felix-users mailing list archives

From "Karl Pauls" <karlpa...@gmail.com>
Subject Re: Please help in enabling security
Date Mon, 24 Nov 2008 09:58:25 GMT
Hello Hasan,

the framework needs AllPermission. That is what the OSGi specification
requires. It might be possible to limit it to specific permissions, but
there wouldn't be much left. Now, when the framework has AllPermission,
that doesn't have to imply that bundles have AllPermission as well.
However, at the moment that is the case if you use the standard felix
only. What you would have to do is to use the PermissionAdmin service
or the ConditionalPermissionAdmin service to set the permissions for a
bundle.

The problem is, we don't have released versions of the two services. We do
have some implementations in trunk, but they are in an alpha state. In
case you want to give it a try: build the framework.security
subproject (in trunk/framework.security) and install the resulting
artifact as a bundle into felix. That will make the two services
available. See the core spec for how to use them.

regards,

Karl

On Mon, Nov 24, 2008 at 10:50 AM, Hasan <hasan@trialox.org> wrote:
> Thanks Pierre,
>
> My intention is just to give as many permissions as necessary to felix, but
> not all. Thus, I assume there must be a way to define permissions for felix
> so that it can install a new bundle without throwing exceptions, since, if I
> give felix all permissions, no such exception is thrown.
>
> Kind regards
> Hasan
>
> Pierre Parrend wrote:
>>
>> Dear Hassan,
>>
>> with the permissions, you have to define a specific URL Handler for the
>> http protocol. See the class org.apache.felix.framework.URLHandlers (from my
>> memory, the name may be slightly different) for examples for other protocols.
>>
>> I have an implementation on another computer; you should manage to adapt
>> the code yourself, otherwise I can look for my old code.
>>
>> best regards,
>> Pierre
>>
>> Hasan wrote:
>>>
>>> Dear Pierre, dear all
>>>
>>> Thanks for the file. I used and modified your file (see below). With this
>>> policy file, however, I cannot install a new bundle. It threw
>>> java.net.MalformedURLException:
>>>
>>> Welcome to Felix.
>>> =================
>>>
>>> -> install
>>> http://mirror.switch.ch/mirror/apache/dist/felix/org.apache.felix.scr-1.0.6.jar
>>> java.net.MalformedURLException: Unknown protocol: http
>>>
>>> What must be added to the policy file so that it works? Thanks in advance
>>> for answering.
>>>
>>> -- BEGIN of my additional policy file used when starting felix-1.4.0 --
>>> grant codeBase "file:${user.home}/sw/felix-1.4.0/-" {
>>>   permission java.util.PropertyPermission "*", "read,write";
>>>   permission java.io.FilePermission "${user.home}/sw/felix-1.4.0/conf/*", "read";
>>>   permission java.io.FilePermission "${user.home}/sw/felix-1.4.0/-", "read,write,delete";
>>>
>>> //    permission java.io.FilePermission "${user.home}/-", "read,write,delete";
>>>   permission java.io.FilePermission "bundle.lastmodified", "read";
>>>   permission java.io.FilePermission "bundle/*", "read";
>>>
>>>   permission java.io.FilePermission "./felix-cache", "read,write";
>>>   permission java.io.FilePermission "./felix-cache/-", "read,write,delete";
>>>
>>>   permission java.net.NetPermission "specifyStreamHandler";
>>> //    permission java.net.SocketPermission "*", "resolve, connect";
>>>   permission java.net.SocketPermission "*", "accept,connect,listen,resolve";
>>>
>>>   permission java.lang.RuntimePermission "createSecurityManager";
>>>   permission java.lang.RuntimePermission "getProtectionDomain";
>>>   permission java.lang.RuntimePermission "setFactory";
>>>   permission java.lang.RuntimePermission "createClassLoader";
>>>   permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
>>>   permission java.lang.RuntimePermission "accessDeclaredMembers";
>>>   permission java.lang.RuntimePermission "shutdownHooks";
>>>
>>>   permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
>>>
>>>   permission org.osgi.framework.AdminPermission "*", "lifecycle";
>>>   permission org.osgi.framework.AdminPermission "*", "metadata";
>>>   permission org.osgi.framework.AdminPermission "*", "listener";
>>>   permission org.osgi.framework.AdminPermission "*", "execute";
>>>   permission org.osgi.framework.AdminPermission "*", "startlevel";
>>>   permission org.osgi.framework.AdminPermission "*", "extensionLifecycle";
>>>
>>>   permission org.osgi.framework.PackagePermission "*", "export,import";
>>>   permission org.osgi.framework.ServicePermission "*", "register,get";
>>> };
>>>
>>> -- END of my additional policy file used when starting felix-1.4.0 --
>>>
>>> Kind regards
>>> Hasan
>>>
>>> Pierre Parrend wrote:
>>>>
>>>> Dear Hasan, dear all,
>>>>
>>>> here is a permission file which I used some time ago. You need to adapt
>>>> it to your own configuration, and probably update it to match the
>>>> current state of the Felix implementation:
>>>>
>>>> grant codeBase "file:$FELIX_HOME/-" {
>>>>
>>>>    permission java.util.PropertyPermission "*", "read,write";
>>>>    permission java.io.FilePermission "$FELIX_HOME/main/conf/*", "read";
>>>>
>>>>    permission java.io.FilePermission "$USER_HOME/-", "read,write,delete";
>>>>    permission java.io.FilePermission "bundle.lastmodified", "read";
>>>>    permission java.io.FilePermission "bundle/*", "read";
>>>>
>>>>    permission java.net.NetPermission "specifyStreamHandler";
>>>>    permission java.net.SocketPermission "*", "resolve, connect";
>>>>
>>>>    permission java.lang.RuntimePermission "createSecurityManager";
>>>>    permission java.lang.RuntimePermission "getProtectionDomain";
>>>>    permission java.lang.RuntimePermission "setFactory";
>>>>    permission java.lang.RuntimePermission "createClassLoader";
>>>>    permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
>>>>    permission java.lang.RuntimePermission "accessDeclaredMembers";
>>>>    permission java.lang.RuntimePermission "shutdownHooks";
>>>>
>>>>    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
>>>>
>>>>    permission org.osgi.framework.AdminPermission "*", "lifecycle";
>>>>    permission org.osgi.framework.AdminPermission "*", "metadata";
>>>>    permission org.osgi.framework.AdminPermission "*", "listener";
>>>>    permission org.osgi.framework.AdminPermission "*", "execute";
>>>>
>>>>    permission org.osgi.framework.PackagePermission "*", "export";
>>>>    permission org.osgi.framework.ServicePermission "*", "register, get";
>>>> };
>>>>
>>>> When reading the file, I wonder why the PackagePermission is set to
>>>> 'export' only and does not include 'import'. If you get errors, you
>>>> should simply add it.
>>>>
>>>> best regards,
>>>> Pierre
>>>>
>>>> --
>>>> ==============================================================
>>>> Pierre Parrend
>>>> Software Engineering (SE)
>>>> Tel: +49 721 9654 - 620
>>>> Fax: +49 721 9654 - 623
>>>> E-Mail: parrend@fzi.de
>>>>
>>>> ==============================================================
>>>>
>>>> FZI Forschungszentrum Informatik an der Universität Karlsruhe
>>>> Haid-und-Neu-Str. 10-14, 76131 Karlsruhe
>>>> Tel.: +49 721 9654 - 0, Fax: +49 721 9654 - 959
>>>>
>>>> Foundation under civil law
>>>> Foundation file no.: 14-0563.1 Regierungspräsidium Karlsruhe
>>>>
>>>> Executive Board:
>>>> Prof. Dr.-Ing. Rüdiger Dillmann
>>>> Dipl. Wi.-Ing. Michael Flor
>>>> Prof. Dr. Dr.-Ing. Jivka Ovtcharova
>>>> Prof. Dr. rer. nat. Rudi Studer
>>>>
>>>> Chairman of the Board of Trustees:
>>>> Ministerialdirigent Günther Leßnerkraus
>>>>
>>>> ==============================================================
>>>>
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Hasan [mailto:hasan@trialox.org]
>>>> Sent: Wed 11/19/2008 11:36 AM
>>>> To: users@felix.apache.org
>>>> Subject: Re: Please help in enabling security
>>>> Hi again,
>>>>
>>>> If I put the following line in all.policy
>>>> grant { permission java.security.AllPermission; };
>>>>
>>>> then I can start felix successfully.
>>>> I hope this solves my problem starting felix with security enabled.
>>>>
>>>> Note that in the slide set "Building Secure OSGi Applications"
>>>> the line reads as follows, which I think is wrong:
>>>> grant { permission java.lang.AllPermission };
>>>>
>>>> Regards
>>>> Hasan
>>>>
>>>> Hasan wrote:
>>>>
>>>>>
>>>>> Dear all
>>>>>
>>>>> We would like to use the OSGi security mechanism (Conditional Permission
>>>>> Admin) and thus are trying to enable security when invoking felix
>>>>> (version 1.4.0) as follows:
>>>>>
>>>>> $ java -Djava.security.manager -Djava.security.policy=all.policy -jar
>>>>> bin/felix.jar
>>>>>
>>>>> There were some AccessControlExceptions which we could fix by adapting
>>>>> the java.policy file. In the end, however, we got a NullPointerException
>>>>> as shown below.
>>>>>
>>>>> -- BEGIN OF FELIX ERROR MESSAGE --
>>>>> Welcome to Felix.
>>>>> =================
>>>>>
>>>>> ERROR: Unable to start system bundle. (java.lang.NullPointerException: Specified service reference cannot be null.)
>>>>> java.lang.NullPointerException: Specified service reference cannot be null.
>>>>>   at org.apache.felix.framework.BundleContextImpl.getService(BundleContextImpl.java:320)
>>>>>   at org.apache.felix.main.AutoActivator.processAutoProperties(AutoActivator.java:77)
>>>>>   at org.apache.felix.main.AutoActivator.start(AutoActivator.java:55)
>>>>>   at org.apache.felix.framework.util.SecureAction$Actions.run(SecureAction.java:1071)
>>>>>   at java.security.AccessController.doPrivileged(Native Method)
>>>>>   at org.apache.felix.framework.util.SecureAction.startActivator(SecureAction.java:580)
>>>>>   at org.apache.felix.framework.Felix$SystemBundleActivator.start(Felix.java:3761)
>>>>>   at org.apache.felix.framework.util.SecureAction$Actions.run(SecureAction.java:1071)
>>>>>   at java.security.AccessController.doPrivileged(Native Method)
>>>>>   at org.apache.felix.framework.util.SecureAction.startActivator(SecureAction.java:580)
>>>>>   at org.apache.felix.framework.Felix.init(Felix.java:849)
>>>>>   at org.apache.felix.framework.Felix.start(Felix.java:881)
>>>>>   at org.apache.felix.main.Main.main(Main.java:213)
>>>>> Could not create framework: java.lang.RuntimeException: Unable to start system bundle.
>>>>> java.lang.RuntimeException: Unable to start system bundle.
>>>>>   at org.apache.felix.framework.Felix.init(Felix.java:857)
>>>>>   at org.apache.felix.framework.Felix.start(Felix.java:881)
>>>>>   at org.apache.felix.main.Main.main(Main.java:213)
>>>>>
>>>>> -- END OF FELIX ERROR MESSAGE --
>>>>>
>>>>> Any help and tips to enable security and solve this problem are highly
>>>>> appreciated.
>>>>>
>>>>> Kind regards
>>>>> Hasan
>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>
> --
> --trialox ag--------------------------------------
>
>  Hasan Hasan
>  Binzmühlestrasse 14
>  CH-8050 Zürich
>  Tel: 0041-44-63 57577
>  Fax: 0041-44-63 57574
>  URL: http://www.trialox.ch
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@felix.apache.org
> For additional commands, e-mail: users-help@felix.apache.org
>
>



-- 
Karl Pauls
karlpauls@gmail.com
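To illustrate what Karl describes above, here is an added example (not from this thread or the Felix project) of a bundle activator that uses the PermissionAdmin service, once the framework.security bundle has made it available, to give one bundle an explicit permission set instead of the AllPermission it otherwise runs with. The activator name, the target bundle location and the file paths are assumptions.

```java
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;
import org.osgi.service.permissionadmin.PermissionAdmin;
import org.osgi.service.permissionadmin.PermissionInfo;

/**
 * Hypothetical activator: restricts one bundle, identified by its install
 * location, to a small explicit permission set via PermissionAdmin.
 */
public class LockDownActivator implements BundleActivator {

    // Assumed location of the bundle to restrict; use the value that
    // Bundle.getLocation() returns for the bundle you want to confine.
    static final String TARGET = "file:/opt/app/bundle/org.example.worker.jar";

    public void start(BundleContext ctx) throws Exception {
        ServiceReference ref = ctx.getServiceReference(PermissionAdmin.class.getName());
        if (ref == null) {
            // No framework.security bundle installed: PermissionAdmin is absent
            // and every bundle keeps AllPermission, as described in the thread.
            System.err.println("PermissionAdmin not available; bundles keep AllPermission");
            return;
        }
        PermissionAdmin pa = (PermissionAdmin) ctx.getService(ref);
        try {
            PermissionInfo[] perms = new PermissionInfo[] {
                // Import only: the bundle cannot export (and shadow) packages.
                new PermissionInfo("org.osgi.framework.PackagePermission", "*", "import"),
                // May look up services but not register its own.
                new PermissionInfo("org.osgi.framework.ServicePermission", "*", "get"),
                // Read-only access to an assumed configuration directory.
                new PermissionInfo("java.io.FilePermission", "/opt/app/conf/-", "read"),
                // Outbound HTTP only; no listen or accept.
                new PermissionInfo("java.net.SocketPermission", "*:80", "connect,resolve"),
            };
            pa.setPermissions(TARGET, perms);
            // Bundles without an entry of their own get these defaults instead
            // of AllPermission: here, only reading system properties.
            pa.setDefaultPermissions(new PermissionInfo[] {
                new PermissionInfo("java.util.PropertyPermission", "*", "read")
            });
        } finally {
            ctx.ungetService(ref);
        }
    }

    public void stop(BundleContext ctx) {
        // Permission assignments are kept by the framework; nothing to undo.
    }
}
```

The framework itself still needs AllPermission from the Java policy file; PermissionAdmin only narrows what the bundles it lists may do.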


