Mobile code
SOFTENG 325
Software Architecture
Motivation
You want to design and implement a distributed application that
allows arbitrary tasks to be executed by a compute service
The server machine may provide high-performance processing
capabilities
The server may provide access to specialist hardware
Diagram: a Client JVM on a Desktop PC sends an execute-task request to a Server JVM on a High performance computer and receives the result.
SE 325 Mobile Code 2
Server-side design (class diagram):
  «interface» Compute extends java.rmi.Remote
    +executeTask(in t : Task) : Object
  «interface» Task extends java.io.Serializable
    +execute() : Object
  ComputeEngine extends java.rmi.server.UnicastRemoteObject implements Compute
    +main()
Task is intended to be implemented by classes whose instances represent units of work to be processed by the service.
ComputeEngine is a remote object implementation which also acts as a server program. Running the program causes the ComputeEngine class to be instantiated and its stub registered with the naming service. ComputeEngine is a generic compute-engine class, instances of which run on a high performance machine and process Task objects.
Client
The Compute and Task interfaces are published to prospective users of the compute service. Using these, a client is independently implemented.
Client-side design (class diagram):
  «interface» Compute extends java.rmi.Remote
    +executeTask(in t : Task) : Object
  «interface» Task extends java.io.Serializable
    +execute() : Object
  ComputePi: the client program; it instantiates the Pi class and sends the instance to a remote object whose class implements Compute
  Pi implements Task
    +Pi(in digits : int)
The client's Task, Pi, computes the value of π to a specified number of decimal places.
System operation (static deployment, no mobile code)
Deployed with:
  Client JVM (Desktop PC): Compute, Task, ComputeEngine_Stub, ComputePi and Pi
  Server JVM (High performance computer): Compute, Task, ComputeEngine_Stub, ComputeEngine_Skel and ComputeEngine
  Registry JVM: Compute, Task, ComputeEngine_Stub
Sequence:
  1: Client JVM -> Registry JVM: lookup("compute")
  2: Client JVM -> Server JVM: executeTask(new Pi(10))
What will happen in response to the client's executeTask() request? The Server JVM has no Pi.class on its classpath, so it cannot deserialize the argument: the call fails with an UnmarshalException wrapping a ClassNotFoundException.
Mobile code
What is required is a means to transmit not just objects between JVMs, but their associated bytecode.
The Java RMI middleware supports mobile code by:
  Customising the serialization process. When an object is serialized, additional meta-data can be written comprising a URL identifying from where the object's corresponding class files can be downloaded. This extra data is known as a codebase annotation.
  Employing class servers. A class server is expected to implement either the FTP or HTTP protocol (a file: URL naming a shared file system also works).
Note that the annotation is data in the incoming stream, so the receiving JVM is trusting the sender to name the class server. This is why a SecurityManager is mandatory for dynamic loading (later slides), and why, since JDK 7u21, the property java.rmi.server.useCodebaseOnly defaults to true, making a JVM ignore received annotations and load only from its own configured codebase; the scheme on these slides requires that property to be set to false on such JDKs.
Initial deployment (before any calls are made)
Server computer:
  Registry JVM: no application classes
  ComputeEngine JVM: Compute, Task, ComputeEngine_Stub, ComputeEngine
  HTTP server (class server): Compute, Task, ComputeEngine_Stub
Client computer:
  Client JVM: Compute, Task, ComputePi, Pi
  HTTP server (class server): Pi
System operation with dynamic class loading (sequence diagram):
  1: ComputeEngine JVM -> Registry JVM: bind("compute", ...)
  2: Registry JVM -> server's HTTP server: GET Compute.class, GET Task.class, GET ComputeEngine_Stub.class (to deserialize the stub)
  3: Client JVM -> Registry JVM: lookup("compute")
  4: Client JVM -> server's HTTP server: GET ComputeEngine_Stub.class
  5: Client JVM -> ComputeEngine JVM (via the stub): executeTask(new Pi(20))
  6: ComputeEngine JVM -> client's HTTP server: GET Pi.class
After these steps the Registry JVM holds Compute, Task and ComputeEngine_Stub; the Client JVM holds Compute, Task, ComputePi, Pi and ComputeEngine_Stub; the ComputeEngine JVM holds Compute, Task, ComputeEngine_Stub, ComputeEngine and Pi.
Specifying codebase
The codebase for each JVM can be specified at start-up time:
  java -Djava.rmi.server.codebase=<URL> ...
The URL specifies where class files for objects originating from this JVM can be downloaded, e.g.
  java -Djava.rmi.server.codebase="http://130.218.40.91:2010/" ...
In this case, class files can be downloaded from an HTTP server running on machine 130.218.40.91 and listening on port 2010. A URL naming a directory of class files must end with a "/"; without the trailing slash the URL is taken to name a JAR file. Several URLs may be given, separated by spaces.
With the codebase property set, the JVM, when serializing an object, will add the codebase value to the serialized form of the object.
Dynamic class loading
Cautionary note:
If classes are stored locally, they will be used regardless of
any codebase data received in serialized data
This means that if you statically deploy stub classes with the
Registry, the Registry will use them to deserialize any stub
objects it receives
The Registry will not dynamically download the classes and it will
not keep a record of the codebase annotation
Subsequently, if a client acquires a stub object from the
Registry, the Registry will send the stub without a codebase
annotation
An UnmarshalException (a RemoteException) wrapping a ClassNotFoundException will be thrown in response to the client's lookup call, since the client will not be able to locate the stub class necessary to deserialize the stub.
Mobile code: a security threat
Diagram: a Web browser on a Desktop PC GETs code from a Web server; the downloaded code runs in the browser's JVM and, if unrestricted, could read or delete files on the local Hard disk.
To combat the security risks associated with mobile code, web browsers execute downloaded code in a sandbox. A sandbox restricts what downloaded code can do when executed, e.g. preventing access to local resources, sockets etc.
Mobile code with Java RMI
Diagram: ComputeEngine_Stub moves from the Server to the Registry and from the Registry to the Client; Pi moves from the Client to the Server.
When using dynamic class loading in Java RMI, code moves between JVMs with less well-defined patterns than with downloading applets; instances of different classes have different needs:
  ComputeEngine_Stub objects need to be able to initiate a socket connection from any machine to the Server machine.
  The Pi Task needs no special privileges: Pi instances can do their job without accessing any special resources.
A security mechanism with finer granularity than a basic sandbox is required for Java RMI applications.
Java’s security model
Philosophy
Employ the most restrictive sandbox and explicitly grant specific
permissions to particular codebases to relax the sandbox
Permission categories comprise:
  AWT (and Swing)
  File
  Network
  Socket
  Property
  Reflection
  Run-time
  Serialization
A socket permission declaration associates a set of computer addresses and a range of ports with permitted socket operations:
  grant {
    permission java.net.SocketPermission "*.oreilly.com:1024-", "connect, accept";
  };
Here java.net.SocketPermission is the permission type, "*.oreilly.com:1024-" is the operand (any host in the oreilly.com domain, ports 1024 and above) and "connect, accept" are the permitted operations.
Security Managers
Within a JVM, permissions are enforced by an instance of SecurityManager (or any subclass).
If a SecurityManager is not set, any class is permitted to perform any operation.
If a SecurityManager is set, it uses a specified policy file to determine whether a particular class can perform an operation that requires permission.
SecurityManager (class diagram); each check... method throws a SecurityException if the operation is not permitted:
  +checkAccept(in host : String, in port : int)
  +checkConnect(in host : String, in port : int)
  +checkDelete(in fileName : String)
  +checkRead(in fileName : String)
  +checkWrite(in fileName : String)
To use Java RMI's mobile code functionality, a SecurityManager must be set in the JVM that is to load classes dynamically. (SecurityManager was deprecated for removal in Java 17 by JEP 411; these slides describe the classic model.)
java.rmi.RMISecurityManager: a subclass of SecurityManager which does not actually override or add functionality to SecurityManager.
Installing a SecurityManager
/* Class ComputeEngine; requires import java.rmi.Naming and import java.rmi.RMISecurityManager */
public static void main( String[] args ) {
    // Install the SecurityManager before any remote call, so that classes
    // downloaded during deserialization are subject to the policy file
    if ( System.getSecurityManager() == null ) {
        System.setSecurityManager( new RMISecurityManager() );
    }
    String name = "Compute";
    try {
        Compute engine = new ComputeEngine();
        Naming.rebind( name, engine );     // registers the stub with the Registry
        System.out.println( "ComputeEngine bound" );
    } catch ( Exception e ) {
        System.err.println( "ComputeEngine exception: " + e.getMessage() );
        e.printStackTrace();
    }
}
Once set, a later call to setSecurityManager is itself a checked operation: it throws a SecurityException unless the installed manager's policy grants RuntimePermission "setSecurityManager" to the caller.
Security Managers
Standard JDK classes are implemented to ask the
SecurityManager, if one is set, whether a questionable
operation should be performed
private Socket( InetAddress address, int port, InetAddress localAddr,
                int localPort, boolean stream ) {
    this();
    if ( port < 0 || port > 0xFFFF ) {
        throw new IllegalArgumentException( "port out of range: " + port );
    }
    if ( localPort < 0 || localPort > 0xFFFF ) {
        throw new IllegalArgumentException( "port out of range: " + localPort );
    }
    // Ask the installed SecurityManager, if any, before the connection is made;
    // checkConnect throws SecurityException if the caller is not permitted
    SecurityManager security = System.getSecurityManager();
    if ( security != null ) {
        security.checkConnect( address.getHostAddress(), port );
    }
    // ... the constructor then binds and connects (elided on the slide)
}
SecurityManager behaviour
When a class executes a SecurityManager method, the SecurityManager traverses the entire call stack. If at least one class on the call stack is not granted the required permission (e.g. socket connect), the SecurityManager throws an exception (an AccessControlException, a subclass of SecurityException). Example call stack, innermost frame first:
  java.lang.SecurityManager.checkConnect
  java.net.Socket.connect
  ...
  sun.rmi.registry.RegistryImpl_Stub.rebind
  java.rmi.Naming.rebind
  ComputeEngine.main
Every class on this stack, including ComputeEngine loaded from the local file system, must be granted java.net.SocketPermission connect for the Registry's host and port; JDK system classes such as Socket and RegistryImpl_Stub hold all permissions. The one exception to the full walk is AccessController.doPrivileged: the walk stops at the frame that called it, so trusted code can perform a checked operation on behalf of less-trusted callers.
A security policy file
Permissions granted to all classes dynamically loaded from the HTTP server
running on machine 127.0.0.1. Allow these classes to make socket connections
to any machine using port numbers in the range 1024 to 65535.
grant codeBase "http://127.0.0.1:2010" {
permission java.net.SocketPermission "*:1024-65535", "connect";
};
grant codeBase "file:${user.dir}/dist/-" {
permission java.security.AllPermission;
};
Allow classes loaded locally from the filesystem to
perform all operations.
An installed SecurityManager consults the content of
a policy file in response to a check… method call.
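The stack traversal described on the previous slide and the policy file above are easier to reason about with a small runnable model. The following Python is an added example for these notes, not Java code from the slides or from the JDK: it parses the grant/codeBase/permission syntax shown above, implements the host-wildcard and port-range rules of java.net.SocketPermission, and walks a call stack the way SecurityManager.checkConnect does, denying the operation at the first frame whose code source lacks the permission. The policy text is the one on this slide; the value of ${user.dir}, the jar paths, the ComputePi.main and ComputeEngine.executeTask frames, and the privileged flag (a model of AccessController.doPrivileged, which stops the walk at the frame that called it) are assumptions made for the example, and codebase matching is simplified to exact-URL and "dir/-" forms.

```python
"""Python model, added for these notes (not JDK code), of policy grants, SocketPermission matching and SecurityManager stack inspection."""
import re
from dataclasses import dataclass
from typing import Optional

# Policy text from the slide; ${user.dir} is expanded from PROPERTIES (an assumed value).
POLICY_TEXT = '''
grant codeBase "http://127.0.0.1:2010" {
    permission java.net.SocketPermission "*:1024-65535", "connect";
};
grant codeBase "file:${user.dir}/dist/-" {
    permission java.security.AllPermission;
};
'''
PROPERTIES = {"user.dir": "/home/alice/se325"}
GRANT_RE = re.compile(r'grant(?:\s+codeBase\s+"([^"]*)")?\s*\{(.*?)\}\s*;', re.S)
PERM_RE = re.compile(r'permission\s+([\w.]+)(?:\s+"([^"]*)")?(?:\s*,\s*"([^"]*)")?\s*;')
ALL = "java.security.AllPermission"       # sentinel standing in for AllPermission

@dataclass(frozen=True)
class SocketPermission:
    """Target "host[:portrange]" plus actions, with Java's wildcard and port-range rules."""
    host: str
    low: int
    high: int
    actions: frozenset

    @classmethod
    def parse(cls, target, actions):
        host, _, portspec = target.partition(":")    # IPv6 literals not modelled
        a, dash, b = portspec.partition("-")         # "", "N", "N-", "-N" or "N-M"
        low = int(a) if a else 0
        high = int(b) if b else (low if a and not dash else 65535)
        acts = {s.strip() for s in actions.split(",") if s.strip()}
        acts.add("resolve")                          # any action implies resolve, as in Java
        return cls(host.lower(), low, high, frozenset(acts))

    def implies(self, host, port, action):
        h = host.lower()
        host_ok = self.host == "*" or h == self.host or (
            self.host.startswith("*.") and h.endswith(self.host[1:]))   # e.g. *.oreilly.com
        return host_ok and self.low <= port <= self.high and action in self.actions

@dataclass
class Grant:
    codebase: Optional[str]      # None: the grant applies to all code
    permissions: list

    def covers(self, location):
        """Simplified CodeSource matching: exact URL, or "dir/-" for everything below dir."""
        if self.codebase is None:
            return True
        if self.codebase.endswith("/-"):
            return location.startswith(self.codebase[:-1])
        return self.codebase.rstrip("/") == location.rstrip("/")

    def implies(self, host, port, action):
        return any(p is ALL or p.implies(host, port, action) for p in self.permissions)

def parse_policy(text, props):
    expand = lambda s: re.sub(r"\$\{([^}]+)\}", lambda m: props[m.group(1)], s)
    grants = []
    for codebase, body in GRANT_RE.findall(text):
        perms = []
        for name, target, actions in PERM_RE.findall(body):
            if name == ALL:
                perms.append(ALL)
            elif name == "java.net.SocketPermission":
                perms.append(SocketPermission.parse(target, actions))
            else:
                raise ValueError(f"permission type not modelled: {name}")
        grants.append(Grant(expand(codebase) if codebase else None, perms))
    return grants

@dataclass(frozen=True)
class Frame:
    cls: str
    location: Optional[str]     # None: system class, trusted like the JDK's own code
    privileged: bool = False    # True if this frame called AccessController.doPrivileged

def check_connect(grants, stack, host, port):
    """Walk the stack innermost-first as checkConnect does; None if permitted, else the denying frame."""
    for f in stack:
        if f.location is not None and not any(
                g.covers(f.location) and g.implies(host, port, "connect") for g in grants):
            return f.cls
        if f.privileged:        # doPrivileged: this frame's callers are not consulted
            return None
    return None

GRANTS = parse_policy(POLICY_TEXT, PROPERTIES)
SERVER_JAR = "file:/home/alice/se325/dist/server.jar"   # ComputeEngine, loaded locally (assumed path)
STUB_CODEBASE = "http://127.0.0.1:2010/"                # ComputeEngine_Stub as downloaded by the client
# Stacks, innermost frame first: the rebind stack from the slide; a downloaded stub calling the
# server from the client JVM; a misbehaving Task (downloaded from port 2020, no grant) opening its own socket.
REBIND_STACK = [Frame("java.net.Socket.connect", None), Frame("sun.rmi.registry.RegistryImpl_Stub.rebind", None),
                Frame("java.rmi.Naming.rebind", None), Frame("ComputeEngine.main", SERVER_JAR)]
STUB_STACK = [Frame("java.net.Socket.connect", None), Frame("ComputeEngine_Stub.executeTask", STUB_CODEBASE),
              Frame("ComputePi.main", "file:/home/alice/se325/dist/client.jar")]
ROGUE_STACK = [Frame("java.net.Socket.connect", None), Frame("Pi.execute", "http://127.0.0.1:2020/"),
               Frame("ComputeEngine.executeTask", SERVER_JAR)]
```

check_connect(GRANTS, REBIND_STACK, "127.0.0.1", 1099) and check_connect(GRANTS, STUB_STACK, "127.0.0.1", 1099) return None (permitted): the locally loaded classes fall under the file: AllPermission grant and the downloaded stub under the http grant for ports 1024 and above. check_connect(GRANTS, STUB_STACK, "127.0.0.1", 80) is denied at ComputeEngine_Stub.executeTask, and check_connect(GRANTS, ROGUE_STACK, "203.0.113.9", 4444) at Pi.execute, because no grant covers Pi's codebase, which is exactly the least-privilege outcome the slide on Pi asks for. Marking the ComputeEngine frame privileged would let the same Pi caller succeed, which is why doPrivileged in trusted code deserves review.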
Running the system
Directory layout: policy/java.policy (the security policy file); lib/classServer.jar; dist/client.jar, dist/server.jar, dist/httpForClient/ and dist/httpForServer/ (the last two hold the .class files to be served by the two HTTP servers).
Client computer:
  HTTP server (for client), listening on port 2020 for incoming HTTP requests and reading from dist/httpForClient:
    java -jar lib/classServer.jar 2020 dist/httpForClient
  Client JVM (the codebase is the URL of the HTTP server that serves the client's .class files; 127.0.0.1 is the IP address of the machine running the Registry, and consequently the server too; 20 is the number of decimal places of π to calculate):
    java -Djava.rmi.server.codebase=http://127.0.0.1:2020/ -Djava.security.policy=policy/java.policy -jar dist/client.jar 127.0.0.1 20
Server computer:
  HTTP server (for server), listening on port 2010 and reading from dist/httpForServer:
    java -jar lib/classServer.jar 2010 dist/httpForServer
  Registry JVM (clearing the classpath ensures the Registry has access to no local class files, so it must honour codebase annotations):
    set classpath=
    rmiregistry
  ComputeEngine JVM (the codebase is the URL of the HTTP server that serves the server's .class files):
    java -Djava.rmi.server.codebase=http://127.0.0.1:2010/ -Djava.security.policy=policy/java.policy -Djava.rmi.server.hostname=127.0.0.1 -jar dist/server.jar
The -D options must precede -jar: anything after the jar name is passed to main() as program arguments rather than read as JVM properties.