8 Replies Latest reply on Nov 24, 2008 10:18 AM by dmlloyd

    Remoting 3: Secure Remote Classloading (JBREM-929)

    dmlloyd

      Various parties have already pointed out the security concerns with the existing remote classloading system and the need to better integrate with the AS classloader system.

      There are (at least) three points where security is significant to remote classloading.

      (1) The loading endpoint needs to be able to control whether or not a given class may be remotely loaded from a given peer, and by whom. This could possibly be implemented as some sort of permission, with parameters to specify what range of classes the permission applies to and what remote services may be loaded from. In addition it might be beneficial to have a global "off switch" as an easy way to secure an endpoint.

      (2) The loading endpoint needs to be able to assign permissions to the loaded class. This should be doable using the client's security policy mechanism, preferably using some type of codeBase URL that is able to specify the source of the loaded class.

      (3) The endpoint from which the classes are sent needs to be able to restrict the scope of what classes are made available to the client, so as not to "leak" any potentially sensitive classes. This could possibly function at a module granularity (JAR file) or at a package/class granularity.

      A quick note - in Remoting 3, classes may conceptually be sent either from client to server (as part of a request) or from server to client (as part of a reply).

      Here's a couple proposals for how to implement it.

      (1) A Remote VFS scheme

      This solution entails creating a VFS plugin that uses Remoting to load resources ("vfsremote:<remoting-service-URI>" perhaps). A Remoting service would be created which exports some subset of one system's VFS. A client would then connect to this service, creating a VFS view of the remote system. Then a classloader which includes a VFSClassLoader referencing this view is created and injected into the Remoting client configuration (specifically, as the classloader used by the ClassResolver of the MarhsallerFactory). This can then be secured by using a VFS codeBase URL (assuming we get that working, which I'm confident is possible, one way or another).

      Pros: very elegant. Uses all our various cool JBoss doodads together. No enhancements to the Remoting codebase are necessary. No new classloader implementations are needed. Avoids the various issues that have come up with the current implementation. Uses standard security configuration. Possibly has other uses outside of remote classloading.
      Cons: standalone clients might be very complex, having to include a bunch of our classloading and VFS stuff in order to gain access to the remote classes/jars/etc. We would need to devise a way to simplify client configuration as well - maybe even producing a special API for writing simple clients which preconfigures all this stuff at once.

      (2) A RemoteClassLoader implementation

      With this solution, we create a ClassLoader implementation which uses a custom remote classloading service. The server side would wrap one or more ClassLoader instance(s) to which class lookups are delegated.

      Pros: simpler for clients - they'd just have to create a RemoteClassLoader implementation.
      Cons: there are a lot of features in classloaders that do not have a clear mapping across a remote channel. Getting resources, packages, and security manager considerations all weigh in to this. I would expect a lot more design bugs with this approach compared to implementation bugs.

      Thoughts?

        • 1. Re: Remoting 3: Secure Remote Classloading (JBREM-929)
          sguilhen

          David, I really like the Remote VFS strategy. Even though I'm not sure about securing a codebase URL, I think the advantages of the remote VFS scheme far outweighs the disadvantages (having to provide some API for clients that would ease the configuration process). Besides being an elegant solution, it looks to me that it fits our needs better than the remote classloader approach. I am not an expert on VFS, but if you think this approach is feasible then I suggest we go with that.

          • 2. Re: Remoting 3: Secure Remote Classloading (JBREM-929)
            alesj

             

            "david.lloyd@jboss.com" wrote:

            (1) A Remote VFS scheme

            Can you post some pseudo code on the subject,
            as I have no clue about remoting, but I know a thing or two on VFS. :-)


            • 3. Re: Remoting 3: Secure Remote Classloading (JBREM-929)
              starksm64

              The server side implementation should just be a delegating class loading domain that has a restricted set of package/class exports. It delegates to the deployment class loading domain.

              Either a remote VFSClassLoader or RemoteClassLoader point to the delegating domain. I don't see much difference between these two class loaders. Both have to access the vfsremote:uuid-of-deployment-delegate-class-loading-domain to do any work.

              • 4. Re: Remoting 3: Secure Remote Classloading (JBREM-929)
                dmlloyd

                 

                "alesj" wrote:
                "david.lloyd@jboss.com" wrote:

                (1) A Remote VFS scheme

                Can you post some pseudo code on the subject,
                as I have no clue about remoting, but I know a thing or two on VFS. :-)


                Basically it would work like this. On the client you'd have a deployable configuration for remote VFS. The configuration would accept a name for the remote VFS which would be used in the uri (e.g. "vfsremote://my-remote-vfs/the/path"), and would also be used as the group name for the VFS service (so that there could be more than one provider for the same remote VFS service within a cluster, for example).

                Then for every provider of that VFS instance, there would be a Remoting service deployed which would handle the forwarded VFS calls.

                One interesting aspect of this is that if a node uses a vfsremote that is actually located on the same node, then the usual call-by-reference optimization takes place; it should not be too much more expensive than a regular local access.

                Make sense?


                • 5. Re: Remoting 3: Secure Remote Classloading (JBREM-929)
                  alesj

                   

                  "david.lloyd@jboss.com" wrote:

                  Make sense?

                  Yup.
                  I figured it was something like that.

                  I'll restructure VFS project so we can have something like this:
                  - vfs core-spi
                  - vfs core-impl
                  - vfs remoting
                  - vfs cache
                  - vfs ...

                  But only after I get 2.0.0.GA out.
                  Which should be these days.

                  • 6. Re: Remoting 3: Secure Remote Classloading (JBREM-929)
                    dmlloyd

                    Thinking about it more, I think that vfsremote could be much like vfsmemory, except that if a class is missing, it is fetched remotely.

                    Especially if vfsmemory could have a specifiable authority name. Hint hint. :-)

                    • 7. Re: Remoting 3: Secure Remote Classloading (JBREM-929)
                      alesj

                       

                      "david.lloyd@jboss.com" wrote:

                      Especially if vfsmemory could have a specifiable authority name. Hint hint. :-)

                      No. ;-)
                      I think having separate protocol for remoting and in-memory is better concept wise.
                      We could independently develop features, but not over doing it on the API.
                      And I guess we'll have to depend on JBoss Remoting for vfs remoting,
                      where in-memory is dependency free.

                      • 8. Re: Remoting 3: Secure Remote Classloading (JBREM-929)
                        dmlloyd

                        I never said they would be the same protocol. I merely implied that I could steal a lot of code/ideas from vfsmemory :)