felix-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Karl Pauls (JIRA)" <j...@apache.org>
Subject [jira] Resolved: (FELIX-654) Subject.doAs not supported
Date Wed, 20 Aug 2008 16:44:47 GMT

     [ https://issues.apache.org/jira/browse/FELIX-654?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Karl Pauls resolved FELIX-654.
------------------------------

    Resolution: Fixed

I think the current fix is reasonable and seems to work -- hence, I will close this issue
soon. 

> Subject.doAs not supported
> --------------------------
>
>                 Key: FELIX-654
>                 URL: https://issues.apache.org/jira/browse/FELIX-654
>             Project: Felix
>          Issue Type: Bug
>          Components: Framework
>    Affects Versions: felix-1.0.4
>            Reporter: Karl Pauls
>            Assignee: Karl Pauls
>             Fix For: felix-1.2.0
>
>
> Subject.doAs allows to perform work as a particular Subject. It first retrieves the current
Thread's AccessControlContext via AccessController.getContext, and then instantiates a new
AccessControlContext using the retrieved context along with a new SubjectDomainCombiner (constructed
using the provided Subject). Finally, this method invokes AccessController.doPrivileged, passing
it the provided PrivilegedAction, as well as the newly constructed AccessControlContext. 
> The issue is that the SubjectDomainCombiner does update the relevant ProtectionDomains
with the Principals from the Subject associated with this SubjectDomainCombiner by creating
a new ProtectionDomain instance for each ProtectionDomain in the currentDomains array. Each
new ProtectionDomain instance is created using the CodeSource, Permissions and ClassLoader
from the corresponding ProtectionDomain in currentDomains, as well as with the Principals
from the Subject associated with this SubjectDomainCombiner. 
> This doesn't work well with the OSGi spec due to the fact that each bundle (or revision
to be precise) has its own custom ProtectionDomain which is lost when Subject.doAs is used.
There is a way to make it work for most scenarios namely, make the custom ProtectionDomain
return a speciall PermissionCollection because that is reused by the ProtectionDomain created
by the SubjectDomainCombiner if no custom policy is installed (in the later case a different
workaround would be needed). 
> Currently, Felix doesn't work when Subject.doAs is used and security is enabled. 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message