What I mean is that the URLClassLoader does the check each time a resource is loaded using the JarFile, and I think Felix should somehow do the same in order to be secured.

On Thu, Mar 22, 2012 at 16:17, Guillaume Nodet <[email protected]> wrote:

> That's my point, it only happens at install time, which means it's not
> really secured. I think it has to be done each time a class or resource is
> loaded, else anyone can change the jar file in the cache folder after it
> has been installed and no verification is done.
> I think that's not really good, as the purpose of the security bits is to
> be ... secured, and if people are willing to pay the cost of the security
> manager, it has to be 100% secured imho.
>
>
> On Thu, Mar 22, 2012 at 13:50, Karl Pauls <[email protected]> wrote:
>
>> The verification is done in the security provider (only happens if
>> installed).
>>
>> regards,
>>
>> Karl
>>
>> On Thu, Mar 22, 2012 at 1:24 PM, Guillaume Nodet <[email protected]>
>> wrote:
>> > I'm trying to understand how Felix verifies the classes' signatures but I
>> > don't see anything around that.
>> > It seems to me that in a non-OSGi environment, the classes will be verified
>> > by the class loader when loaded from a jar mainly because the
>> > java.util.jar.JarFile does the signature verification when loading an entry
>> > (i.e. a class) from the jar file. However, Felix does not use the JarFile
>> > class and uses a custom ZipFile instead.
>> > So it looks like the whole signed jars mechanism does not really work.
>> > Am I right, or do I miss something here?
>> >
>> > --
>> > ------------------------
>> > Guillaume Nodet
>> > ------------------------
>> > Blog: http://gnodet.blogspot.com/
>> > ------------------------
>> > FuseSource, Integration everywhere
>> > http://fusesource.com
>>
>>
>>
>> --
>> Karl Pauls
>> [email protected]
>> http://twitter.com/karlpauls
>> http://www.linkedin.com/in/karlpauls
>> https://profiles.google.com/karlpauls
>>
>
>
>
> --
> ------------------------
> Guillaume Nodet
> ------------------------
> Blog: http://gnodet.blogspot.com/
> ------------------------
> FuseSource, Integration everywhere
> http://fusesource.com
>

--
------------------------
Guillaume Nodet
------------------------
Blog: http://gnodet.blogspot.com/
------------------------
FuseSource, Integration everywhere
http://fusesource.com
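
The load-time check discussed in this thread, as an added example that is not part of the original messages and is not Felix code: it re-reads a cached jar through java.util.jar.JarFile with verification enabled, the way the thread describes the standard class loader path. The class and method names (CachedJarCheck, unsignedEntries, sampleJar) are hypothetical, and the sample jar is constructed in place when no path is given.

```java
import java.io.*;
import java.util.*;
import java.util.jar.*;

public class CachedJarCheck {
    // The manifest and signature block files directly under META-INF are not
    // themselves signed entries (simplified: SIG-* files are not handled).
    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        if (!n.startsWith("META-INF/") || n.indexOf('/', 9) >= 0) return false;
        return n.equals("META-INF/MANIFEST.MF") || n.endsWith(".SF")
            || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC");
    }

    // Returns the names of entries that carry no signer. Throws SecurityException
    // if a signed entry's bytes no longer match the digest recorded at signing,
    // e.g. because the file in the cache folder was modified after install.
    static List<String> unsignedEntries(File jarPath) throws IOException {
        List<String> unsigned = new ArrayList<>();
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(jarPath, true)) {          // verify = true
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory() || isSignatureFile(e.getName())) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* digest is checked at end of stream */ }
                }
                // Signers are only available once the entry has been read fully.
                // A non-null result still has to be matched against trusted certificates.
                if (e.getCodeSigners() == null) unsigned.add(e.getName());
            }
        }
        return unsigned;
    }

    // Constructed sample input: an unsigned jar holding one dummy entry.
    static File sampleJar() throws IOException {
        File f = File.createTempFile("sample", ".jar");
        f.deleteOnExit();
        Manifest m = new Manifest();
        m.getMainAttributes().put(Attributes.Name.MANIFEST_VERSION, "1.0");
        try (JarOutputStream out = new JarOutputStream(new FileOutputStream(f), m)) {
            out.putNextEntry(new JarEntry("demo/Hello.class"));
            out.write(new byte[] {1, 2, 3});
            out.closeEntry();
        }
        return f;
    }

    public static void main(String[] args) throws IOException {
        File jar = args.length > 0 ? new File(args[0]) : sampleJar();
        System.out.println("unsigned entries: " + unsignedEntries(jar));
    }
}
```

Reading the same file through a plain java.util.zip.ZipFile performs neither check, which is the gap the thread is about.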
