felix-dev mailing list archives

From "Karl Pauls (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FELIX-5148) Framework Security unusable
Date Tue, 19 Jan 2016 10:49:39 GMT

    [ https://issues.apache.org/jira/browse/FELIX-5148?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15106578#comment-15106578 ]

Karl Pauls commented on FELIX-5148:
-----------------------------------

Ok, I'll try to get to it. For now, Karaf doesn't seem to start for me on my Mac. Just to
make sure, you are not trying to use the standard Java security policy to give permissions,
right?

> Framework Security unusable
> ---------------------------
>
>                 Key: FELIX-5148
>                 URL: https://issues.apache.org/jira/browse/FELIX-5148
>             Project: Felix
>          Issue Type: Bug
>          Components: Configuration Admin, Framework Security
>    Affects Versions: framework.security-2.4.0, configadmin-1.8.0
>            Reporter: Oliver Lietz
>            Assignee: Karl Pauls
>         Attachments: FELIX-5148.site.patch, FELIX-5148.sling-launchpad-builder.patch
>
>
> While fixing an issue with Sling and RMI (SLING-5375) reported by a user I came across an issue (KARAF-3400) reported by [~achim_nierbeck] for Karaf related to framework security.
> There is also an issue with [Sling's own OSGi launcher Launchpad|https://svn.apache.org/viewvc/sling/trunk/launchpad/builder/] and framework security when using {{org.apache.felix.configadmin}} >= {{1.8.0}}.
> {{all.policy}}:
> {noformat}
> grant {
>    permission java.security.AllPermission;
> };
> {noformat}
> Adding {{org.apache.felix/org.apache.felix.framework.security/2.4.0}} to {{boot.txt}} and starting with arguments described on [Framework Security's page|http://felix.apache.org/documentation/subprojects/apache-felix-framework-security.html] (which looks broken) and [{{-Djava.security.manager}}|http://docs.oracle.com/javase/8/docs/technotes/guides/security/spec/security-spec.doc6.html] ([Building Secure OSGi Applications|http://de.slideshare.net/marrs/building-secure-osgi-applications]) throws a {{java.security.AccessControlException}}:
> {noformat}
> java -Djava.security.manager -Djava.security.policy="all.policy" -Dorg.osgi.framework.security="osgi" -jar org.apache.sling.launchpad-9-SNAPSHOT.jar
> {noformat}
> {noformat}
> [...]
> [...] *ERROR* [FelixStartLevel] ERROR: Error starting slinginstall:org.apache.felix.configadmin-1.8.0.jar (java.security.AccessControlException: access denied ("java.io.FilePermission" "/[...]/sling/config" "read"))
> java.security.AccessControlException: access denied ("java.io.FilePermission" "/[...]/sling/config" "read")
> 	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
> 	at java.security.AccessController.checkPermission(AccessController.java:884)
> 	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
> 	at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
> 	at java.io.File.isDirectory(File.java:844)
> 	at org.apache.felix.cm.file.FilePersistenceManager.<init>(FilePersistenceManager.java:342)
> 	at org.apache.felix.cm.impl.ConfigurationManager.start(ConfigurationManager.java:244)
> 	at org.apache.felix.framework.util.SecureAction$Actions.run(SecureAction.java:1709)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at org.apache.felix.framework.util.SecureAction.startActivator(SecureAction.java:688)
> 	at org.apache.felix.framework.Felix.activateBundle(Felix.java:2226)
> 	at org.apache.felix.framework.Felix.startBundle(Felix.java:2144)
> 	at org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1371)
> 	at org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308)
> 	at java.lang.Thread.run(Thread.java:745)
> [...]
> {noformat}
> I had to remove OSGi Subsystems support from {{boot.txt}} when using {{org.apache.felix.configadmin}} {{1.6}}:
> {noformat}
>     org.apache.felix/org.apache.felix.coordinator/1.0.0
>     org.eclipse.equinox/org.eclipse.equinox.region/1.2.101.v20150831-1342
>     org.apache.aries.subsystem/org.apache.aries.subsystem.api/2.0.6
>     org.apache.aries.subsystem/org.apache.aries.subsystem.core/2.0.6
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
