I'm currently writing a java API for proxylet execution in a local java
runtime environment. I have prepared a draft, but would like to get some sort
of consensus with the community before diving in there and publishing it.
Here's an extract from my draft. I dont include the full API description
which is far too long for submission here when converted into an Internet
draft descriptions.
I welcome all comments and criticisms.
If you wish to review the whole draft ID I could email you it. Its a little
too long to post in full here.
Regards,
Andy Walker
Thundercrack Ltd.
Abstract
This document describes a Java language binding for proxylets and
the local java execution environment within which the proxylets will
run.
Proxylets are plug-in modules to an Open Pluggable Edge Server (OPES)
device that execute locally within a well defined secure execution
environment. Proxylets allow arbitrary modification of messages
under the authority of either the origin server or the end user. The
proxylet sandbox constrains the modifications to messages to be
within the bounds within which the proxylet has been granted authority.
1. Introduction
Open Pluggable Edge Servers (OPES) described in
draft-tomlinson-epsfw-00.txt allows end users
and origin servers to provision content adaption services at the OPES
device. These content adaption services are explicitly authorized to
perform their content modifications via a policy framework. The
authorising party defines a set of configuration rules using IRML.
When a request arrives at the OPES device that matches a rule
an appropriate service is brought into service that can carry out any
necessary content adaption, or arbitrary processing. The underlying
rule processing architecture is described in draft-yang-opes-rule-
processing-service-execution-00.txt. There are two types of
service available: -
1. Call out services. The request and response messages are
vectored out to a service using a suitable callout protocol. The
remote service carries out the processing and returns the
modified message.
2. Local services. The request and response messages are passed to
a local proxylet service. The proxylet service executes within
its local execution environment, and returns the modified
message.
This draft examines proxylets, their runtime life-cycle, a possible
java binding, and the local execution environment security.
Areas of proxylet management that are beyond the scope of this draft
and require further analysis are : -
Proxylet description with OMML.
Proxylet trigger conditions (IRML etc)
Proxylet distribution and deployment
Proxylet configuration
Proxylet logging
Proxylet validation, and/or compliance testing.
This draft focuses on a set of Java interfaces that expose the
available resources, the message data, and the local configuration,
to locally executing proxylet services. The interface allows
straightforward manipulation of message protocol headers and gives
direct IOStream access to each message payload.
2. Proxylet binding overview
Proxylets are small pieces of code that transform messages at an
intermediary, they are managed and executed by a Proxylet Engine.
The proxylet engine manages the proxylet's life-cycle from its
instantiation, through repeated execution of its
service, to its eventual destruction.
The proxylet engine is responsible for setting up the proxylet in a
suitable security sandbox protecting the underlying
server against malicious resource misuse, protecting the end user
from irresponsible and undesired content modification and protecting
the content provider from potential data hijacking.
The proxylet engine interacts with proxylets via interfaces from the
org.ietf.opes.proxylet package. The protocol-specific proxylet
extensions are found within the a sub package from
org.ietf.opes.proxylet. For example, HTTP proxylets use the package
org.ietf.opes.proxylet.http.
The base interface for a proxylet is org.ietf.opes.proxy.Proxylet.
The proxylets must implement the Proxylet interface,
or an interface that extends Proxylet. Proxylets alter requests
using their modRequest method, and responses via their
modResponse method. Protocol specific extensions to
the Proxylet interface may provide a different method for each of the
protocol message types. For example, HTTPProxylet
will have modGetRequest and a modGetResponse methods dealing with the
adaption of a HTTP GET requests and its subsequent response message.
The proxylet engine will parse the request message into a
ProxyletRequest object, and a response into a
ProxyletResponse object. The ProxyletRequest and
ProxyletResponse interfaces manage the collection of protocol headers
and provide hooks into IO streams representing the message's payload.
Again, protocol-specific extensions to the Request and Response
objects will expose protocol-specific attributes of the request and
response
3. Proxylet runtime life-cycle
The life-cycle of the proxylet is
o instantiation
o initialisation
o service
o destruction
o undeployment
<snip>
4. Overview of Package: org.ietf.opes.proxylet
ProxyletConfig
Collects together the initialisation properties of the underlying
server, the proxylet metadata, and the proxylet instantiation data
specified for the given proxylet URI.
ProxyletContext
The ProxyletContext interface describes the set of methods by
which a proxylet can communicate with its underlying proxylet
engine.
SingleThreadedProxylet
This interface tags the implementing class informing the server
that there should be a new instantiation of the Proxylet each time
the server needs to execute the proxylet code.
ProxyletSessionData
The ProxyletSessionData wraps any stateful object that is placed
on the ProxyletSession object.
ProxyletResponse
Defines the object that the proxylet engine will pass to the
proxylet giving information regarding the server's response.
Cookie
Cookie represents the access interface for HTTP-like cookies.
PropertyBasedObject
PropertyBasedObject gives access to an object's properties and
attributes, by indexing the data by a String naming the particular
property of interest.
Proxylet
Proxylets are small pieces of code that execute on an intermediary
at the request of an authorising party.
ProxyletRequest
Defines the interface through which a proxylet may interact with
the request message currently being processed by the server.
ProxyletSession
The client holds a session with the processing intermediary that
may retain stateful data pertaining to the client's relationship
with the proxy, and the client's relationship with any
appropriately authorised upstream origin servers.
ProxyletStatus
The ProxyletStatus object represents the possible return values
from a proxylet.
ProxyletException
ProxyletException is thrown whenever the proxylet encounters
unusual circumstances and is unable to execute correctly.
5. Overview of Package: org.ietf.opes.proxylet.http
HTTPCookie
HTTPCookie overrides the standard proxylet Cookie giving the
object the HTTP specific facilities that enable the proxylet
writer to quickly and simply inspect and modify HTTP cookies.
HTTPProxylet
HTTPProxylet is the HTTP protocol-specific interface enhancing the
standard proxylet interface.
HTTPProxyletResponse
HTTPProxyletResponse enhances the standard ProxyletResponse with
HTTP protocol-specific extensions.
HTTPProxyletRequest
The HTTPProxyletRequest interface defines the HTTP protocol
extensions to the org.ietf.opes.proxylet.ProxyletRequest interface.
6. Complete API details
<snip>
7. Security Considerations
<snip>
Andrew J. Walker
Thundercrack Ltd.
17 Rathbone Street
London, London W1T 1ND
GB
Phone: +44 020 7631 1000
EMail: andrew(_dot_)walker(_at_)thundercrack(_dot_)com
URI: http://www.thundercrack.com