Return-Path: Delivered-To: apmail-felix-dev-archive@www.apache.org Received: (qmail 34602 invoked from network); 20 Aug 2008 16:45:39 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 20 Aug 2008 16:45:39 -0000 Received: (qmail 3207 invoked by uid 500); 20 Aug 2008 16:45:36 -0000 Delivered-To: apmail-felix-dev-archive@felix.apache.org Received: (qmail 3170 invoked by uid 500); 20 Aug 2008 16:45:36 -0000 Mailing-List: contact dev-help@felix.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@felix.apache.org Delivered-To: mailing list dev@felix.apache.org Received: (qmail 3159 invoked by uid 99); 20 Aug 2008 16:45:36 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 20 Aug 2008 09:45:36 -0700 X-ASF-Spam-Status: No, hits=-2000.0 required=10.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.140] (HELO brutus.apache.org) (140.211.11.140) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 20 Aug 2008 16:44:47 +0000 Received: from brutus (localhost [127.0.0.1]) by brutus.apache.org (Postfix) with ESMTP id 2AB49234C1BE for ; Wed, 20 Aug 2008 09:44:47 -0700 (PDT) Message-ID: <428147459.1219250687174.JavaMail.jira@brutus> Date: Wed, 20 Aug 2008 09:44:47 -0700 (PDT) From: "Karl Pauls (JIRA)" To: dev@felix.apache.org Subject: [jira] Resolved: (FELIX-654) Subject.doAs not supported In-Reply-To: <1093829016.1217592032333.JavaMail.jira@brutus> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked by ClamAV on apache.org [ https://issues.apache.org/jira/browse/FELIX-654?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Karl Pauls resolved FELIX-654. ------------------------------ Resolution: Fixed I think the current fix is reasonable and seems to work -- hence, I will close this issue soon. > Subject.doAs not supported > -------------------------- > > Key: FELIX-654 > URL: https://issues.apache.org/jira/browse/FELIX-654 > Project: Felix > Issue Type: Bug > Components: Framework > Affects Versions: felix-1.0.4 > Reporter: Karl Pauls > Assignee: Karl Pauls > Fix For: felix-1.2.0 > > > Subject.doAs allows to perform work as a particular Subject. It first retrieves the current Thread's AccessControlContext via AccessController.getContext, and then instantiates a new AccessControlContext using the retrieved context along with a new SubjectDomainCombiner (constructed using the provided Subject). Finally, this method invokes AccessController.doPrivileged, passing it the provided PrivilegedAction, as well as the newly constructed AccessControlContext. > The issue is that the SubjectDomainCombiner does update the relevant ProtectionDomains with the Principals from the Subject associated with this SubjectDomainCombiner by creating a new ProtectionDomain instance for each ProtectionDomain in the currentDomains array. Each new ProtectionDomain instance is created using the CodeSource, Permissions and ClassLoader from the corresponding ProtectionDomain in currentDomains, as well as with the Principals from the Subject associated with this SubjectDomainCombiner. > This doesn't work well with the OSGi spec due to the fact that each bundle (or revision to be precise) has its own custom ProtectionDomain which is lost when Subject.doAs is used. There is a way to make it work for most scenarios namely, make the custom ProtectionDomain return a speciall PermissionCollection because that is reused by the ProtectionDomain created by the SubjectDomainCombiner if no custom policy is installed (in the later case a different workaround would be needed). > Currently, Felix doesn't work when Subject.doAs is used and security is enabled. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.