felix-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Karl Pauls" <karlpa...@gmail.com>
Subject Re: Adding permissions in Felix
Date Mon, 03 Nov 2008 13:43:03 GMT
Sorry, I didn't get to it sooner. Right now what you want to do is not
possible using felix. The PermissionAdmin service needs to be provided
by the framework (so you can not use the trialog implementation
anymore). Problem is we don't have one available atm. There is an
alpha version in trunk under security but it needs to be ported to the
latest version of Felix. I hope to find the time to get this done soon
but I can not commit to any date yet. It should work with Felix 1.0.4.

As long as there is no PermissionAdmin service, all bundles have
allpermissions. For various reasons it is not possible to restrict the
bundles to the permissions in the policy file anymore (it would e.g.,
make it impossible to use Felix inside a webstart app).  However, if
all you need is this behavior I might be able to add a quick fix that
does that if a certain property is set (please create a JIRA if you
want that). That might even make the trialog implementation work again
as well (but no guaranties).

regards,

Karl

On Fri, Oct 31, 2008 at 12:48 PM, Krishanu <contactkghosh@gmail.com> wrote:
>
> CONTEXT: We are currently developing a thick client framework using OSGi.
> Although the basic implementation is done, we are now facing a lot of
> problems in providing security to the framework.
>
> I have a Bootstrap.java class that has Felix.jar in its classpath. It
> launches felix using Felix.start() with an initial set of startup bundles
> configured in it. These startup bundles include:
> 1  bundle repository(OBR)
> 2. permission admin(trialog implementation)
> 3. permission manager( i am consuming the permadmin service and set some
> permissions for the bundles )
> 4. application manager ( this exposes appManager service; which in turn
> consumes the repository admin service provided by the OBR bundle, and when
> given Bundle B1 as input, will deploy B1, B2 and B3 in the runtime because
> they are dependent bundles. ) There are some other things appManager service
> does, so we cant use repoadmin directly.
>
> FLOW: For navigation between the thick clent screens, we consume the
> appManager service, with the startup bundle required for the next screen.
> This in turn loads all the required bundles and show me the next screen.
>
> WHAT I WANT: I want to provide certain preset permissions to all the bundles
> in my framework, with a default set of permissions specified.
>
> PROBLEM: In the bootstrap class I instantiate a security manager and give it
> a policy file. The policy file has the following entries:
>
> grant codeBase
> "file:/E:/osgi/FelixLocalRepository/kernel/csp-gui-bootstrap/1.0.0/csp-gui-bootstrap-1.0.0.jar"
> {
>  permission java.security.AllPermission;
> };
>
> grant codeBase
> "file:/E:/osgi/FelixLocalRepository/kernel/felix/1.0.4/felix-1.0.4.jar" {
>  permission java.security.AllPermission;
> };
>
> This works fine. But when the framework starts I want the permission manager
> to take over. This is what we set:
>
> permAdmin.setPermissions(
> "file:/E:/osgi/FelixLocalRepository/kernel/felix/1.0.4/felix-1.0.4.jar",
> new PermissionInfo[]{new PermissionInfo(FilePermission.class.getName(), "*",
> "read,write,delete")});
>
> permAdmin.setPermissions("file:/E:/osgi/FelixLocalRepository/kernel/csp-gui-bootstrap/1.0.0/csp-gui-bootstrap-1.0.0.jar",
> new PermissionInfo[]{new PermissionInfo(FilePermission.class.getName(), "*",
> "read,write,delete")});
>
> permAdmin.setDefaultPermissions(
> new PermissionInfo[] { new PermissionInfo(FilePermission.class.getName(),
> "*", "read,write,delete")});
>
> Without the first 2 entries, felix does not start, even though i mentioned
> it in policy file of the csp-gui-bootstrap.jar.
>
> I am purposely, not granting enough permissions with the
> setDefaultPermissions(), so that the other bundles fail to start. But to my
> surprise, everything starts fine. How is this possible?
>
> If I was unable to give a clear picture of the scenario, plz ask me specific
> questions.
>
> Awaiting reply.
> Krish.
> --
> View this message in context: http://www.nabble.com/Adding-permissions-in-Felix-tp20264359p20264359.html
> Sent from the Apache Felix - Users mailing list archive at Nabble.com.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@felix.apache.org
> For additional commands, e-mail: users-help@felix.apache.org
>
>



-- 
Karl Pauls
karlpauls@gmail.com

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@felix.apache.org
For additional commands, e-mail: users-help@felix.apache.org


Mime
View raw message