[jira] [Commented] (FELIX-5148) Framework Security unusable

Wed, 19 Oct 2016 06:14:21 -0700 

    [ 
https://issues.apache.org/jira/browse/FELIX-5148?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15588736#comment-15588736
 ] 

Paolo Antinori commented on FELIX-5148:
---------------------------------------

Hi, I'm trying to start Karaf according to its security instructions:

1) set couple of sysprop:` -Djava.security.policy="all.policy" 
-Dorg.osgi.framework.security="osgi"`
2) enable felix security fragment at boot at a very early stage: 
`org/apache/felix/org.apache.felix.framework.security/2.4.0/org.apache.felix.framework.security-2.4.0.jar=1`

Just start it see those exception popping out.

Instructions are the same since long time, and old 2.3 version of Karaf used to 
work.

I'm trying to understand where the problem lies, so looking into the instances 
at runtime to guess what could be the issue here.
  

> Framework Security unusable
> ---------------------------
>
>                 Key: FELIX-5148
>                 URL: https://issues.apache.org/jira/browse/FELIX-5148
>             Project: Felix
>          Issue Type: Bug
>          Components: Configuration Admin, Framework Security
>    Affects Versions: framework.security-2.4.0, configadmin-1.8.0
>            Reporter: Oliver Lietz
>            Assignee: Karl Pauls
>         Attachments: FELIX-5148.site.patch, 
> FELIX-5148.sling-launchpad-builder.patch
>
>
> While fixing an issue with Sling and RMI (SLING-5375) reported by an user I 
> came across an issue (KARAF-3400) reported by [~achim_nierbeck] for Karaf 
> related to framework security.
> There is also an issue with [Sling's own OSGi launcher 
> Launchpad|https://svn.apache.org/viewvc/sling/trunk/launchpad/builder/] and 
> framework security when using {{org.apache.felix.configadmin}} >= {{1.8.0}}.
> {{all.policy}}:
> {noformat}
> grant {
>    permission java.security.AllPermission;
> };
> {noformat}
> Adding {{org.apache.felix/org.apache.felix.framework.security/2.4.0}} to 
> {{boot.txt}} and starting with arguments described on [Framework Security's 
> page|http://felix.apache.org/documentation/subprojects/apache-felix-framework-security.html]
>  (which looks broken) and 
> [{{-Djava.security.manager}}|http://docs.oracle.com/javase/8/docs/technotes/guides/security/spec/security-spec.doc6.html]
>  ([Building Secure OSGi 
> Applications|http://de.slideshare.net/marrs/building-secure-osgi-applications])
>  throws a {{java.security.AccessControlException}}:
> {noformat}
> java -Djava.security.manager -Djava.security.policy="all.policy" 
> -Dorg.osgi.framework.security="osgi" -jar 
> org.apache.sling.launchpad-9-SNAPSHOT.jar
> {noformat}
> {noformat}
> [...]
> [...] *ERROR* [FelixStartLevel] ERROR: Error starting 
> slinginstall:org.apache.felix.configadmin-1.8.0.jar 
> (java.security.AccessControlException: access denied 
> ("java.io.FilePermission" "/[...]/sling/config" "read"))
> java.security.AccessControlException: access denied ("java.io.FilePermission" 
> "/[...]/sling/config" "read")
>       at 
> java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
>       at 
> java.security.AccessController.checkPermission(AccessController.java:884)
>       at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
>       at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
>       at java.io.File.isDirectory(File.java:844)
>       at 
> org.apache.felix.cm.file.FilePersistenceManager.<init>(FilePersistenceManager.java:342)
>       at 
> org.apache.felix.cm.impl.ConfigurationManager.start(ConfigurationManager.java:244)
>       at 
> org.apache.felix.framework.util.SecureAction$Actions.run(SecureAction.java:1709)
>       at java.security.AccessController.doPrivileged(Native Method)
>       at 
> org.apache.felix.framework.util.SecureAction.startActivator(SecureAction.java:688)
>       at org.apache.felix.framework.Felix.activateBundle(Felix.java:2226)
>       at org.apache.felix.framework.Felix.startBundle(Felix.java:2144)
>       at org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1371)
>       at 
> org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308)
>       at java.lang.Thread.run(Thread.java:745)
> [...]
> {noformat}
> I had to remove OSGi Subsystems support from {{boot.txt}} when using 
> {{org.apache.felix.configadmin}} {{1.6}}:
> {noformat}
>     org.apache.felix/org.apache.felix.coordinator/1.0.0
>     org.eclipse.equinox/org.eclipse.equinox.region/1.2.101.v20150831-1342
>     org.apache.aries.subsystem/org.apache.aries.subsystem.api/2.0.6
>     org.apache.aries.subsystem/org.apache.aries.subsystem.core/2.0.6
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to