ace-users mailing list archives

From Karl Pauls <karlpa...@gmail.com>
Subject Re: ACE parts and security
Date Thu, 16 Jun 2016 13:58:24 GMT
> - In the target environments, I was trying to limit the usage of bundles
> signed by me. I have tried to have a prototype only with Felix, but despite
> having followed these instructions, no success:
>
>
> http://felix.apache.org/documentation/subprojects/apache-felix-framework-security.html


I'm not sure you followed the instructions there correctly. The
"all.policy" is the java security policy file and needs to be unchanged
(i.e., it needs to give all permission to *) - see below.


>
> I have put this content in the policy file:
>
> allow {
> [org.osgi.service.condpermadmin.BundleSignerCondition "*" ]
> (java.security.AllPermission)
> } "all_signed"
>
> java.security.policy: error parsing
> file:/C:/dev/felix-framework-5.4.0/all.policy:
>         line 1: expected [;], found [allow]
> ERROR: Error creating bundle cache. (java.security.AccessControlException:
> access denied ("java.io.FilePermission" ".\felix-cache" "read"))
>
> Syntax seems to be fine to me; I have checked the OSGi 5 spec (50.2.5)
> policy ::= access ’{’ conditions permissions’}’ name?
> access ::= ’ALLOW’ | ’DENY’ // case insensitive
> conditions ::= ( ’[’ qname quoted-string* ’]’ )*
> permissions ::= ( ’(’ qname (quoted-string
> quoted-string?)? ’)’ )+
> name ::= quoted-string
>
> Have you ever seen similar exception?
>

This is the syntax for the OSGi ConditionalPermissionTuple serialization
format. You can't put that into a java security policy file. If you want to
do something similar you'd have to provide your own implementation that
reads such a policy file and uses the ConditionalPermissionAdmin to set up
the security policies correctly. You can find (a somewhat usable but very
simple) example implementation here:

https://github.com/mcculls/osgi-in-action/blob/master/chapter14/combined-example/org.foo.policy/src/org/foo/policy/Activator.java

It might make sense to look at the complete example too:

https://github.com/mcculls/osgi-in-action/tree/master/chapter14/combined-example


regards,

Karl




> Many thanks in advance for this great work in ACE project!!
>
>
> --
> ____________________________________
> Jorge Martin Cuervo
>
> email <jorge@martincuervo.com>
> ___________________________________
>



-- 
Karl Pauls
karlpauls@gmail.com
http://twitter.com/karlpauls
http://www.linkedin.com/in/karlpauls
https://profiles.google.com/karlpauls
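
The approach described in the reply, as an added example that is not part of the original message and is not the linked osgi-in-action code: a bundle activator that reads OSGi-encoded tuples from a separate file and commits them through ConditionalPermissionAdmin. The package, class name, the `example.policy.file` property, and the one-tuple-per-line file layout with `#` comments are assumptions made for illustration.

```java
package example.policy; // hypothetical package name
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.List;
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;
import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
import org.osgi.service.condpermadmin.ConditionalPermissionInfo;
import org.osgi.service.condpermadmin.ConditionalPermissionUpdate;

public class PolicyActivator implements BundleActivator {
    // Hypothetical framework property naming the tuple file (one encoded tuple per line).
    private static final String POLICY_FILE = "example.policy.file";

    @Override
    public void start(BundleContext context) throws Exception {
        String path = context.getProperty(POLICY_FILE);
        ServiceReference<ConditionalPermissionAdmin> ref =
                context.getServiceReference(ConditionalPermissionAdmin.class);
        if (path == null || ref == null) {
            throw new IllegalStateException("policy file property or CPA service missing");
        }
        ConditionalPermissionAdmin cpa = context.getService(ref);
        try {
            ConditionalPermissionUpdate update = cpa.newConditionalPermissionUpdate();
            List<ConditionalPermissionInfo> table = update.getConditionalPermissionInfos();
            table.clear();
            // First row: this bundle keeps AllPermission so it can change the table later.
            table.add(cpa.newConditionalPermissionInfo(
                    "ALLOW { [org.osgi.service.condpermadmin.BundleLocationCondition \""
                    + context.getBundle().getLocation()
                    + "\"] (java.security.AllPermission) } \"policy_manager\""));
            for (String line : Files.readAllLines(Paths.get(path), StandardCharsets.UTF_8)) {
                String tuple = line.trim();
                if (tuple.isEmpty() || tuple.startsWith("#")) continue; // blank or comment
                // Throws IllegalArgumentException if the tuple does not parse.
                table.add(cpa.newConditionalPermissionInfo(tuple));
            }
            if (!update.commit()) {
                throw new IllegalStateException("permission table was modified concurrently");
            }
        } finally {
            context.ungetService(ref);
        }
    }

    @Override public void stop(BundleContext context) { }
}
```

The tuple from the quoted message goes into the file named by the property, while all.policy stays as the reply says, granting all permission to everything.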
