From: Hasan <ha...@trialox.org>
Subject: Re: Please help in enabling security
Date: Mon, 24 Nov 2008 10:09:38 GMT
Dear Karl, dear Pierre,

Thanks for the prompt reply.
I will try Karl's suggestion.

Best regards
Hasan

Karl Pauls wrote:
> Hello Hasan,
>
> the framework needs allpermission. That is what the OSGi specification
> requires. It might be possible to limit it to specific permissions but
> there wouldn't be much left. Now, when the framework has allpermissions
> that doesn't have to imply that bundles have allpermissions as well.
> However, at the moment that is the case if you use the standard felix
> only. What you would have to do is to use the PermissionAdmin service
> or the ConditionalPermissionAdmin service to set the permissions for a
> bundle.
>
> Problem is, we don't have released versions of the two services. We do
> have some implementations in trunk but they are in an alpha state. In
> case you want to give it a try: build the framework.security
> subproject (in trunk/framework.security) and install the resulting
> artifact as a bundle into felix. That will make the two services
> available. See the core spec for how to use them.
>
> regards,
>
> Karl
>
> On Mon, Nov 24, 2008 at 10:50 AM, Hasan <hasan@trialox.org> wrote:
>> Thanks Pierre,
>>
>> My intention is just to give as many permissions as necessary to felix, but
>> not all. Thus, I assume there must be a way to define permissions for felix
>> so that it can install a new bundle without throwing exceptions, since if I
>> give felix all permissions, no such exception is thrown.
>>
>> Kind regards
>> Hasan
>>
>> Pierre Parrend wrote:
>>> Dear Hassan,
>>>
>>> with the permissions, you have to define a specific URL Handler for the
>>> http protocol. See the class org.apache.felix.framework.URLHandlers (from my
>>> memory, the name may be slightly different) for examples for other protocols.
>>>
>>> I have an implementation on another computer, you should manage to adapt
>>> the code yourself, otherwise I can look for my old code.
>>>
>>> best regards,
>>> Pierre
>>>
>>> Hasan wrote:
>>>       
>>>> Dear Pierre, dear all
>>>>
>>>> Thanks for the file. I used and modified your file (see below). With this
>>>> policy file, however, I cannot install a new bundle. It threw
>>>> java.net.MalformedURLException:
>>>>
>>>> Welcome to Felix.
>>>> =================
>>>>
>>>> -> install
>>>> http://mirror.switch.ch/mirror/apache/dist/felix/org.apache.felix.scr-1.0.6.jar
>>>> java.net.MalformedURLException: Unknown protocol: http
>>>>
>>>> What must be added to the policy file so that it works? Thanks in advance
>>>> for answering.
>>>>
>>>> -- BEGIN of my additional policy file used when starting felix-1.4.0 --
>>>> grant codeBase "file:${user.home}/sw/felix-1.4.0/-" {
>>>>   permission java.util.PropertyPermission "*", "read,write";
>>>>   permission java.io.FilePermission "${user.home}/sw/felix-1.4.0/conf/*", "read";
>>>>   permission java.io.FilePermission "${user.home}/sw/felix-1.4.0/-", "read,write,delete";
>>>>
>>>> //    permission java.io.FilePermission "${user.home}/-", "read,write,delete";
>>>>   permission java.io.FilePermission "bundle.lastmodified", "read";
>>>>   permission java.io.FilePermission "bundle/*", "read";
>>>>
>>>>   permission java.io.FilePermission "./felix-cache", "read,write";
>>>>   permission java.io.FilePermission "./felix-cache/-", "read,write,delete";
>>>>
>>>>   permission java.net.NetPermission "specifyStreamHandler";
>>>> //    permission java.net.SocketPermission "*", "resolve, connect";
>>>>   permission java.net.SocketPermission "*", "accept,connect,listen,resolve";
>>>>
>>>>   permission java.lang.RuntimePermission "createSecurityManager";
>>>>   permission java.lang.RuntimePermission "getProtectionDomain";
>>>>   permission java.lang.RuntimePermission "setFactory";
>>>>   permission java.lang.RuntimePermission "createClassLoader";
>>>>   permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
>>>>   permission java.lang.RuntimePermission "accessDeclaredMembers";
>>>>   permission java.lang.RuntimePermission "shutdownHooks";
>>>>
>>>>   permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
>>>>
>>>>   permission org.osgi.framework.AdminPermission "*", "lifecycle";
>>>>   permission org.osgi.framework.AdminPermission "*", "metadata";
>>>>   permission org.osgi.framework.AdminPermission "*", "listener";
>>>>   permission org.osgi.framework.AdminPermission "*", "execute";
>>>>   permission org.osgi.framework.AdminPermission "*", "startlevel";
>>>>   permission org.osgi.framework.AdminPermission "*", "extensionLifecycle";
>>>>
>>>>   permission org.osgi.framework.PackagePermission "*", "export,import";
>>>>   permission org.osgi.framework.ServicePermission "*", "register,get";
>>>> };
>>>>
>>>> -- END of my additional policy file used when starting felix-1.4.0 --
>>>>
>>>> Kind regards
>>>> Hasan
>>>>
>>>> Pierre Parrend wrote:
>>>>         
>>>>>  Dear Hasan, dear all,
>>>>>
>>>>> here is a permission file which I used some times ago. You need to adapt
>>>>> it
>>>>> to your own configuration, and probably to update it to match the
>>>>> current
>>>>> state of the Felix implementation:
>>>>>
>>>>> grant codeBase "file:$FELIX_HOME/-" {
>>>>>
>>>>>    permission java.util.PropertyPermission "*", "read,write";
>>>>>    permission java.io.FilePermission "$FELIX_HOME/main/conf/*", "read";
>>>>>
>>>>>    permission java.io.FilePermission "$USER_HOME/-", "read,write,delete";
>>>>>    permission java.io.FilePermission "bundle.lastmodified", "read";
>>>>>    permission java.io.FilePermission "bundle/*", "read";
>>>>>
>>>>>    permission java.net.NetPermission "specifyStreamHandler";
>>>>>    permission java.net.SocketPermission "*", "resolve, connect";
>>>>>
>>>>>    permission java.lang.RuntimePermission "createSecurityManager";
>>>>>    permission java.lang.RuntimePermission "getProtectionDomain";
>>>>>    permission java.lang.RuntimePermission "setFactory";
>>>>>    permission java.lang.RuntimePermission "createClassLoader";
>>>>>    permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
>>>>>    permission java.lang.RuntimePermission "accessDeclaredMembers";
>>>>>    permission java.lang.RuntimePermission "shutdownHooks";
>>>>>
>>>>>    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
>>>>>
>>>>>    permission org.osgi.framework.AdminPermission "*", "lifecycle";
>>>>>    permission org.osgi.framework.AdminPermission "*", "metadata";
>>>>>    permission org.osgi.framework.AdminPermission "*", "listener";
>>>>>    permission org.osgi.framework.AdminPermission "*", "execute";
>>>>>
>>>>>    permission org.osgi.framework.PackagePermission "*", "export";
>>>>>    permission org.osgi.framework.ServicePermission "*", "register, get";
>>>>> };
>>>>>
>>>>> When reading the file, I wonder why the PackagePermission is set to
>>>>> 'export' only and does not include 'import'. If you get errors, simply
>>>>> add it.
>>>>>
>>>>> best regards,
>>>>> Pierre
>>>>>
>>>>> --
>>>>> ==============================================================
>>>>> Pierre Parrend
>>>>> Software Engineering (SE)
>>>>> Tel: +49 721 9654 - 620
>>>>> Fax: +49 721 9654 - 623
>>>>> E-Mail: parrend@fzi.de
>>>>>
>>>>> ==============================================================
>>>>>
>>>>> FZI Forschungszentrum Informatik an der Universität Karlsruhe
>>>>> Haid-und-Neu-Str. 10-14, 76131 Karlsruhe
>>>>> Tel.: +49 721 9654 - 0, Fax: +49 721 9654 - 959
>>>>>
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: Hasan [mailto:hasan@trialox.org]
>>>>> Sent: Wed 11/19/2008 11:36 AM
>>>>> To: users@felix.apache.org
>>>>> Subject: Re: Please help in enabling security
>>>>> Hi again,
>>>>>
>>>>> If I put the following line in all.policy
>>>>> grant { permission java.security.AllPermission; };
>>>>>
>>>>> then I can start felix successfully.
>>>>> I hope this solves my problem starting felix with security enabled.
>>>>>
>>>>> Note, that in the slide set "Building Secure OSGi Applications"
>>>>> the line reads as follows which I think is wrong:
>>>>> grant { permission java.lang.AllPermission };
>>>>>
>>>>> Regards
>>>>> Hasan
>>>>>
>>>>> Hasan wrote:
>>>>>
>>>>>> Dear all
>>>>>>
>>>>>> We would like to use the OSGi security mechanism (conditional permission
>>>>>> admin) and thus are trying to enable security when invoking felix
>>>>>> (version 1.4.0) as follows
>>>>>>
>>>>>> $ java -Djava.security.manager -Djava.security.policy=all.policy -jar bin/felix.jar
>>>>>>
>>>>>> There were some AccessControlExceptions which we could fix by adapting
>>>>>> the java.policy file. In the end however, we got a NullPointerException
>>>>>> as shown below.
>>>>>>
>>>>>> -- BEGIN OF FELIX ERROR MESSAGE --
>>>>>> Welcome to Felix.
>>>>>> =================
>>>>>>
>>>>>> ERROR: Unable to start system bundle. (java.lang.NullPointerException:
>>>>>> Specified service reference cannot be null.)
>>>>>> java.lang.NullPointerException: Specified service reference cannot be null.
>>>>>>   at org.apache.felix.framework.BundleContextImpl.getService(BundleContextImpl.java:320)
>>>>>>   at org.apache.felix.main.AutoActivator.processAutoProperties(AutoActivator.java:77)
>>>>>>   at org.apache.felix.main.AutoActivator.start(AutoActivator.java:55)
>>>>>>   at org.apache.felix.framework.util.SecureAction$Actions.run(SecureAction.java:1071)
>>>>>>   at java.security.AccessController.doPrivileged(Native Method)
>>>>>>   at org.apache.felix.framework.util.SecureAction.startActivator(SecureAction.java:580)
>>>>>>   at org.apache.felix.framework.Felix$SystemBundleActivator.start(Felix.java:3761)
>>>>>>   at org.apache.felix.framework.util.SecureAction$Actions.run(SecureAction.java:1071)
>>>>>>   at java.security.AccessController.doPrivileged(Native Method)
>>>>>>   at org.apache.felix.framework.util.SecureAction.startActivator(SecureAction.java:580)
>>>>>>   at org.apache.felix.framework.Felix.init(Felix.java:849)
>>>>>>   at org.apache.felix.framework.Felix.start(Felix.java:881)
>>>>>>   at org.apache.felix.main.Main.main(Main.java:213)
>>>>>> Could not create framework: java.lang.RuntimeException: Unable to start system bundle.
>>>>>> java.lang.RuntimeException: Unable to start system bundle.
>>>>>>   at org.apache.felix.framework.Felix.init(Felix.java:857)
>>>>>>   at org.apache.felix.framework.Felix.start(Felix.java:881)
>>>>>>   at org.apache.felix.main.Main.main(Main.java:213)
>>>>>>
>>>>>> -- END OF FELIX ERROR MESSAGE --
>>>>>>
>>>>>> Any help and tips to enable security and solve this problem are highly
>>>>>> appreciated.
>>>>>>
>>>>>> Kind regards
>>>>>> Hasan

-- 
--trialox ag--------------------------------------

  Hasan Hasan
  Binzmühlestrasse 14
  CH-8050 Zürich
  Tel: 0041-44-63 57577
  Fax: 0041-44-63 57574
  URL: http://www.trialox.ch
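Karl's reply above points at the PermissionAdmin service as the way to stop bundles inheriting the framework's AllPermission. The following is an added example, not code from this thread or from the Felix project: a bundle activator that looks up PermissionAdmin and grants one bundle a deliberately small permission set (package import, service use, read-only access to one directory, and nothing else), then reads the stored set back. The package name, the target bundle location, the package and service names in the permission list and the data directory are placeholders chosen for the example. The service only exists once the framework.security bundle Karl mentions is installed, and the bundle running this activator must itself be trusted, which it is for as long as bundles still receive AllPermission by default.

```java
// Added example, not code from the Felix thread. It uses the OSGi
// PermissionAdmin service to restrict a single bundle while the framework
// keeps AllPermission from the Java policy file.
package org.example.leastprivilege; // placeholder package name

import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;
import org.osgi.service.permissionadmin.PermissionAdmin;
import org.osgi.service.permissionadmin.PermissionInfo;

public class LeastPrivilegeActivator implements BundleActivator {

    // Location string the target bundle was installed from (placeholder).
    // PermissionAdmin keys its entries by bundle location, not by symbolic name.
    private static final String TARGET_LOCATION =
            "file:/opt/felix/bundles/org.example.worker.jar";

    /** The minimal permission set for the target bundle (placeholder names). */
    static PermissionInfo[] workerPermissions() {
        return new PermissionInfo[] {
            // Resolve against the framework API and its own API packages; no exports.
            new PermissionInfo("org.osgi.framework.PackagePermission",
                               "org.osgi.framework", "import"),
            new PermissionInfo("org.osgi.framework.PackagePermission",
                               "org.example.api.*", "import"),
            // Use (but not register) services of its own API; nothing else.
            new PermissionInfo("org.osgi.framework.ServicePermission",
                               "org.example.api.*", "get"),
            // Read-only access to one data directory. No SocketPermission,
            // RuntimePermission or ReflectPermission: the bundle cannot open
            // network connections, create class loaders or bypass access checks.
            new PermissionInfo("java.io.FilePermission",
                               "/var/lib/example/worker/-", "read"),
        };
    }

    public void start(BundleContext context) throws Exception {
        ServiceReference ref =
                context.getServiceReference(PermissionAdmin.class.getName());
        if (ref == null) {
            throw new IllegalStateException(
                "PermissionAdmin not available: install the framework.security bundle first");
        }
        PermissionAdmin admin = (PermissionAdmin) context.getService(ref);
        try {
            // Replaces whatever the bundle at that location had before
            // (by default: the framework's AllPermission).
            admin.setPermissions(TARGET_LOCATION, workerPermissions());

            // Read back what the framework stored, so a typo in the location
            // string (which would silently restrict nothing) becomes visible.
            PermissionInfo[] stored = admin.getPermissions(TARGET_LOCATION);
            if (stored == null) {
                throw new IllegalStateException("permissions were not recorded");
            }
            for (int i = 0; i < stored.length; i++) {
                System.out.println("granted to " + TARGET_LOCATION + ": "
                                   + stored[i].getEncoded());
            }
        } finally {
            context.ungetService(ref);
        }
    }

    public void stop(BundleContext context) throws Exception {
        // Intentionally left alone: clearing the entry (setPermissions with null)
        // would hand the target bundle the default permissions again, which is
        // AllPermission unless setDefaultPermissions has restricted it.
    }
}
```

The same service's setDefaultPermissions method tightens every bundle that has no explicit entry, which is the complementary step once the few bundles that genuinely need wide permissions have entries of their own.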


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@felix.apache.org
For additional commands, e-mail: users-help@felix.apache.org

