geronimo-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ivan <xhh...@gmail.com>
Subject Re: OSGi Bundle Permissions on Geronimo
Date Mon, 03 Sep 2012 06:12:32 GMT
I am not sure whether OSGi security could help on this.  But with the
Bundle Hook Service API introduced in v4.3, it is possible to limit/filter
the result of those methods, like getBundles(), and etc.

There are also other new APIs, which could be used to filter the services
and other things. You may refer to the OSGi v4.3 core spec.

2012/8/30 JAEBOO JUNG <itsjb.jung@samsung.com>

> I am about to make a enterprise cloud OSGi web-service by using Apache
> Geronimo V3.0.****
>
> The final goal is to make custom BundleManager(maybe it is a bundle too)
> that can do simple bundle action like install/uninstall/start/stop the
> other bundles from any users.****
>
> Each bundle is WAB(web application bundle) and will be added in some
> Application Bundle.****
>
> But I encounter some critical problems which can cause security issues.***
> *
>
> ** **
>
> 1. Although only BundleManager I want to make can manage the bundle's
> lifecycle by using BundleContext , but any bundles made by some users can
> use BundleContext in Activator or any  servlet in their bundles. So, for
> example, Bundle A(from user1) can get Bundle B(from user2) from
> BundleContext and Bundle A can stop or uninstall Bundle B with no
> permission though Bundle A is not BundleManager..****
>
> ** **
>
> 2. I used to run java security manager and manipulate its(Bundle A)
> permission. but it didn't properly work. Besides I can access Geronimo Web
> Admin console with no login process . I think that allpermission in the
> policy file cause this situation.****
>
> ** **
>
> How can I achieve my goal. I heard that Composite bundle can isolate
> bundles, but Geronimo didn't support Composite Bundle(CBA). I really wait
> and appreciate all ideas. Thanks for all your help in advance :)****
>



-- 
Ivan

Mime
View raw message