From: David H. Jr <dh...@hd...> - 2001-03-05 20:30:08
Hey Jythoneers,

I am looking for ideas to deploy a distributed app in a secure fashion. We are using jython for the client gui and logic, and java for the server and communication framework.

A few notes:
1) We are free to install JDK1.3 and Jython on all clients.
2) We must make sure a script can not be run if it has been modified.
3) We must be able to conveniently deliver new versions over the web, but we are flexible as to how.

Obviously, a signed Jar is designed to solve these issues. Is there a way to deploy jython programs without compiling them and using a signed Jar?

Thanks,
Dave

From: charles c. <cc...@ps...> - 2001-03-05 22:41:28
If you have progs on other machines that you want to start running, without knowing the details of what you are doing, one way is just to "rsh" them into existence and have them call back (via sockets) to the master node/dispatching machine, which can be running a daemon-communications server to handle subsequent communications. You can mess around with permissions to beef up security (like setuid to certain user when run).

Charles

David Huttleston Jr wrote:
>
> Hey Jythoneers,
> I am looking for ideas to deploy a distributed
> app in a secure fashion. We are using jython for the
> client gui and logic, and java for the server and
> communication framework.
>
> A few notes:
> 1) We are free to install JDK1.3 and Jython on all
> clients.
> 2) We must make sure a script can not be run if it has
> been modified.
> 3) We must be able to conveniently deliver new versions
> over the web, but we are flexible as to how.
>
> Obviously, a signed Jar is designed to solve these issues.
> Is there a way to deploy jython programs without
> compiling them and using a signed Jar?
>
> Thanks,
> Dave
>
> _______________________________________________
> Jython-users mailing list
> Jyt...@li...
> http://lists.sourceforge.net/lists/listinfo/jython-users

From: David H. Jr <dh...@hd...> - 2001-03-06 00:52:48
Thanks for your response, Charles.

For the systems on our LAN your 'rsh' suggestion could work quite well. But most of our users are not under our direct control-- many users are working at home. We can, however, dictate the runtime environment.

Currently we are distributing the alpha version of this app using a cdrom/web solution. We send a cdrom with the JRE and Jython install files, also included is a small jython script to download the latest jars from our server. For the java classes, this works quite well. But I am less satisfied with the jython situation.

The only solution I have thought of so far is to have the client download a signed jar and unpack it to the file system. Then when a script is run the java framework checks the integrity of the script by comparing to known MD5 hashes stored on the server. Yuck. This would be a nightmare for imports and such.

I am resisting delivering class files created by jythonc because it's another layer of complexity (and another source of bugs). Ideally a signed jar could be used as a virtual file system by jython. That would be sweet!

Thanks again,
Dave

On Mon, 05 Mar 2001 15:44:02 -0700, you wrote:
> If you have progs on other machines that you want to
> start running, without knowing the details of what
> you are doing, one way is just to "rsh" them into
> existence and have them call back (via sockets)
> to the master node/dispatching machine, which can
> be running a daemon-communications server to handle
> subsequent communications. You can mess around with
> permissions to beef up security (like setuid to
> certain user when run).
>
> Charles
>
> David Huttleston Jr wrote:
> >
> > Hey Jythoneers,
> > I am looking for ideas to deploy a distributed
> > app in a secure fashion. We are using jython for the
> > client gui and logic, and java for the server and
> > communication framework.
> >
> > A few notes:
> > 1) We are free to install JDK1.3 and Jython on all
> > clients.
> > 2) We must make sure a script can not be run if it has
> > been modified.
> > 3) We must be able to conveniently deliver new versions
> > over the web, but we are flexible as to how.
> >
> > Obviously, a signed Jar is designed to solve these issues.
> > Is there a way to deploy jython programs without
> > compiling them and using a signed Jar?
> >
> > Thanks,
> > Dave

From: Darrell G. <da...@do...> - 2001-03-06 01:52:20
What you're looking for isn't far from what Gordon provides here--> http://www.mcmillan-inc.com/builder.html

Check out ihooks.py in the standard python dist. Also see archive_rt.py in the above installer.

--Darrell

----- Original Message -----
From: "David Huttleston Jr"
>
> I am resisting delivering class files created by jythonc
> because it's another layer of complexity (and another source
> of bugs). Ideally a signed jar could be used as a virtual
> file system by jython. That would be sweet!
>

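An added example, not part of the original thread and not code from the installer linked above: an import hook that serves modules straight out of an in-memory archive and refuses to execute any member whose digest does not match a pinned manifest, which is the "archive as virtual file system" idea combined with the per-script hash check. It is written for current CPython using `importlib` rather than `ihooks`, swaps the MD5 mentioned in the thread for SHA-256, handles flat top-level modules only, and assumes the manifest reaches the client over a trusted channel (for example inside the signed jar); the module names and helper names are hypothetical.

```python
import hashlib, importlib, importlib.abc, importlib.util, io, sys, zipfile

class VerifiedArchiveFinder(importlib.abc.MetaPathFinder, importlib.abc.Loader):
    """Serve flat top-level modules from an in-memory zip/jar; fail closed on mismatch."""

    def __init__(self, archive_bytes, manifest):
        self._zip = zipfile.ZipFile(io.BytesIO(archive_bytes))
        self._names = set(self._zip.namelist())
        self._manifest = manifest  # {"mod.py": sha256 hex}; assumed to come from a trusted source

    def find_spec(self, fullname, path=None, target=None):
        if fullname + ".py" not in self._names:
            return None  # not in the archive: leave it to the normal finders
        return importlib.util.spec_from_loader(fullname, self)

    def create_module(self, spec):
        return None  # use the default module object

    def exec_module(self, module):
        member = module.__name__ + ".py"
        source = self._zip.read(member)
        digest = hashlib.sha256(source).hexdigest()
        if digest != self._manifest.get(member):  # unlisted members are rejected too
            raise ImportError("integrity check failed: " + member)
        exec(compile(source, "archive:" + member, "exec"), module.__dict__)

def make_archive(files):
    """Constructed sample input: zip a {name: source bytes} dict in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

def import_verified(name, archive_bytes, manifest):
    """Import `name` with the hook ahead of the filesystem finders, then uninstall it."""
    finder = VerifiedArchiveFinder(archive_bytes, manifest)
    sys.meta_path.insert(0, finder)
    try:
        return importlib.import_module(name)
    finally:
        sys.meta_path.remove(finder)
        for mod in [m for m in sys.modules if m + ".py" in finder._names]:
            del sys.modules[mod]  # drop cached copies so a later call re-verifies

# Constructed demo modules (hypothetical names); client_gui imports client_logic.
FILES = {"client_logic.py": b"def total(xs):\n    return sum(xs)\n",
         "client_gui.py": b"import client_logic\nLABEL = 'total=%d' % client_logic.total([1, 2, 3])\n"}
MANIFEST = {n: hashlib.sha256(s).hexdigest() for n, s in FILES.items()}
```

Because the nested `import client_logic` goes through the same hook, a modified dependency blocks the import of the script that uses it, and nothing is unpacked to disk where it could be edited between the check and the run.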