felix-users mailing list archives

From Hasan <ha...@trialox.org>
Subject Re: Please help in enabling security
Date Mon, 24 Nov 2008 16:33:56 GMT
Dear Karl

Thank you very much for the tip! Now it works!

With best regards
Hasan

Karl Pauls wrote:
> Well, this really is starting to go more into the java security model
> but as you can see in the slides too the issue seems to be that scr is
> on the call stack. You did give your bundle allpermissions but the
> scr bundle -- hence, the exception. Now, giving scr allpermission with
> scr being on the call stack is more tricky because you have a circular
> dependency. The way to solve this is either to give all bundles from a
> certain location prefix allpermissions or you need to make sure you do
> security sensitive calls in a doPrivileged block. In other words, try
> something like:
>
> AccessController.doPrivileged(new PrivilegedAction() {
>     public Object run() {
>         // Grant AllPermission to bundle 1, selected by its location
>         cpa.addConditionalPermissionInfo(
>             new ConditionInfo[]{
>                 new ConditionInfo(BundleLocationCondition.class.getName(),
>                     new String[]{context.getBundleContext().getBundle(1).getLocation()})
>             },
>             new PermissionInfo[]{
>                 new PermissionInfo(AllPermission.class.getName(), "", "")
>             });
>
>         // Add other permissions
>         return null; // nothing to return
>     }
> });
>
>
> regards,
>
> Karl
>
> On Mon, Nov 24, 2008 at 3:33 PM, Hasan <hasan@trialox.org> wrote:
>   
>> Dear Karl,
>>
>> We tried your suggestions as follows: we add these lines in the activate
>> method of our management agent
>>
>>       cpa.addConditionalPermissionInfo(new ConditionInfo[]{
>>                   new ConditionInfo(BundleLocationCondition.class.getName(),
>>                   new String[]{context.getBundleContext().getBundle().getLocation()})
>>               },
>>               new PermissionInfo[]{
>>                   new PermissionInfo(
>>                   AllPermission.class.getName(), "", "")
>>               });
>>
>>       System.out.println("test");
>>       cpa.addConditionalPermissionInfo(new ConditionInfo[]{
>>                   new ConditionInfo(BundleLocationCondition.class.getName(),
>>                   new String[]{context.getBundleContext().getBundle(1).getLocation()})
>>               },
>>               new PermissionInfo[]{
>>                   new PermissionInfo(
>>                   AllPermission.class.getName(), "", "")
>>               });
>>
>> with the following results:
>>
>> -> start file:///home/hasan/workspaces/trialox/spike/permmgmtagent/target/permmgmt-1.0-SNAPSHOT.jar
>> -> Binding ConditionalPermissionAdmin
>> Activating PermissionManager
>> test
>> ERROR: org.example.trialox.permmgmt (6): [org.example.trialox.permmgmt.PermissionManager] The activate method has thrown an exception
>> java.security.AccessControlException: access denied (org.osgi.framework.AdminPermission (id=1) metadata)
>>   at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
>>   at java.security.AccessController.checkPermission(AccessController.java:546)
>>   at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
>>   at org.apache.felix.framework.BundleImpl.getLocation(BundleImpl.java:159)
>>   at org.example.trialox.permmgmt.PermissionManager.activate(PermissionManager.java:49)
>>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>   at java.lang.reflect.Method.invoke(Method.java:597)
>>   at org.apache.felix.scr.impl.ImmediateComponentManager.createImplementationObject(ImmediateComponentManager.java:226)
>>   at org.apache.felix.scr.impl.ImmediateComponentManager.createComponent(ImmediateComponentManager.java:133)
>>   at org.apache.felix.scr.impl.AbstractComponentManager.activateInternal(AbstractComponentManager.java:476)
>>   at org.apache.felix.scr.impl.AbstractComponentManager.enableInternal(AbstractComponentManager.java:398)
>>   at org.apache.felix.scr.impl.AbstractComponentManager.access$000(AbstractComponentManager.java:36)
>>   at org.apache.felix.scr.impl.AbstractComponentManager$1.run(AbstractComponentManager.java:99)
>>   at org.apache.felix.scr.impl.ComponentActorThread.run(ComponentActorThread.java:85)
>>
>>
>> It seems we can give the management agent all permissions but we cannot give
>> bundle 1 all permissions.
>> Do we miss something here?
>>
>> We have taken a look at the slide sets from the link. Could we probably have
>> access to the codes of those
>> tasks mentioned in the slides?
>>
>> Thanks and best regards
>> Hasan
>>
>> Karl Pauls wrote:
>>     
>>> Well, you have to understand that as soon as you use (i.e., set
>>> permissions) any of the permission services you define the permission
>>> space for all bundles. So the first thing for your management agent
>>> (i.e., the bundle that you present below) is to give itself
>>> allpermission! Next, it probably is a good idea to give allpermission
>>> to bundle 1,2, and 4. In case you want to use obr give allpermission
>>> to bundle 3 as well. Then you can define the permissions for your
>>> other bundles on a more fine grained basis.
>>>
>>> regards,
>>>
>>> Karl
>>>
>>> p.s.: not sure whether this will help you:
>>>
>>>
>>> http://felix.apache.org/site/presentations.data/Building%20Secure%20OSGi%20Applications.pdf
>>>
>>> On Mon, Nov 24, 2008 at 2:23 PM, Hasan <hasan@trialox.org> wrote:
>>>
>>>       
>>>> Dear Karl
>>>>
>>>> We have built the framework.security and installed it as a bundle.
>>>> Additionally, we have written two bundles: TestBundle and PermissionManager.
>>>> The TestBundle is supposed to be able to create a file if the PermissionManager
>>>> sets the required Permissions.
>>>> We use scr to bind the ConditionalPermissionAdmin service in the PermissionManager.
>>>> However, we already got errors when we install and start PermissionManager.
>>>> (the command services in felix listed no service and the command ps in felix said
>>>> StartLevel service is unavailable).
>>>>
>>>> Could you please advise what we may have done wrong? What we have to do before
>>>> we may define permissions?
>>>>
>>>> Please find below the contents of PermissionManager and the output of felix
>>>> session.
>>>>
>>>> The contents of PermissionManager:
>>>> ----------------------------------
>>>> package org.example.permmgmt;
>>>> import java.io.FilePermission;
>>>>
>>>> import org.osgi.service.component.ComponentContext;
>>>> import org.osgi.service.condpermadmin.BundleLocationCondition;
>>>> import org.osgi.service.condpermadmin.ConditionInfo;
>>>> import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
>>>> import org.osgi.service.permissionadmin.PermissionInfo;
>>>>
>>>> /**
>>>>  * @scr.component
>>>>  * @scr.reference name="conditionalPermissionAdmin"
>>>>  *      cardinality="0..n" policy="dynamic"
>>>>  *      interface="org.osgi.service.condpermadmin.ConditionalPermissionAdmin"
>>>>  */
>>>> public class PermissionManager {
>>>>
>>>>  private ConditionalPermissionAdmin cpa;
>>>>
>>>>  protected void activate(ComponentContext context) throws Exception {
>>>>      System.out.println("Activating PermissionManager");
>>>>
>>>>      if (cpa == null) {
>>>>          System.out.println("No ConditionalPermissionAdmin service");
>>>>          return;
>>>>      }
>>>>      cpa.addConditionalPermissionInfo(
>>>>              new ConditionInfo[]{
>>>>                  new ConditionInfo(
>>>>                  BundleLocationCondition.class.getName(),
>>>>                  new String[]{"file:/home/hasan/workspaces/testbundle1/target/testbundle1-1.0-SNAPSHOT.jar"})
>>>>              },
>>>>              new PermissionInfo[]{
>>>>                  new PermissionInfo(
>>>>                  FilePermission.class.getName(), "helloWorld.txt", "write")
>>>>              });
>>>>      System.out.println("cpi added");
>>>>  }
>>>>
>>>>  protected void bindConditionalPermissionAdmin(ConditionalPermissionAdmin cpa) {
>>>>      System.out.println("Binding ConditionalPermissionAdmin");
>>>>      this.cpa = cpa;
>>>>  }
>>>>
>>>>  protected void unbindConditionalPermissionAdmin(ConditionalPermissionAdmin cpa) {
>>>>      this.cpa = null;
>>>>  }
>>>> }
>>>>
>>>>
>>>>
>>>> And the output of felix:
>>>> ------------------------
>>>> Welcome to Felix.
>>>> =================
>>>>
>>>> -> ps
>>>> START LEVEL 1
>>>>  ID   State         Level  Name
>>>> [   0] [Active     ] [    0] System Bundle (1.4.0)
>>>> [   1] [Active     ] [    1] Apache Felix Shell Service (1.0.2)
>>>> [   2] [Active     ] [    1] Apache Felix Shell TUI (1.0.2)
>>>> [   3] [Active     ] [    1] Apache Felix Bundle Repository (1.2.1)
>>>> -> start http://mirror.switch.ch/mirror/apache/dist/felix/org.apache.felix.scr-1.0.6.jar
>>>> -> start file:///home/hasan/workspaces/framework.security/target/org.apache.felix.framework.security-0.9.0-SNAPSHOT.jar
>>>> -> ps
>>>> START LEVEL 1
>>>>  ID   State         Level  Name
>>>> [   0] [Active     ] [    0] System Bundle (1.4.0)
>>>> [   1] [Active     ] [    1] Apache Felix Shell Service (1.0.2)
>>>> [   2] [Active     ] [    1] Apache Felix Shell TUI (1.0.2)
>>>> [   3] [Active     ] [    1] Apache Felix Bundle Repository (1.2.1)
>>>> [   4] [Active     ] [    1] Apache Felix Declarative Services (1.0.6)
>>>> [   5] [Resolved   ] [    1] Apache Felix Security Provider (0.9.0.SNAPSHOT)
>>>> -> services
>>>>
>>>> System Bundle (0) provides:
>>>> ---------------------------
>>>> org.osgi.service.startlevel.StartLevel
>>>> org.osgi.service.packageadmin.PackageAdmin
>>>> org.osgi.service.permissionadmin.PermissionAdmin
>>>> org.osgi.service.condpermadmin.ConditionalPermissionAdmin
>>>>
>>>> Apache Felix Shell Service (1) provides:
>>>> ----------------------------------------
>>>> org.apache.felix.shell.ShellService,
>>>> org.ungoverned.osgi.service.shell.ShellService
>>>>
>>>> Apache Felix Bundle Repository (3) provides:
>>>> --------------------------------------------
>>>> org.osgi.service.obr.RepositoryAdmin
>>>>
>>>> Apache Felix Declarative Services (4) provides:
>>>> -----------------------------------------------
>>>> org.apache.felix.scr.ScrService
>>>> -> start file:///home/hasan/workspaces/permmgmtagent/target/permmgmt-1.0-SNAPSHOT.jar
>>>> -> Binding ConditionalPermissionAdmin
>>>> Activating PermissionManager
>>>>
>>>> -> services
>>>> -> ps
>>>> StartLevel service is unavailable.
>>>>  ID   State        Name
>>>> ShellTui: java.security.AccessControlException: access denied (org.osgi.framework.AdminPermission (id=0) metadata)
>>>> java.security.AccessControlException: access denied (org.osgi.framework.AdminPermission (id=0) metadata)
>>>>  at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
>>>>  at java.security.AccessController.checkPermission(AccessController.java:546)
>>>>  at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
>>>>  at org.apache.felix.framework.Felix.getHeaders(Felix.java:480)
>>>>  at org.apache.felix.framework.Felix.getHeaders(Felix.java:471)
>>>>  at org.apache.felix.shell.impl.PsCommandImpl.execute(PsCommandImpl.java:128)
>>>>  at org.apache.felix.shell.impl.Activator$ExecutePrivileged.run(Activator.java:365)
>>>>  at java.security.AccessController.doPrivileged(Native Method)
>>>>  at org.apache.felix.shell.impl.Activator$ShellServiceImpl.executeCommand(Activator.java:264)
>>>>  at org.apache.felix.shell.tui.Activator$ShellTuiRunnable.run(Activator.java:167)
>>>>  at java.lang.Thread.run(Thread.java:619)
>>>>
>>>>
>>>> Thanks and kind regards
>>>> Hasan
>>>>
>>>>
>>>>
>>>> Hasan wrote:
>>>>
>>>>         
>>>>> Dear Karl, dear Pierre,
>>>>>
>>>>> Thanks for the prompt reply.
>>>>> I will try Karl's suggestion.
>>>>>
>>>>> Best regards
>>>>> Hasan
>>>>>
>>>>> Karl Pauls wrote:
>>>>>
>>>>>           
>>>>>> Hello Hasan,
>>>>>>
>>>>>> the framework needs allpermission. That is what the OSGi specification
>>>>>> requires. It might be possible to limit it to specific permissions but
>>>>>> it wouldn't be much left. Now, when the framework has allpermissions
>>>>>> that doesn't have to imply that bundles have allpermissions as well.
>>>>>> However, at the moment that is the case if you use the standard felix
>>>>>> only. What you would have to do is to use the PermissionAdmin service
>>>>>> or the ConditionalPermissionAdmin service to set the permissions for a
>>>>>> bundle.
>>>>>>
>>>>>> Problem is, we don't have released versions of the two services. We do
>>>>>> have some implementations in trunk but they are in an alpha state. In
>>>>>> case you want to give it a try: build the framework.security
>>>>>> subproject (in trunk/framework.security) and install the resulting
>>>>>> artifact as a bundle into felix. That will make the two services
>>>>>> available. See the core spec for how to use them.
>>>>>>
>>>>>> regards,
>>>>>>
>>>>>> Karl
>>>>>>
>>>>>> On Mon, Nov 24, 2008 at 10:50 AM, Hasan <hasan@trialox.org> wrote:
>>>>>>
>>>>>>
>>>>>>             
>>>>>>> Thanks Pierre,
>>>>>>>
>>>>>>> My intention is just to give as many permissions as necessary to felix,
>>>>>>> but not all.
>>>>>>> Thus, I assume there must be a way to define permissions for felix so that
>>>>>>> it can install a new bundle without throwing exceptions. Since, if I gave
>>>>>>> felix all permissions there is no such exception thrown.
>>>>>>>
>>>>>>> Kind regards
>>>>>>> Hasan
>>>>>>>
>>>>>>> Pierre Parrend wrote:
>>>>>>>
>>>>>>>
>>>>>>>               
>>>>>>>> Dear Hassan,
>>>>>>>>
>>>>>>>> with the permissions, you have to define a specific URL Handler for the
>>>>>>>> http protocol. See the class org.apache.felix.framework.URLHandlers (from my
>>>>>>>> memory, the name may be slightly different) for examples for other
>>>>>>>> protocols.
>>>>>>>>
>>>>>>>> I have an implementation on another computer, you should manage to adapt
>>>>>>>> the code yourself, otherwise I can look for my old code.
>>>>>>>>
>>>>>>>> best regards,
>>>>>>>> Pierre
>>>>>>>>
>>>>>>>> Hasan wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>                 
>>>>>>>>> Dear Pierre, dear all
>>>>>>>>>
>>>>>>>>> Thanks for the file. I use and modify your file (see below). With this
>>>>>>>>> policy file however, I cannot install a new bundle. It threw
>>>>>>>>> java.net.MalformedURLException:
>>>>>>>>>
>>>>>>>>> Welcome to Felix.
>>>>>>>>> =================
>>>>>>>>>
>>>>>>>>> -> install http://mirror.switch.ch/mirror/apache/dist/felix/org.apache.felix.scr-1.0.6.jar
>>>>>>>>> java.net.MalformedURLException: Unknown protocol: http
>>>>>>>>>
>>>>>>>>> What must be added to the policy file so that it works? Thanks in advance
>>>>>>>>> for answering.
>>>>>>>>>
>>>>>>>>> -- BEGIN of my additional policy file used when starting felix-1.4.0 --
>>>>>>>>> grant codeBase "file:${user.home}/sw/felix-1.4.0/-" {
>>>>>>>>>  permission java.util.PropertyPermission "*", "read,write";
>>>>>>>>>  permission java.io.FilePermission "${user.home}/sw/felix-1.4.0/conf/*", "read";
>>>>>>>>>  permission java.io.FilePermission "${user.home}/sw/felix-1.4.0/-", "read,write,delete";
>>>>>>>>>
>>>>>>>>> //    permission java.io.FilePermission "${user.home}/-", "read,write,delete";
>>>>>>>>>  permission java.io.FilePermission "bundle.lastmodified", "read";
>>>>>>>>>  permission java.io.FilePermission "bundle/*", "read";
>>>>>>>>>
>>>>>>>>>  permission java.io.FilePermission "./felix-cache", "read,write";
>>>>>>>>>  permission java.io.FilePermission "./felix-cache/-", "read,write,delete";
>>>>>>>>>
>>>>>>>>>  permission java.net.NetPermission "specifyStreamHandler";
>>>>>>>>> //    permission java.net.SocketPermission "*", "resolve, connect";
>>>>>>>>>  permission java.net.SocketPermission "*", "accept,connect,listen,resolve";
>>>>>>>>>
>>>>>>>>>  permission java.lang.RuntimePermission "createSecurityManager";
>>>>>>>>>  permission java.lang.RuntimePermission "getProtectionDomain";
>>>>>>>>>  permission java.lang.RuntimePermission "setFactory";
>>>>>>>>>  permission java.lang.RuntimePermission "createClassLoader";
>>>>>>>>>  permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
>>>>>>>>>  permission java.lang.RuntimePermission "accessDeclaredMembers";
>>>>>>>>>  permission java.lang.RuntimePermission "shutdownHooks";
>>>>>>>>>
>>>>>>>>>  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
>>>>>>>>>
>>>>>>>>>  permission org.osgi.framework.AdminPermission "*", "lifecycle";
>>>>>>>>>  permission org.osgi.framework.AdminPermission "*", "metadata";
>>>>>>>>>  permission org.osgi.framework.AdminPermission "*", "listener";
>>>>>>>>>  permission org.osgi.framework.AdminPermission "*", "execute";
>>>>>>>>>  permission org.osgi.framework.AdminPermission "*", "startlevel";
>>>>>>>>>  permission org.osgi.framework.AdminPermission "*", "extensionLifecycle";
>>>>>>>>>
>>>>>>>>>  permission org.osgi.framework.PackagePermission "*", "export,import";
>>>>>>>>>  permission org.osgi.framework.ServicePermission "*", "register,get";
>>>>>>>>> };
>>>>>>>>>
>>>>>>>>> -- END of my additional policy file used when starting felix-1.4.0 --
>>>>>>>>>
>>>>>>>>> Kind regards
>>>>>>>>> Hasan
>>>>>>>>>
>>>>>>>>> Pierre Parrend wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>                   
>>>>>>>>>>  Dear Hasan, dear all,
>>>>>>>>>>
>>>>>>>>>> here is a permission file which I used some time ago. You need to adapt it
>>>>>>>>>> to your own configuration, and probably to update it to match the current
>>>>>>>>>> state of the Felix implementation:
>>>>>>>>>>
>>>>>>>>>> grant codeBase "file:$FELIX_HOME/-" {
>>>>>>>>>>
>>>>>>>>>>  permission java.util.PropertyPermission "*", "read,write";
>>>>>>>>>>  permission java.io.FilePermission "$FELIX_HOME/main/conf/*", "read";
>>>>>>>>>>
>>>>>>>>>>  permission java.io.FilePermission "$USER_HOME/-", "read,write,delete";
>>>>>>>>>>  permission java.io.FilePermission "bundle.lastmodified", "read";
>>>>>>>>>>  permission java.io.FilePermission "bundle/*", "read";
>>>>>>>>>>
>>>>>>>>>>  permission java.net.NetPermission "specifyStreamHandler";
>>>>>>>>>>  permission java.net.SocketPermission "*", "resolve, connect";
>>>>>>>>>>
>>>>>>>>>>  permission java.lang.RuntimePermission "createSecurityManager";
>>>>>>>>>>  permission java.lang.RuntimePermission "getProtectionDomain";
>>>>>>>>>>  permission java.lang.RuntimePermission "setFactory";
>>>>>>>>>>  permission java.lang.RuntimePermission "createClassLoader";
>>>>>>>>>>  permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
>>>>>>>>>>  permission java.lang.RuntimePermission "accessDeclaredMembers";
>>>>>>>>>>  permission java.lang.RuntimePermission "shutdownHooks";
>>>>>>>>>>
>>>>>>>>>>  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
>>>>>>>>>>
>>>>>>>>>>  permission org.osgi.framework.AdminPermission "*", "lifecycle";
>>>>>>>>>>  permission org.osgi.framework.AdminPermission "*", "metadata";
>>>>>>>>>>  permission org.osgi.framework.AdminPermission "*", "listener";
>>>>>>>>>>  permission org.osgi.framework.AdminPermission "*", "execute";
>>>>>>>>>>
>>>>>>>>>>  permission org.osgi.framework.PackagePermission "*", "export";
>>>>>>>>>>  permission org.osgi.framework.ServicePermission "*", "register, get";
>>>>>>>>>> };
>>>>>>>>>>
>>>>>>>>>> When reading the file, I wonder why the PackagePermission is set to
>>>>>>>>>> 'export' only, and does not include 'import'. If you get errors you should
>>>>>>>>>> add it simply.
>>>>>>>>>>
>>>>>>>>>> best regards,
>>>>>>>>>> Pierre
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> ==============================================================
>>>>>>>>>> Pierre Parrend
>>>>>>>>>> Software Engineering (SE)
>>>>>>>>>> Tel: +49 721 9654 - 620
>>>>>>>>>> Fax: +49 721 9654 - 623
>>>>>>>>>> E-Mail: parrend@fzi.de
>>>>>>>>>>
>>>>>>>>>> ==============================================================
>>>>>>>>>>
>>>>>>>>>> FZI Forschungszentrum Informatik an der Universität
Karlsruhe
>>>>>>>>>> Haid-und-Neu-Str. 10-14, 76131 Karlsruhe
>>>>>>>>>> Tel.: +49 721 9654 - 0, Fax: +49 721 9654 - 959
>>>>>>>>>>
>>>>>>>>>> Stiftung des bürgerlichen Rechts
>>>>>>>>>> Stiftung Az: 14-0563.1 Regierungspräsidium Karlsruhe
>>>>>>>>>>
>>>>>>>>>> Vorstand:
>>>>>>>>>> Prof. Dr.-Ing. Rüdiger Dillmann
>>>>>>>>>> Dipl. Wi.-Ing. Michael Flor
>>>>>>>>>> Prof. Dr. Dr.-Ing. Jivka Ovtcharova
>>>>>>>>>> Prof. Dr. rer. nat. Rudi Studer
>>>>>>>>>>
>>>>>>>>>> Vorsitzender des Kuratoriums:
>>>>>>>>>> Ministerialdirigent Günther Leßnerkraus
>>>>>>>>>>
>>>>>>>>>> ==============================================================
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> -----Original Message-----
>>>>>>>>>> From: Hasan [mailto:hasan@trialox.org]
>>>>>>>>>> Sent: Wed 11/19/2008 11:36 AM
>>>>>>>>>> To: users@felix.apache.org
>>>>>>>>>> Subject: Re: Please help in enabling security
>>>>>>>>>>  Hi again,
>>>>>>>>>>
>>>>>>>>>> If I put the following line in all.policy
>>>>>>>>>> grant { permission java.security.AllPermission; };
>>>>>>>>>>
>>>>>>>>>> then I can start felix successfully.
>>>>>>>>>> I hope this solves my problem starting felix with security enabled.
>>>>>>>>>>
>>>>>>>>>> Note, that in the slide set "Building Secure OSGi Applications"
>>>>>>>>>> the line reads as follows which I think is wrong:
>>>>>>>>>> grant { permission java.lang.AllPermission };
>>>>>>>>>>
>>>>>>>>>> Regards
>>>>>>>>>> Hasan
>>>>>>>>>>
>>>>>>>>>> Hasan wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>                     
>>>>>>>>>>> Dear all
>>>>>>>>>>>
>>>>>>>>>>> We would like to use osgi security mechanism (conditional permission
>>>>>>>>>>> admin) and thus are trying to enable security when invoking felix
>>>>>>>>>>> (version 1.4.0) as follows
>>>>>>>>>>>
>>>>>>>>>>> $ java -Djava.security.manager -Djava.security.policy=all.policy -jar bin/felix.jar
>>>>>>>>>>>
>>>>>>>>>>> There were some AccessControlException which we could fix by adapting
>>>>>>>>>>> java.policy file
>>>>>>>>>>> In the end however, we got a NullPointerException as shown below.
>>>>>>>>>>>
>>>>>>>>>>> -- BEGIN OF FELIX ERROR MESSAGE --
>>>>>>>>>>> Welcome to Felix.
>>>>>>>>>>> =================
>>>>>>>>>>>
>>>>>>>>>>> ERROR: Unable to start system bundle. (java.lang.NullPointerException: Specified service reference cannot be null.)
>>>>>>>>>>> java.lang.NullPointerException: Specified service reference cannot be null.
>>>>>>>>>>>  at org.apache.felix.framework.BundleContextImpl.getService(BundleContextImpl.java:320)
>>>>>>>>>>>  at org.apache.felix.main.AutoActivator.processAutoProperties(AutoActivator.java:77)
>>>>>>>>>>>  at org.apache.felix.main.AutoActivator.start(AutoActivator.java:55)
>>>>>>>>>>>  at org.apache.felix.framework.util.SecureAction$Actions.run(SecureAction.java:1071)
>>>>>>>>>>>  at java.security.AccessController.doPrivileged(Native Method)
>>>>>>>>>>>  at org.apache.felix.framework.util.SecureAction.startActivator(SecureAction.java:580)
>>>>>>>>>>>  at org.apache.felix.framework.Felix$SystemBundleActivator.start(Felix.java:3761)
>>>>>>>>>>>  at org.apache.felix.framework.util.SecureAction$Actions.run(SecureAction.java:1071)
>>>>>>>>>>>  at java.security.AccessController.doPrivileged(Native Method)
>>>>>>>>>>>  at org.apache.felix.framework.util.SecureAction.startActivator(SecureAction.java:580)
>>>>>>>>>>>  at org.apache.felix.framework.Felix.init(Felix.java:849)
>>>>>>>>>>>  at org.apache.felix.framework.Felix.start(Felix.java:881)
>>>>>>>>>>>  at org.apache.felix.main.Main.main(Main.java:213)
>>>>>>>>>>> Could not create framework: java.lang.RuntimeException: Unable to start system bundle.
>>>>>>>>>>> java.lang.RuntimeException: Unable to start system bundle.
>>>>>>>>>>>  at org.apache.felix.framework.Felix.init(Felix.java:857)
>>>>>>>>>>>  at org.apache.felix.framework.Felix.start(Felix.java:881)
>>>>>>>>>>>  at org.apache.felix.main.Main.main(Main.java:213)
>>>>>>>>>>>
>>>>>>>>>>> -- END OF FELIX ERROR MESSAGE --
>>>>>>>>>>>
>>>>>>>>>>> Any help and tips to enable security and solve this problem is highly
>>>>>>>>>>> appreciated.
>>>>>>>>>>>
>>>>>>>>>>> Kind regards
>>>>>>>>>>> Hasan
>>>>>>>>>>>
>>>>>>> --
>>>>>>> --trialox ag--------------------------------------
>>>>>>>
>>>>>>>  Hasan Hasan
>>>>>>>  Binzmühlestrasse 14
>>>>>>>  CH-8050 Zürich
>>>>>>>  Tel: 0041-44-63 57577
>>>>>>>  Fax: 0041-44-63 57574
>>>>>>>  URL: http://www.trialox.ch
>>>>>>>
>>>>>>>
>>>>>>> ---------------------------------------------------------------------
>>>>>>> To unsubscribe, e-mail: users-unsubscribe@felix.apache.org
>>>>>>> For additional commands, e-mail: users-help@felix.apache.org
>>>>>>>

-- 
--trialox ag--------------------------------------

  Hasan Hasan
  Binzmühlestrasse 14
  CH-8050 Zürich
  Tel: 0041-44-63 57577
  Fax: 0041-44-63 57574
  URL: http://www.trialox.ch
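
The management agent this thread converges on, written out in full as an added example (not code posted by any participant): every grant runs inside one doPrivileged block so that SCR on the call stack is not checked, the agent grants itself AllPermission first, then the infrastructure bundles, then the fine-grained permission for the test bundle. Bundle ids 1, 2 and 4 and the test-bundle location are the ones shown in the thread; the helper names grant and allPermission are made up for this example, and the OSGi R4 core and compendium APIs are assumed to be on the class path.

```java
package org.example.permmgmt;

import java.io.FilePermission;
import java.security.AccessController;
import java.security.AllPermission;
import java.security.PrivilegedAction;

import org.osgi.framework.Bundle;
import org.osgi.framework.BundleContext;
import org.osgi.service.component.ComponentContext;
import org.osgi.service.condpermadmin.BundleLocationCondition;
import org.osgi.service.condpermadmin.ConditionInfo;
import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
import org.osgi.service.permissionadmin.PermissionInfo;

/**
 * @scr.component
 * @scr.reference name="conditionalPermissionAdmin"
 *      cardinality="0..n" policy="dynamic"
 *      interface="org.osgi.service.condpermadmin.ConditionalPermissionAdmin"
 */
public class PermissionManager {

    // Ids from the thread's `ps` listing: shell (1), shell TUI (2), SCR (4).
    private static final long[] TRUSTED_BUNDLE_IDS = {1, 2, 4};

    // Location of the test bundle, as posted in the thread.
    private static final String TEST_BUNDLE_LOCATION =
        "file:/home/hasan/workspaces/testbundle1/target/testbundle1-1.0-SNAPSHOT.jar";

    private volatile ConditionalPermissionAdmin cpa;

    protected void activate(final ComponentContext context) {
        final ConditionalPermissionAdmin admin = cpa;
        if (admin == null) {
            System.out.println("No ConditionalPermissionAdmin service");
            return;
        }
        // SCR invokes activate(), so SCR's protection domain is on the call
        // stack. doPrivileged ends the stack walk at this class, so only this
        // bundle's permissions are evaluated for the calls made in run().
        AccessController.doPrivileged(new PrivilegedAction<Void>() {
            public Void run() {
                BundleContext bc = context.getBundleContext();

                // 1. The first entry defines the permission space for all
                //    bundles, so the agent must grant itself AllPermission first.
                grant(admin, bc.getBundle().getLocation(), allPermission());

                // 2. Infrastructure bundles keep AllPermission.
                for (long id : TRUSTED_BUNDLE_IDS) {
                    Bundle bundle = bc.getBundle(id);
                    if (bundle != null) { // id may not be installed
                        grant(admin, bundle.getLocation(), allPermission());
                    }
                }

                // 3. Everything else gets only what it needs.
                grant(admin, TEST_BUNDLE_LOCATION, new PermissionInfo(
                    FilePermission.class.getName(), "helloWorld.txt", "write"));
                return null;
            }
        });
    }

    private static PermissionInfo allPermission() {
        return new PermissionInfo(AllPermission.class.getName(), "", "");
    }

    // Adds one table entry: bundles at `location` receive `permission`.
    private static void grant(ConditionalPermissionAdmin admin,
                              String location, PermissionInfo permission) {
        admin.addConditionalPermissionInfo(
            new ConditionInfo[] {
                new ConditionInfo(BundleLocationCondition.class.getName(),
                                  new String[] {location})
            },
            new PermissionInfo[] {permission});
    }

    protected void bindConditionalPermissionAdmin(ConditionalPermissionAdmin cpa) {
        this.cpa = cpa;
    }

    protected void unbindConditionalPermissionAdmin(ConditionalPermissionAdmin cpa) {
        this.cpa = null;
    }
}
```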

