Hi David,
I will try to answer some of your questions concerning the handling of
Permissions in Equinox.
First of all, activate security with the following properties:
-Declipse.security=org.eclipse.osgi.framework.internal.core.FrameworkSecurityManager
-Djava.security.policy==../path/to/security/policy/FrameworkSecurity.policy
And use this property for debugging the security problems:
-Djava.security.debug=access:failure
The FrameworkSecurity.policy should contain java.security.AllPermission,
so that the Framework is free
to operate. There may be a possibility to constrict the
Framework-Permissions to a smaller set, but it's
very difficult to start with.
Afterwards, activate the ConditionalPermissionAdmin with code looking
like this:
    ServiceReference cpaService =
        context.getServiceReference(ConditionalPermissionAdmin.class.getName());
    if (cpaService != null)
    {
        ConditionalPermissionAdmin cpa =
            (ConditionalPermissionAdmin) context.getService(cpaService);
        // Condition that selects the bundles the permission applies to.
        ConditionInfo ci = new ConditionInfo(
            "[org.osgi.service.condpermadmin.BundleLocationCondition \"*\"]");
        // Permission granted when the condition matches.
        PermissionInfo pi = new PermissionInfo(
            "(java.util.PropertyPermission \"*com.test.onetwothree.*\" \"read,write\")");
        // oid: name (a String) under which this entry is stored.
        cpa.setConditionalPermissionInfo(oid, new ConditionInfo[] { ci },
            new PermissionInfo[] { pi });
    }
With this piece of code, all Bundles with Symbolic-Name
"com.test.onetwothree.*" have just one permission: read and write all
properties.
These permissions have to be configured in your java code. Currently
there is no official way to configure these permissions by file. An
example on how to do this anyway can be found in the OSGi Spec Version
4.1 April 2007 on page 237.
Last but not least, a permissions.perm file can (but must not) be
created in the subdir OSGI-INF in each bundle. In this permissions.perm
file the bundle developer can outline all permissions, that his bundle
needs to operate. The framework guarantees, that this bundle never gets
more permissions, than defined in the permissions.perm, also more global
permissions are available for this bundle. So, the actual permissions
for a bundle is the intersection of the global permissions and the
permissions in the permissions.perm file. If no permissions.perm file is
defined, the bundle gets AllPermission (to be said: all global
permissions defined plus all permissions defined for this bundle via
condition.)
Having all these things configured, the Security-Framework of equinox
should work.
Good luck.
Florian
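
Added example (not part of Florian's message and not Equinox code): a plain-JDK model of the intersection rule described above for permissions.perm. The class name, property key and file path are assumptions made up for the illustration; `global` stands for what ConditionalPermissionAdmin grants and `local` for the contents of OSGI-INF/permissions.perm.

```java
import java.io.FilePermission;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.util.PropertyPermission;

/** Models "effective = global grants intersected with permissions.perm". */
public class EffectivePermissionsDemo {

    /**
     * @param global permissions granted through ConditionalPermissionAdmin
     * @param local  permissions listed in OSGI-INF/permissions.perm,
     *               or null when the bundle ships no such file
     */
    static boolean allowed(PermissionCollection global,
                           PermissionCollection local, Permission p) {
        // No permissions.perm: the bundle is not restricted locally.
        boolean localOk = (local == null) || local.implies(p);
        return localOk && global.implies(p);
    }

    public static void main(String[] args) {
        // Constructed sample data; key and path are hypothetical.
        Permissions global = new Permissions();
        global.add(new PropertyPermission("com.test.onetwothree.*", "read,write"));

        Permissions local = new Permissions();
        local.add(new PropertyPermission("com.test.onetwothree.*", "read"));
        local.add(new FilePermission("/tmp/demo.txt", "read"));

        Permission readProp  = new PropertyPermission("com.test.onetwothree.mode", "read");
        Permission writeProp = new PropertyPermission("com.test.onetwothree.mode", "write");
        Permission readFile  = new FilePermission("/tmp/demo.txt", "read");

        // Granted globally and declared locally.
        System.out.println("read property:         " + allowed(global, local, readProp));
        // Granted globally, but missing from permissions.perm.
        System.out.println("write property:        " + allowed(global, local, writeProp));
        // Declared locally, but never granted globally.
        System.out.println("read file:             " + allowed(global, local, readFile));
        // Same write request from a bundle without permissions.perm.
        System.out.println("write, no local file:  " + allowed(global, null, writeProp));
    }
}
```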
________________________________
From: [email protected]
[mailto:[email protected]] On Behalf Of David Conde
Sent: Friday, May 08, 2009 2:30 PM
To: 'Equinox development mailing list'
Subject: [equinox-dev] Security Doubts
Hi everyone,
These previous days I have been trying and reading a lot about security
in OSGi. I tried Local Permissions in Equinox and they were OK, and I
also tried some examples using Conditional Permissions and I did
not get any result at all.
I have tried with this example:
http://dz.prosyst.com/pdoc/mbs_ext_6.1/um/meg/developer/osgi/mobile_conditions/mobile_conditions.html
changing it to include both BundleLocationCondition and
BundleSignerCondition, but no result at all. I would like to know if
somebody has done some example with Conditional Permissions in Equinox
and got any result. Could people who got the expected results with
Conditional Permissions tell me the scenario where Conditional
Permissions work? Either if I need some special permissions or some
special way of launching the Equinox Framework from the console using
special options.
I have tried with several versions of Equinox: 3.3, 3.4, 3.5. In
Equinox 3.5, when I launch with security options, typing the
security.manager parameter equal to "osgi", I do not get anything,
neither an exception nor anything else; it is just like no command was
launched.
With Equinox 3.4 I managed to run Local Permissions, but when I tried
with Equinox 3.5 in order to check Conditional Permissions I
haven't got any result. It is like nothing I write in PermissionManager
(see the link written above) is taken into account. What do I need
in my PermissionManager bundle to grant permissions? I put AllPermission
in this bundle, but do I need any other permission?
The last question: why doesn't Equinox verify my bundles' signatures
when I install them by hand from the console using the install command?
I use a keystore different from the keystore which signed the bundles
and I do not get any exception.
It is strange because whatever keystore name I write in
-Dosgi.framework.keystore=cakeystore.keystore is valid; even if I put an
invented keystore name which does not exist, I do not get any exception
and the "OSGI>" environment appears.
So I am sorry for so many questions but I think that I can't continue
without some piece of advice.
Thank you very much in advance
David