felix-users mailing list archives

From Hasan <ha...@trialox.org>
Subject Re: Please help in enabling security
Date Mon, 24 Nov 2008 09:50:55 GMT
Thanks Pierre,

My intention is just to give as many permissions as necessary to felix, but not all. Thus, I assume there must be a way to define permissions for felix so that it can install a new bundle without throwing exceptions, since, if I gave felix all permissions, there was no such exception thrown.

Kind regards
Hasan

Pierre Parrend wrote:
>
> Dear Hasan,
>
> With the permissions, you have to define a specific URL Handler for the http protocol. See the class org.apache.felix.framework.URLHandlers (from my memory, the name may be slightly different) for examples for other protocols.
>
> I have an implementation on another computer; you should manage to adapt the code yourself, otherwise I can look for my old code.
>
> best regards,
> Pierre
>
> Hasan wrote:
>> Dear Pierre, dear all
>>
>> Thanks for the file. I used and modified your file (see below). With this policy file, however, I cannot install a new bundle. It threw java.net.MalformedURLException:
>>
>> Welcome to Felix.
>> =================
>>
>> -> install http://mirror.switch.ch/mirror/apache/dist/felix/org.apache.felix.scr-1.0.6.jar
>>
>> java.net.MalformedURLException: Unknown protocol: http
>>
>> What must be added to the policy file so that it works? Thanks in advance for answering.
>>
>> -- BEGIN of my additional policy file used when starting felix-1.4.0 --
>> grant codeBase "file:${user.home}/sw/felix-1.4.0/-" {
>>    permission java.util.PropertyPermission "*", "read,write";
>>    permission java.io.FilePermission "${user.home}/sw/felix-1.4.0/conf/*", "read";
>>    permission java.io.FilePermission "${user.home}/sw/felix-1.4.0/-", "read,write,delete";
>>
>> //    permission java.io.FilePermission "${user.home}/-", "read,write,delete";
>>    permission java.io.FilePermission "bundle.lastmodified", "read";
>>    permission java.io.FilePermission "bundle/*", "read";
>>
>>    permission java.io.FilePermission "./felix-cache", "read,write";
>>    permission java.io.FilePermission "./felix-cache/-", "read,write,delete";
>>
>>    permission java.net.NetPermission "specifyStreamHandler";
>> //    permission java.net.SocketPermission "*", "resolve, connect";
>>    permission java.net.SocketPermission "*", "accept,connect,listen,resolve";
>>
>>    permission java.lang.RuntimePermission "createSecurityManager";
>>    permission java.lang.RuntimePermission "getProtectionDomain";
>>    permission java.lang.RuntimePermission "setFactory";
>>    permission java.lang.RuntimePermission "createClassLoader";
>>    permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
>>    permission java.lang.RuntimePermission "accessDeclaredMembers";
>>    permission java.lang.RuntimePermission "shutdownHooks";
>>
>>    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
>>
>>    permission org.osgi.framework.AdminPermission "*", "lifecycle";
>>    permission org.osgi.framework.AdminPermission "*", "metadata";
>>    permission org.osgi.framework.AdminPermission "*", "listener";
>>    permission org.osgi.framework.AdminPermission "*", "execute";
>>    permission org.osgi.framework.AdminPermission "*", "startlevel";
>>    permission org.osgi.framework.AdminPermission "*", "extensionLifecycle";
>>
>>    permission org.osgi.framework.PackagePermission "*", "export,import";
>>    permission org.osgi.framework.ServicePermission "*", "register,get";
>> };
>>
>> -- END of my additional policy file used when starting felix-1.4.0 --
>>
>> Kind regards
>> Hasan
>>
>> Pierre Parrend wrote:
>>> Dear Hasan, dear all,
>>>
>>> here is a permission file which I used some time ago. You need to adapt it to your own configuration, and probably to update it to match the current state of the Felix implementation:
>>>
>>> grant codeBase "file:$FELIX_HOME/-" {
>>>
>>>     permission java.util.PropertyPermission "*", "read,write";
>>>     permission java.io.FilePermission "$FELIX_HOME/main/conf/*", "read";
>>>
>>>     permission java.io.FilePermission "$USER_HOME/-", "read,write,delete";
>>>     permission java.io.FilePermission "bundle.lastmodified", "read";
>>>     permission java.io.FilePermission "bundle/*", "read";
>>>
>>>     permission java.net.NetPermission "specifyStreamHandler";
>>>     permission java.net.SocketPermission "*", "resolve, connect";
>>>
>>>     permission java.lang.RuntimePermission "createSecurityManager";
>>>     permission java.lang.RuntimePermission "getProtectionDomain";
>>>     permission java.lang.RuntimePermission "setFactory";
>>>     permission java.lang.RuntimePermission "createClassLoader";
>>>     permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
>>>     permission java.lang.RuntimePermission "accessDeclaredMembers";
>>>     permission java.lang.RuntimePermission "shutdownHooks";
>>>
>>>     permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
>>>
>>>     permission org.osgi.framework.AdminPermission "*", "lifecycle";
>>>     permission org.osgi.framework.AdminPermission "*", "metadata";
>>>     permission org.osgi.framework.AdminPermission "*", "listener";
>>>     permission org.osgi.framework.AdminPermission "*", "execute";
>>>
>>>     permission org.osgi.framework.PackagePermission "*", "export";
>>>     permission org.osgi.framework.ServicePermission "*", "register, get";
>>> };
>>>
>>> When reading the file, I wonder why the PackagePermission is set to 'export' only and does not include 'import'. If you get errors, you should simply add it.
>>>
>>> best regards,
>>> Pierre
>>>
>>> -- 
>>> ==============================================================
>>> Pierre Parrend
>>> Software Engineering (SE)
>>> Tel: +49 721 9654 - 620
>>> Fax: +49 721 9654 - 623
>>> E-Mail: parrend@fzi.de
>>>
>>> ==============================================================
>>>
>>> FZI Forschungszentrum Informatik an der Universität Karlsruhe
>>> Haid-und-Neu-Str. 10-14, 76131 Karlsruhe
>>> Tel.: +49 721 9654 - 0, Fax: +49 721 9654 - 959
>>>
>>> Foundation under civil law
>>> Foundation file no.: 14-0563.1 Regierungspräsidium Karlsruhe
>>>
>>> Board of directors:
>>> Prof. Dr.-Ing. Rüdiger Dillmann
>>> Dipl. Wi.-Ing. Michael Flor
>>> Prof. Dr. Dr.-Ing. Jivka Ovtcharova
>>> Prof. Dr. rer. nat. Rudi Studer
>>>
>>> Chairman of the Board of Trustees:
>>> Ministerialdirigent Günther Leßnerkraus
>>>
>>> ==============================================================
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: Hasan [mailto:hasan@trialox.org]
>>> Sent: Wed 11/19/2008 11:36 AM
>>> To: users@felix.apache.org
>>> Subject: Re: Please help in enabling security
>>>  
>>> Hi again,
>>>
>>> If I put the following line in all.policy
>>> grant { permission java.security.AllPermission; };
>>>
>>> then I can start felix successfully.
>>> I hope this solves my problem starting felix with security enabled.
>>>
>>> Note that in the slide set "Building Secure OSGi Applications"
>>> the line reads as follows, which I think is wrong:
>>> grant { permission java.lang.AllPermission };
>>>
>>> Regards
>>> Hasan
>>>
>>> Hasan wrote:
>>>  
>>>> Dear all,
>>>>
>>>> We would like to use the OSGi security mechanism (conditional permission admin) and thus are trying to enable security when invoking felix (version 1.4.0) as follows:
>>>>
>>>> $ java -Djava.security.manager -Djava.security.policy=all.policy -jar bin/felix.jar
>>>>
>>>> There were some AccessControlExceptions which we could fix by adapting the java.policy file. In the end, however, we got a NullPointerException as shown below.
>>>>
>>>> -- BEGIN OF FELIX ERROR MESSAGE --
>>>> Welcome to Felix.
>>>> =================
>>>>
>>>> ERROR: Unable to start system bundle. 
>>>> (java.lang.NullPointerException: Specified service reference cannot 
>>>> be null.)
>>>> java.lang.NullPointerException: Specified service reference cannot 
>>>> be null.
>>>>    at org.apache.felix.framework.BundleContextImpl.getService(BundleContextImpl.java:320)
>>>>    at org.apache.felix.main.AutoActivator.processAutoProperties(AutoActivator.java:77)
>>>>    at org.apache.felix.main.AutoActivator.start(AutoActivator.java:55)
>>>>    at org.apache.felix.framework.util.SecureAction$Actions.run(SecureAction.java:1071)
>>>>    at java.security.AccessController.doPrivileged(Native Method)
>>>>    at org.apache.felix.framework.util.SecureAction.startActivator(SecureAction.java:580)
>>>>    at org.apache.felix.framework.Felix$SystemBundleActivator.start(Felix.java:3761)
>>>>    at org.apache.felix.framework.util.SecureAction$Actions.run(SecureAction.java:1071)
>>>>    at java.security.AccessController.doPrivileged(Native Method)
>>>>    at org.apache.felix.framework.util.SecureAction.startActivator(SecureAction.java:580)
>>>>    at org.apache.felix.framework.Felix.init(Felix.java:849)
>>>>    at org.apache.felix.framework.Felix.start(Felix.java:881)
>>>>    at org.apache.felix.main.Main.main(Main.java:213)
>>>> Could not create framework: java.lang.RuntimeException: Unable to 
>>>> start system bundle.
>>>> java.lang.RuntimeException: Unable to start system bundle.
>>>>    at org.apache.felix.framework.Felix.init(Felix.java:857)
>>>>    at org.apache.felix.framework.Felix.start(Felix.java:881)
>>>>    at org.apache.felix.main.Main.main(Main.java:213)
>>>>
>>>> -- END OF FELIX ERROR MESSAGE --
>>>>
>>>> Any help and tips to enable security and solve this problem are highly appreciated.
>>>>
>>>> Kind regards
>>>> Hasan
>>>>
>>>>     
>>>
>>>   
>>
>

-- 
--trialox ag--------------------------------------

  Hasan Hasan
  Binzmühlestrasse 14
  CH-8050 Zürich
  Tel: 0041-44-63 57577
  Fax: 0041-44-63 57574
  URL: http://www.trialox.ch
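When trimming a policy down from AllPermission, it is quicker to ask the Policy object directly which permissions it grants to the Felix code base than to iterate on AccessControlExceptions at runtime. The checker below is an added example of mine, not code from Felix or from anyone in this thread; it assumes the code base path from the policy file above, the mirror host from the install command, a guessed list of four permissions the install step needs, and the java.security.Policy API of the Java versions current when this thread was written (that API is deprecated in recent JDKs).

```java
import java.io.FilePermission;
import java.net.NetPermission;
import java.net.SocketPermission;
import java.net.URL;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Asks the installed Policy which of the listed permissions it grants to the
 * Felix code base, before Felix is started under the security manager. Run it
 * with the same policy file: java -Djava.security.policy=felix.policy PolicyCheck
 */
public class PolicyCheck {
    /** Permissions an "install http://host/bundle.jar" is assumed to need. */
    static List<Permission> required() {
        return Arrays.asList(
            new NetPermission("specifyStreamHandler"),
            new RuntimePermission("setFactory"),
            new SocketPermission("mirror.switch.ch:80", "connect,resolve"),
            new FilePermission("./felix-cache/-", "read,write,delete"));
    }
    /** Returns those of 'required' that the policy does not imply for codeBase. */
    static List<Permission> missing(String codeBase, List<Permission> required)
            throws Exception {
        // Dynamic domain with no static permissions: the answer comes from the policy alone
        CodeSource cs = new CodeSource(new URL(codeBase), (Certificate[]) null);
        ProtectionDomain pd = new ProtectionDomain(cs, null, null, null);
        Policy policy = Policy.getPolicy();
        List<Permission> missing = new ArrayList<>();
        for (Permission p : required) {
            if (!policy.implies(pd, p)) missing.add(p);
        }
        return missing;
    }
    public static void main(String[] args) throws Exception {
        // Assumed jar location; must lie inside the grant's codeBase "file:${user.home}/sw/felix-1.4.0/-"
        String codeBase = args.length > 0 ? args[0]
            : "file:" + System.getProperty("user.home") + "/sw/felix-1.4.0/bin/felix.jar";
        for (Permission p : missing(codeBase, required())) {
            System.out.println("NOT granted to " + codeBase + ": " + p);
        }
    }
}
```

Run it without -Djava.security.manager, so that reading the policy itself needs no permission; an empty output means every listed permission is granted to that code base, and anything printed is a grant line still to be added to the policy file.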



