felix-dev mailing list archives

From "Karl Pauls (JIRA)" <j...@apache.org>
Subject [jira] Created: (FELIX-654) Subject.doAs not supported
Date Fri, 01 Aug 2008 12:00:32 GMT
Subject.doAs not supported
--------------------------

                 Key: FELIX-654
                 URL: https://issues.apache.org/jira/browse/FELIX-654
             Project: Felix
          Issue Type: Bug
          Components: Framework
    Affects Versions: felix-1.0.4
            Reporter: Karl Pauls
            Assignee: Karl Pauls
             Fix For: felix-1.0.5


Subject.doAs allows work to be performed as a particular Subject. It first retrieves the current
Thread's AccessControlContext via AccessController.getContext, and then instantiates a new
AccessControlContext using the retrieved context along with a new SubjectDomainCombiner (constructed
using the provided Subject). Finally, this method invokes AccessController.doPrivileged, passing
it the provided PrivilegedAction, as well as the newly constructed AccessControlContext. 

The issue is that the SubjectDomainCombiner does update the relevant ProtectionDomains with
the Principals from the Subject associated with this SubjectDomainCombiner by creating a new
ProtectionDomain instance for each ProtectionDomain in the currentDomains array. Each new
ProtectionDomain instance is created using the CodeSource, Permissions and ClassLoader from
the corresponding ProtectionDomain in currentDomains, as well as with the Principals from
the Subject associated with this SubjectDomainCombiner. 

This doesn't work well with the OSGi spec due to the fact that each bundle (or revision to
be precise) has its own custom ProtectionDomain which is lost when Subject.doAs is used. There
is a way to make it work for most scenarios, namely, make the custom ProtectionDomain return
a special PermissionCollection because that is reused by the ProtectionDomain created by
the SubjectDomainCombiner if no custom policy is installed (in the latter case a different
workaround would be needed).

Currently, Felix doesn't work when Subject.doAs is used and security is enabled. 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
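
The behaviour described in the report, as an added example that is not part of the original message and is not Felix code: it passes a custom ProtectionDomain through SubjectDomainCombiner.combine and compares a permission check placed in an implies() override with the same check placed in the PermissionCollection. The names CombinerDemo, BundleDomain, BundlePermissions, bundleAllows and the permission name "bundle.allowed" are hypothetical; it assumes a JDK that still ships these APIs with the default policy (Java 8 to 17) and no custom javax.security.auth.Policy.

```java
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.util.Collections;
import java.util.Enumeration;
import javax.security.auth.Subject;
import javax.security.auth.SubjectDomainCombiner;

public class CombinerDemo {
    // Hypothetical per-bundle decision; stands in for a framework's own permission logic.
    static boolean bundleAllows(Permission p) {
        return p instanceof RuntimePermission && "bundle.allowed".equals(p.getName());
    }

    // Custom domain that decides in implies(). The combiner builds a plain
    // ProtectionDomain from getCodeSource()/getPermissions()/getClassLoader(),
    // so this override does not carry over.
    static class BundleDomain extends ProtectionDomain {
        BundleDomain(PermissionCollection pc) {
            super(null, pc, BundleDomain.class.getClassLoader(), null);
        }
        @Override public boolean implies(Permission p) { return bundleAllows(p); }
    }

    // Workaround from the report: keep the decision in the PermissionCollection,
    // because that object is handed to the ProtectionDomain the combiner creates.
    static class BundlePermissions extends PermissionCollection {
        @Override public void add(Permission p) { throw new SecurityException("read-only"); }
        @Override public boolean implies(Permission p) { return bundleAllows(p); }
        @Override public Enumeration<Permission> elements() { return Collections.emptyEnumeration(); }
    }

    // Same combine step Subject.doAs triggers, called directly for one domain.
    static ProtectionDomain combined(ProtectionDomain pd) {
        SubjectDomainCombiner combiner = new SubjectDomainCombiner(new Subject());
        return combiner.combine(new ProtectionDomain[] { pd }, null)[0];
    }

    public static void main(String[] args) {
        Permission p = new RuntimePermission("bundle.allowed");
        ProtectionDomain overrideOnly = combined(new BundleDomain(new Permissions()));
        ProtectionDomain viaCollection = combined(new BundleDomain(new BundlePermissions()));
        System.out.println("implies() override:   " + overrideOnly.getClass().getName()
                + " -> " + overrideOnly.implies(p));
        System.out.println("PermissionCollection: " + viaCollection.getClass().getName()
                + " -> " + viaCollection.implies(p));
    }
}
```

Compare the class name and the implies() result on the two output lines to see which placement of the check survives the combiner.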

