felix-dev mailing list archives

From "Simon Joseph Aquilina (JIRA)" <j...@apache.org>
Subject [jira] [Created] (FELIX-5162) Security Conditions not working on Java 1.8
Date Mon, 11 Jan 2016 14:37:39 GMT
Simon Joseph Aquilina created FELIX-5162:

             Summary: Security Conditions not working on Java 1.8
                 Key: FELIX-5162
                 URL: https://issues.apache.org/jira/browse/FELIX-5162
             Project: Felix
          Issue Type: Bug
          Components: Framework Security
    Affects Versions: framework.security-2.4.0
         Environment: Java 1.8
            Reporter: Simon Joseph Aquilina
            Priority: Minor

Hello, I have done my tests on the Java runtimes "1.7.0_71" and "1.8.0_25", and Felix "felix-framework-5.4.0".
I have enabled security by adding "org.apache.felix.framework.security-2.4.0" to the bundle

I have then created three projects: "p1-check", "p1-policy" and the offending bundle "p1-evil"
(I'll attach all code). My scenario is as follows: I do not want p1-evil to connect to the
Internet. However, in the p1-evil Activator I placed some code that makes a request to Google and
prints the response.

The p1-check bundle has only one condition: MyCheck.java. The isSatisfied() method of MyCheck
returns true if the bundle symbolic name is "com.p1.evil", which is the symbolic name of the
p1-evil bundle. 

This is meant to be used with the following security rule (can be found in security.policy)

  ( java.net.SocketPermission "*" "connect" ) 
} "MyCheck" 

(Note: I also tried "connect,resolve"; it still does not work on Java 1.8.)

When I execute felix.jar with Java 1.7 I can see the logs from p1-check and, as expected, p1-evil
does not connect and I get an exception [java.security.AccessControlException: access denied
("java.net.SocketPermission" "google.com:80" "connect,resolve")]

When I execute felix.jar with Java 1.8 I can see the logs from p1-check; however, the p1-evil activator
is still allowed to connect to Google.

I have tried this on two different machines and I got the same results. Am I doing something
wrong? Or is there something I do not know?

This message was sent by Atlassian JIRA
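
A diagnostic for comparing the two runtimes in the scenario reported above, as an added example that is not part of the original report or its attached projects. The class name SocketPermissionProbe and its probe method are hypothetical; only JDK classes are used, and the probe reports three things separately: whether a SecurityManager is installed, what the caller's protection domain answers, and what the full stack check decides.

```java
import java.net.SocketPermission;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;

/** Added diagnostic (hypothetical name); call probe() from the Activator under test. */
public final class SocketPermissionProbe {

    /** Returns one line per check so the output of both runtimes can be diffed. */
    public static String probe(Class<?> caller, String hostPort) {
        // Same permission shape as in the AccessControlException quoted in the report.
        Permission needed = new SocketPermission(hostPort, "connect,resolve");
        StringBuilder out = new StringBuilder();
        out.append("java.version=").append(System.getProperty("java.version")).append('\n');

        // 1. Without a SecurityManager, no permission check is made on connect.
        SecurityManager sm = System.getSecurityManager();
        out.append("securityManager=")
           .append(sm == null ? "none" : sm.getClass().getName()).append('\n');

        // 2. What the caller's own protection domain answers for this permission.
        String domain;
        try {
            domain = String.valueOf(caller.getProtectionDomain().implies(needed));
        } catch (SecurityException e) {
            // Reading the domain itself needs RuntimePermission "getProtectionDomain".
            domain = "unavailable: " + e.getMessage();
        }
        out.append("domainImplies=").append(domain).append('\n');

        // 3. The stack-based check that the default SecurityManager delegates to.
        String result;
        try {
            AccessController.checkPermission(needed);
            result = "granted";
        } catch (AccessControlException e) {
            result = "denied: " + e.getMessage();
        }
        out.append("checkPermission=").append(result).append('\n');
        return out.toString();
    }

    public static void main(String[] args) {
        // Stand-alone run; inside a bundle, pass the Activator class instead.
        System.out.print(probe(SocketPermissionProbe.class, "google.com:80"));
    }
}
```

Running it under both Java versions and diffing the output shows which of the three checks changes between them.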
