy(null); + // Policy.setPolicy(this); + // System.setSecurityManager(new SecurityManager()); + + System.out.println("finished reloading policies"); + } + } catch (Exception e) { @@ -277,11 +305,17 @@ public class JettyPolicy extends Policy } /** - * TODO make this optional + * TODO make this optional MUST be only called from refresh or race condition */ - private void initialize() throws Exception + private synchronized void initialize() throws Exception { + // if we have been initialized since we got lock, return + if (initialized) + { + return; + } + List scanDirs = new ArrayList(); for (Iterator i = _policies.iterator(); i.hasNext();) @@ -300,7 +334,10 @@ public class JettyPolicy extends Policy public void fileChanged(String filename) throws Exception { - refresh(); + if (filename.endsWith("policy")) + { + refresh(); + } } public void fileAdded(String filename) throws Exception @@ -321,13 +358,12 @@ public class JettyPolicy extends Policy PrintWriter write = new PrintWriter(out); write.println("dumping policy settings"); - synchronized (pdMapping) + synchronized (_cache) { - for (Iterator i = pdMapping.keySet().iterator(); i.hasNext();) + for (Iterator i = _cache.keySet().iterator(); i.hasNext();) { - ProtectionDomain domain = i.next(); - PolicyBlock block = pdMapping.get(domain); - write.println(domain.toString()); + Object o = i.next(); + write.println(o.toString()); } } write.flush(); diff --git a/jetty-policy/src/main/java/org/eclipse/jetty/policy/PolicyBlock.java b/jetty-policy/src/main/java/org/eclipse/jetty/policy/PolicyBlock.java index 0b5c894fe31..e3ee8e38b14 100644 --- a/jetty-policy/src/main/java/org/eclipse/jetty/policy/PolicyBlock.java +++ b/jetty-policy/src/main/java/org/eclipse/jetty/policy/PolicyBlock.java @@ -45,7 +45,9 @@ public class PolicyBlock // } // else // { - protectionDomain = new ProtectionDomain( codesource, permissions, Thread.currentThread().getContextClassLoader(), principals ); + protectionDomain = new ProtectionDomain(codesource,null,Thread.currentThread().getContextClassLoader(),principals); + + // protectionDomain = new ProtectionDomain( codesource, permissions, Thread.currentThread().getContextClassLoader(), principals ); // } } diff --git a/jetty-policy/src/main/java/org/eclipse/jetty/policy/loader/DefaultPolicyLoader.java b/jetty-policy/src/main/java/org/eclipse/jetty/policy/loader/DefaultPolicyLoader.java index f346c6c9bce..ba43ac44200 100644 --- a/jetty-policy/src/main/java/org/eclipse/jetty/policy/loader/DefaultPolicyLoader.java +++ b/jetty-policy/src/main/java/org/eclipse/jetty/policy/loader/DefaultPolicyLoader.java @@ -22,16 +22,15 @@ package org.eclipse.jetty.policy.loader; import java.io.InputStream; import java.io.InputStreamReader; import java.security.KeyStore; -import java.security.ProtectionDomain; import java.util.ArrayList; import java.util.Collection; -import java.util.HashMap; +import java.util.HashSet; import java.util.Iterator; import java.util.List; -import java.util.Map; +import java.util.Set; -import org.eclipse.jetty.policy.PolicyContext; import org.eclipse.jetty.policy.PolicyBlock; +import org.eclipse.jetty.policy.PolicyContext; import org.eclipse.jetty.policy.PolicyException; import org.eclipse.jetty.policy.entry.GrantEntry; import org.eclipse.jetty.policy.entry.KeystoreEntry; @@ -43,9 +42,9 @@ import org.eclipse.jetty.policy.entry.KeystoreEntry; public class DefaultPolicyLoader { - public static Map load( InputStream policyStream, PolicyContext context ) throws PolicyException + public static Set load( InputStream policyStream, PolicyContext context ) throws PolicyException { - Map policies = new HashMap(); + Set policies = new HashSet(); KeyStore keystore = null; try @@ -83,7 +82,7 @@ public class DefaultPolicyLoader policy.setPrincipals( grant.getPrincipals() ); policy.setPermissions( grant.getPermissions() ); - policies.put( policy.toProtectionDomain(), policy ); + policies.add(policy); } return policies; diff --git a/jetty-policy/src/test/java/org/eclipse/jetty/policy/JettyPolicyRuntimeTest.java b/jetty-policy/src/test/java/org/eclipse/jetty/policy/JettyPolicyRuntimeTest.java index ad3b15961ac..42eb5212429 100644 --- a/jetty-policy/src/test/java/org/eclipse/jetty/policy/JettyPolicyRuntimeTest.java +++ b/jetty-policy/src/test/java/org/eclipse/jetty/policy/JettyPolicyRuntimeTest.java @@ -174,7 +174,7 @@ public class JettyPolicyRuntimeTest extends TestCase URL url = MavenTestingUtils.toTargetURL("test-policy/jetty-test-policy.jar"); - System.out.println( "IN HERE: " + url.toString()); + // System.out.println( "IN HERE: " + url.toString()); URLClassLoader loader ; if (Thread.currentThread().getContextClassLoader() != null ) diff --git a/jetty-policy/src/test/java/org/eclipse/jetty/policy/JettyPolicyTest.java b/jetty-policy/src/test/java/org/eclipse/jetty/policy/JettyPolicyTest.java index 179113b8aed..19d1cd82ecc 100644 --- a/jetty-policy/src/test/java/org/eclipse/jetty/policy/JettyPolicyTest.java +++ b/jetty-policy/src/test/java/org/eclipse/jetty/policy/JettyPolicyTest.java @@ -132,7 +132,7 @@ public class JettyPolicyTest extends TestCase public void testSCLoader() throws Exception { - JettyPolicy ap = new JettyPolicy(Collections.singleton(getWorkingDirectory() + "/src/main/config/lib/policy"),evaluator); + JettyPolicy ap = new JettyPolicy(Collections.singleton(getWorkingDirectory() + "/src/main/config/lib/policy/jetty.policy"),evaluator); ap.refresh(); ap.dump(System.out);