JavaInCloud
diff --git a/‎cometd-java/bayeux-api/src/main/java/org/cometd/bayeux/ChannelId.java‎
Lines changed: 2 additions & 2 deletions b/‎cometd-java/bayeux-api/src/main/java/org/cometd/bayeux/ChannelId.java‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎cometd-java/bayeux-api/src/main/java/org/cometd/bayeux/server/SecurityPolicy.java‎
Lines changed: 59 additions & 28 deletions b/‎cometd-java/bayeux-api/src/main/java/org/cometd/bayeux/server/SecurityPolicy.java‎
Lines changed: 59 additions & 28 deletions
diff --git a/‎cometd-java/cometd-java-annotations/src/main/java/org/cometd/annotation/ClientAnnotationProcessor.java‎
Lines changed: 22 additions & 14 deletions b/‎cometd-java/cometd-java-annotations/src/main/java/org/cometd/annotation/ClientAnnotationProcessor.java‎
Lines changed: 22 additions & 14 deletions
diff --git a/‎cometd-java/cometd-java-annotations/src/main/java/org/cometd/annotation/ServerAnnotationProcessor.java‎
Lines changed: 22 additions & 14 deletions b/‎cometd-java/cometd-java-annotations/src/main/java/org/cometd/annotation/ServerAnnotationProcessor.java‎
Lines changed: 22 additions & 14 deletions
@@ -343,7 +343,7 @@ public static boolean isMeta(String channelId)
 
     /**
      * <p>Helper method to test if the string form of a {@code ChannelId}
-     * represents a {@link #isService()} service} {@code ChannelId}.</p>
+     * represents a {@link #isService() service} {@code ChannelId}.</p>
      *
      * @param channelId the channel id to test
      * @return whether the given channel id is a service channel id
@@ -355,7 +355,7 @@ public static boolean isService(String channelId)
 
     /**
      * <p>Helper method to test if the string form of a {@code ChannelId}
-     * represents a {@link #isBroadcast()} broadcast} {@code ChannelId}.</p>
+     * represents a {@link #isBroadcast() broadcast} {@code ChannelId}.</p>
      *
      * @param channelId the channel id to test
      * @return whether the given channel id is a broadcast channel id
 
@@ -16,33 +16,35 @@
 
 package org.cometd.bayeux.server;
 
+import org.cometd.bayeux.Session;
+import org.cometd.bayeux.client.ClientSessionChannel;
+
 /**
- * <p>A Bayeux {@link SecurityPolicy} defines the broad authorization constraints that must be enforced by
- * a {@link BayeuxServer}.
- * </p>
- * The usage of SecurityPolicy has been mostly replaced by the more flexible {@link Authorizer}.
- * ,p>
- * <p>A {@link BayeuxServer} may deny the handshake from clients that do not have proper
- * authentication credentials, or may deny clients to publish on reserved channels and so on;
- * all these activities are controlled by the {@link SecurityPolicy} implementation installed
- * on the {@link BayeuxServer}.
+ * A {@link SecurityPolicy} defines the broad authorization constraints that must be
+ * enforced by a {@link BayeuxServer}.
+ * <p />
+ * The usage of {@link SecurityPolicy} has been mostly replaced by the usage of the
+ * more flexible {@link Authorizer} for creation of channels, subscription to channels
+ * and publish to channels.
+ * {@link SecurityPolicy} is still the central authorization component for handshakes.
+ * <p />
+ * A {@link BayeuxServer} may deny the handshake from clients that do not have
+ * proper authentication credentials, or may deny clients to publish on reserved
+ * channels and so on; all these activities are controlled by the {@link SecurityPolicy}
+ * implementation installed on the {@link BayeuxServer} via
+ * {@link BayeuxServer#setSecurityPolicy(SecurityPolicy)}.
+ *
  * @see ServerChannel#addAuthorizer(Authorizer)
  */
 public interface SecurityPolicy
 {
-    /**
-     * Checks if a message should be allowed to create a new channel.
-     *
-     * @param server the {@link BayeuxServer} object
-     * @param session the client sending the message (may be null if an anonymous publish is attempted)
-     * @param channelId the channel to be created
-     * @param message the message trying to create the channel
-     * @return true if the channel should be created
-     */
-    boolean canCreate(BayeuxServer server, ServerSession session, String channelId, ServerMessage message);
-
     /**
      * Checks if a handshake message should be accepted.
+     * <p />
+     * Both remote sessions and local sessions are subject to this check.
+     * Applications usually want local sessions (that is, server-side only sessions related to services)
+     * to always pass this check, so a typical implementation filters local session using
+     * {@link ServerSession#isLocalSession()}.
      *
      * @param server the {@link BayeuxServer} object
      * @param session the session (not yet added to the BayeuxServer)
@@ -53,24 +55,53 @@ public interface SecurityPolicy
     boolean canHandshake(BayeuxServer server, ServerSession session, ServerMessage message);
 
     /**
-     * Checks if a client can publish a message to a channel.
+     * Checks if a message should be allowed to create a new channel.
+     * <p />
+     * A subscribe message or publish message to a channel not yet known to the server triggers this check.
+     * Both remote sessions and local sessions, when performing subscribes or publishes via
+     * {@link ClientSessionChannel#subscribe(ClientSessionChannel.MessageListener)} or
+     * {@link ClientSessionChannel#publish(Object)} are therefore subject to this check.
+     * <p />
+     * Direct calls to {@link BayeuxServer#createIfAbsent(String, ConfigurableServerChannel.Initializer...)}
+     * are not subject to this check.
      *
      * @param server the {@link BayeuxServer} object
-     * @param session the client sending the message (may be null if an anonymous publish is attempted).
-     * @param channel the channel to publish to
-     * @param message the message to being published
-     * @return true if the client can publish to the channel
+     * @param session the client sending the message
+     * @param channelId the channel to be created
+     * @param message the message trying to create the channel
+     * @return true if the channel should be created
      */
-    boolean canPublish(BayeuxServer server, ServerSession session, ServerChannel channel, ServerMessage message);
+    boolean canCreate(BayeuxServer server, ServerSession session, String channelId, ServerMessage message);
 
     /**
-     * Checks if a client is allowed to subscribe to a channel.
+     * Checks if a subscribe message from a client is allowed to subscribe to a channel.
+     * <p />
+     * Both remote and local sessions are subject to this check when performing subscribes via
+     * {@link ClientSessionChannel#subscribe(ClientSessionChannel.MessageListener)}.
+     * <p />
+     * {@link ServerChannel#subscribe(ServerSession)} is not subject to this check.
      *
      * @param server the {@link BayeuxServer} object
-     * @param session the client sending the message (may be null if an anonymous subscribe is attempted).
+     * @param session the client sending the message
      * @param channel the channel to subscribe to
      * @param message the subscribe message
      * @return true if the client can subscribe to the channel
      */
     boolean canSubscribe(BayeuxServer server, ServerSession session, ServerChannel channel, ServerMessage message);
+
+    /**
+     * Checks if a client can publish a message to a channel.
+     * <p />
+     * Both remote and local sessions are subject to this check when performing publishes via
+     * {@link ClientSessionChannel#publish(Object)}.
+     * <p />
+     * {@link ServerChannel#publish(Session, Object, String)} is not subject to this check.
+     *
+     * @param server the {@link BayeuxServer} object
+     * @param session the client sending the message
+     * @param channel the channel to publish to
+     * @param message the message to being published
+     * @return true if the client can publish to the channel
+     */
+    boolean canPublish(BayeuxServer server, ServerSession session, ServerChannel channel, ServerMessage message);
 }
@@ -19,6 +19,7 @@
 import java.lang.reflect.Field;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
+import java.lang.reflect.Modifier;
 import java.util.Arrays;
 import java.util.List;
 import java.util.concurrent.ConcurrentHashMap;
@@ -109,6 +110,9 @@ private boolean processCallbacks(Object bean)
         if (serviceAnnotation == null)
             return false;
 
+        if (!Modifier.isPublic(klass.getModifiers()))
+            throw new IllegalArgumentException("Service class '" + klass.getName() + "' must be public");
+
         boolean result = processListener(bean);
         result |= processSubscription(bean);
         return result;
@@ -218,6 +222,9 @@ private boolean processListener(Object bean)
                 Listener listener = method.getAnnotation(Listener.class);
                 if (listener != null)
                 {
+                    if (!Modifier.isPublic(method.getModifiers()))
+                        throw new IllegalArgumentException("Service method '" + method.getName() + "' in class '" + method.getDeclaringClass().getName() + "' must be public");
+
                     String[] channels = listener.value();
                     for (String channel : channels)
                     {
@@ -272,6 +279,9 @@ private boolean processSubscription(Object bean)
                 Subscription subscription = method.getAnnotation(Subscription.class);
                 if (subscription != null)
                 {
+                    if (!Modifier.isPublic(method.getModifiers()))
+                        throw new IllegalArgumentException("Service method '" + method.getName() + "' in class '" + method.getDeclaringClass().getName() + "' must be public");
+
                     String[] channels = subscription.value();
                     for (String channel : channels)
                     {
@@ -336,24 +346,23 @@ private ListenerCallback(Object target, Method method, String channel)
 
         public void onMessage(ClientSessionChannel channel, Message message)
         {
-            boolean accessible = method.isAccessible();
             try
             {
-                method.setAccessible(true);
                 method.invoke(target, message);
             }
             catch (InvocationTargetException x)
             {
-                throw new RuntimeException(x.getCause());
+                Throwable cause = x.getCause();
+                if (cause instanceof RuntimeException)
+                    throw (RuntimeException)cause;
+                if (cause instanceof Error)
+                    throw (Error)cause;
+                throw new RuntimeException(cause);
             }
             catch (IllegalAccessException x)
             {
                 throw new RuntimeException(x);
             }
-            finally
-            {
-                method.setAccessible(accessible);
-            }
         }
     }
 
@@ -399,24 +408,23 @@ private void subscribe()
 
         private void forward(Message message)
         {
-            boolean accessible = method.isAccessible();
             try
             {
-                method.setAccessible(true);
                 method.invoke(target, message);
             }
             catch (InvocationTargetException x)
             {
-                throw new RuntimeException(x.getCause());
+                Throwable cause = x.getCause();
+                if (cause instanceof RuntimeException)
+                    throw (RuntimeException)cause;
+                if (cause instanceof Error)
+                    throw (Error)cause;
+                throw new RuntimeException(cause);
             }
             catch (IllegalAccessException x)
             {
                 throw new RuntimeException(x);
             }
-            finally
-            {
-                method.setAccessible(accessible);
-            }
         }
     }
 }
@@ -19,6 +19,7 @@
 import java.lang.reflect.Field;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
+import java.lang.reflect.Modifier;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
@@ -242,6 +243,9 @@ public boolean processCallbacks(Object bean)
         if (serviceAnnotation == null)
             return false;
 
+        if (!Modifier.isPublic(klass.getModifiers()))
+            throw new IllegalArgumentException("Service class '" + klass.getName() + "' must be public");
+
         LocalSession session = findOrCreateLocalSession(bean, serviceAnnotation.value());
         boolean result = processListener(bean, session);
         result |= processSubscription(bean, session);
@@ -378,6 +382,9 @@ private boolean processListener(Object bean, LocalSession localSession)
                 Listener listener = method.getAnnotation(Listener.class);
                 if (listener != null)
                 {
+                    if (!Modifier.isPublic(method.getModifiers()))
+                        throw new IllegalArgumentException("Service method '" + method.getName() + "' in class '" + method.getDeclaringClass().getName() + "' must be public");
+
                     String[] channels = listener.value();
                     for (String channel : channels)
                     {
@@ -433,6 +440,9 @@ private boolean processSubscription(Object bean, LocalSession localSession)
                 Subscription subscription = method.getAnnotation(Subscription.class);
                 if (subscription != null)
                 {
+                    if (!Modifier.isPublic(method.getModifiers()))
+                        throw new IllegalArgumentException("Service method '" + method.getName() + "' in class '" + method.getDeclaringClass().getName() + "' must be public");
+
                     String[] channels = subscription.value();
                     for (String channel : channels)
                     {
@@ -498,25 +508,24 @@ public boolean onMessage(ServerSession from, ServerChannel channel, ServerMessag
             if (from == localSession.getServerSession() && !receiveOwnPublishes)
                 return true;
 
-            boolean accessible = method.isAccessible();
             try
             {
-                method.setAccessible(true);
                 Object result = method.invoke(target, from, message);
                 return !Boolean.FALSE.equals(result);
             }
             catch (InvocationTargetException x)
             {
-                throw new RuntimeException(x.getCause());
+                Throwable cause = x.getCause();
+                if (cause instanceof RuntimeException)
+                    throw (RuntimeException)cause;
+                if (cause instanceof Error)
+                    throw (Error)cause;
+                throw new RuntimeException(cause);
             }
             catch (IllegalAccessException x)
             {
                 throw new RuntimeException(x);
             }
-            finally
-            {
-                method.setAccessible(accessible);
-            }
         }
     }
 
@@ -541,24 +550,23 @@ public SubscriptionCallback(LocalSession localSession, Object target, Method met
 
         public void onMessage(ClientSessionChannel channel, Message message)
         {
-            boolean accessible = method.isAccessible();
             try
             {
-                method.setAccessible(true);
                 method.invoke(target, message);
             }
             catch (InvocationTargetException x)
             {
-                throw new RuntimeException(x.getCause());
+                Throwable cause = x.getCause();
+                if (cause instanceof RuntimeException)
+                    throw (RuntimeException)cause;
+                if (cause instanceof Error)
+                    throw (Error)cause;
+                throw new RuntimeException(cause);
             }
             catch (IllegalAccessException x)
             {
                 throw new RuntimeException(x);
             }
-            finally
-            {
-                method.setAccessible(accessible);
-            }
         }
     }
 }
Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,7 @@`
`19`	`19`	`import java.lang.reflect.Field;`
`20`	`20`	`import java.lang.reflect.InvocationTargetException;`
`21`	`21`	`import java.lang.reflect.Method;`
	`22`	`+import java.lang.reflect.Modifier;`
`22`	`23`	`import java.util.Arrays;`
`23`	`24`	`import java.util.List;`
`24`	`25`	`import java.util.concurrent.ConcurrentHashMap;`
`@@ -109,6 +110,9 @@ private boolean processCallbacks(Object bean)`
`109`	`110`	`if (serviceAnnotation == null)`
`110`	`111`	`return false;`
`111`	`112`
	`113`	`+ if (!Modifier.isPublic(klass.getModifiers()))`
	`114`	`+ throw new IllegalArgumentException("Service class '" + klass.getName() + "' must be public");`
	`115`	`+`
`112`	`116`	`boolean result = processListener(bean);`
`113`	`117`	`result \|= processSubscription(bean);`
`114`	`118`	`return result;`
`@@ -218,6 +222,9 @@ private boolean processListener(Object bean)`
`218`	`222`	`Listener listener = method.getAnnotation(Listener.class);`
`219`	`223`	`if (listener != null)`
`220`	`224`	`{`
	`225`	`+ if (!Modifier.isPublic(method.getModifiers()))`
	`226`	`+ throw new IllegalArgumentException("Service method '" + method.getName() + "' in class '" + method.getDeclaringClass().getName() + "' must be public");`
	`227`	`+`
`221`	`228`	`String[] channels = listener.value();`
`222`	`229`	`for (String channel : channels)`
`223`	`230`	`{`
`@@ -272,6 +279,9 @@ private boolean processSubscription(Object bean)`
`272`	`279`	`Subscription subscription = method.getAnnotation(Subscription.class);`
`273`	`280`	`if (subscription != null)`
`274`	`281`	`{`
	`282`	`+ if (!Modifier.isPublic(method.getModifiers()))`
	`283`	`+ throw new IllegalArgumentException("Service method '" + method.getName() + "' in class '" + method.getDeclaringClass().getName() + "' must be public");`
	`284`	`+`
`275`	`285`	`String[] channels = subscription.value();`
`276`	`286`	`for (String channel : channels)`
`277`	`287`	`{`
`@@ -336,24 +346,23 @@ private ListenerCallback(Object target, Method method, String channel)`
`336`	`346`
`337`	`347`	`public void onMessage(ClientSessionChannel channel, Message message)`
`338`	`348`	`{`
`339`		`- boolean accessible = method.isAccessible();`
`340`	`349`	`try`
`341`	`350`	`{`
`342`		`- method.setAccessible(true);`
`343`	`351`	`method.invoke(target, message);`
`344`	`352`	`}`
`345`	`353`	`catch (InvocationTargetException x)`
`346`	`354`	`{`
`347`		`- throw new RuntimeException(x.getCause());`
	`355`	`+ Throwable cause = x.getCause();`
	`356`	`+ if (cause instanceof RuntimeException)`
	`357`	`+ throw (RuntimeException)cause;`
	`358`	`+ if (cause instanceof Error)`
	`359`	`+ throw (Error)cause;`
	`360`	`+ throw new RuntimeException(cause);`
`348`	`361`	`}`
`349`	`362`	`catch (IllegalAccessException x)`
`350`	`363`	`{`
`351`	`364`	`throw new RuntimeException(x);`
`352`	`365`	`}`
`353`		`- finally`
`354`		`- {`
`355`		`- method.setAccessible(accessible);`
`356`		`- }`
`357`	`366`	`}`
`358`	`367`	`}`
`359`	`368`
`@@ -399,24 +408,23 @@ private void subscribe()`
`399`	`408`
`400`	`409`	`private void forward(Message message)`
`401`	`410`	`{`
`402`		`- boolean accessible = method.isAccessible();`
`403`	`411`	`try`
`404`	`412`	`{`
`405`		`- method.setAccessible(true);`
`406`	`413`	`method.invoke(target, message);`
`407`	`414`	`}`
`408`	`415`	`catch (InvocationTargetException x)`
`409`	`416`	`{`
`410`		`- throw new RuntimeException(x.getCause());`
	`417`	`+ Throwable cause = x.getCause();`
	`418`	`+ if (cause instanceof RuntimeException)`
	`419`	`+ throw (RuntimeException)cause;`
	`420`	`+ if (cause instanceof Error)`
	`421`	`+ throw (Error)cause;`
	`422`	`+ throw new RuntimeException(cause);`
`411`	`423`	`}`
`412`	`424`	`catch (IllegalAccessException x)`
`413`	`425`	`{`
`414`	`426`	`throw new RuntimeException(x);`
`415`	`427`	`}`
`416`		`- finally`
`417`		`- {`
`418`		`- method.setAccessible(accessible);`
`419`		`- }`
`420`	`428`	`}`
`421`	`429`	`}`
`422`	`430`	`}`