felix-dev mailing list archives

From "Paolo Antinori (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FELIX-5148) Framework Security unusable
Date Wed, 19 Oct 2016 13:13:58 GMT

    [ https://issues.apache.org/jira/browse/FELIX-5148?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15588736#comment-15588736 ]

Paolo Antinori commented on FELIX-5148:
---------------------------------------

Hi, I'm trying to start Karaf according to its security instructions:

1) set a couple of sysprops: `-Djava.security.policy="all.policy" -Dorg.osgi.framework.security="osgi"`
2) enable the Felix security fragment at boot at a very early stage: `org/apache/felix/org.apache.felix.framework.security/2.4.0/org.apache.felix.framework.security-2.4.0.jar=1`

Just start it and see those exceptions popping out.

The instructions have been the same for a long time, and the old 2.3 version of Karaf used to work.

I'm trying to understand where the problem lies, so I'm looking into the instances at runtime to guess what could be the issue here.
  

> Framework Security unusable
> ---------------------------
>
>                 Key: FELIX-5148
>                 URL: https://issues.apache.org/jira/browse/FELIX-5148
>             Project: Felix
>          Issue Type: Bug
>          Components: Configuration Admin, Framework Security
>    Affects Versions: framework.security-2.4.0, configadmin-1.8.0
>            Reporter: Oliver Lietz
>            Assignee: Karl Pauls
>         Attachments: FELIX-5148.site.patch, FELIX-5148.sling-launchpad-builder.patch
>
>
> While fixing an issue with Sling and RMI (SLING-5375) reported by a user I came across an issue (KARAF-3400) reported by [~achim_nierbeck] for Karaf related to framework security.
> There is also an issue with [Sling's own OSGi launcher Launchpad|https://svn.apache.org/viewvc/sling/trunk/launchpad/builder/] and framework security when using {{org.apache.felix.configadmin}} >= {{1.8.0}}.
> {{all.policy}}:
> {noformat}
> grant {
>    permission java.security.AllPermission;
> };
> {noformat}
> Adding {{org.apache.felix/org.apache.felix.framework.security/2.4.0}} to {{boot.txt}} and starting with arguments described on [Framework Security's page|http://felix.apache.org/documentation/subprojects/apache-felix-framework-security.html] (which looks broken) and [{{-Djava.security.manager}}|http://docs.oracle.com/javase/8/docs/technotes/guides/security/spec/security-spec.doc6.html] ([Building Secure OSGi Applications|http://de.slideshare.net/marrs/building-secure-osgi-applications]) throws a {{java.security.AccessControlException}}:
> {noformat}
> java -Djava.security.manager -Djava.security.policy="all.policy" -Dorg.osgi.framework.security="osgi" -jar org.apache.sling.launchpad-9-SNAPSHOT.jar
> {noformat}
> {noformat}
> [...]
> [...] *ERROR* [FelixStartLevel] ERROR: Error starting slinginstall:org.apache.felix.configadmin-1.8.0.jar (java.security.AccessControlException: access denied ("java.io.FilePermission" "/[...]/sling/config" "read"))
> java.security.AccessControlException: access denied ("java.io.FilePermission" "/[...]/sling/config" "read")
> 	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
> 	at java.security.AccessController.checkPermission(AccessController.java:884)
> 	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
> 	at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
> 	at java.io.File.isDirectory(File.java:844)
> 	at org.apache.felix.cm.file.FilePersistenceManager.<init>(FilePersistenceManager.java:342)
> 	at org.apache.felix.cm.impl.ConfigurationManager.start(ConfigurationManager.java:244)
> 	at org.apache.felix.framework.util.SecureAction$Actions.run(SecureAction.java:1709)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at org.apache.felix.framework.util.SecureAction.startActivator(SecureAction.java:688)
> 	at org.apache.felix.framework.Felix.activateBundle(Felix.java:2226)
> 	at org.apache.felix.framework.Felix.startBundle(Felix.java:2144)
> 	at org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1371)
> 	at org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308)
> 	at java.lang.Thread.run(Thread.java:745)
> [...]
> {noformat}
> I had to remove OSGi Subsystems support from {{boot.txt}} when using {{org.apache.felix.configadmin}} {{1.6}}:
> {noformat}
>     org.apache.felix/org.apache.felix.coordinator/1.0.0
>     org.eclipse.equinox/org.eclipse.equinox.region/1.2.101.v20150831-1342
>     org.apache.aries.subsystem/org.apache.aries.subsystem.api/2.0.6
>     org.apache.aries.subsystem/org.apache.aries.subsystem.core/2.0.6
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
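
An added example, not part of the original message and not Felix or Karaf code: a Python triage helper for `AccessControlException` traces like the one quoted above. It reports the denied permission, the first non-JDK frame that triggered the check, and whether that frame runs inside `AccessController.doPrivileged`. The names `triage` and `SAMPLE` are hypothetical, and the sample is abridged from the trace in the issue.

```python
import re

# Abridged from the stack trace quoted in the issue (path elision kept as-is).
SAMPLE = '''\
java.security.AccessControlException: access denied ("java.io.FilePermission" "/[...]/sling/config" "read")
    at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
    at java.io.File.isDirectory(File.java:844)
    at org.apache.felix.cm.file.FilePersistenceManager.<init>(FilePersistenceManager.java:342)
    at org.apache.felix.cm.impl.ConfigurationManager.start(ConfigurationManager.java:244)
    at org.apache.felix.framework.util.SecureAction$Actions.run(SecureAction.java:1709)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.felix.framework.util.SecureAction.startActivator(SecureAction.java:688)
'''

# Both patterns tolerate a leading "> " so quoted mail text can be pasted directly.
DENIED = re.compile(r'^(?:>\s*)?java\.security\.AccessControlException: access denied '
                    r'\("([^"]+)" "([^"]*)"(?: "([^"]*)")?\)')
FRAME = re.compile(r'^(?:>\s*)?\s*at ([\w.$]+)\.([\w$<>]+)\(')
JDK = ("java.", "javax.", "sun.", "jdk.")

def triage(text):
    """Return one dict per denial: permission, target, actions, the first
    non-JDK frame (the code that triggered the check) and whether
    AccessController.doPrivileged appears below that frame. doPrivileged
    stops the permission check from walking further down the stack, so a
    True value narrows the failing protection domain to the frames above it
    plus the direct caller of doPrivileged."""
    findings, cur = [], None
    for line in text.splitlines():
        m = DENIED.match(line)
        if m:
            cur = {"permission": m.group(1), "target": m.group(2),
                   "actions": m.group(3) or "", "caller": None, "privileged": False}
            findings.append(cur)
            continue
        f = FRAME.match(line)
        if not f or cur is None:
            continue
        cls, method = f.groups()
        if cur["caller"] is None and not cls.startswith(JDK):
            cur["caller"] = f"{cls}.{method}"
        elif cls == "java.security.AccessController" and method == "doPrivileged":
            cur["privileged"] = cur["caller"] is not None
    return findings
```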
