> From: pavithra shankar <[email protected]>

> The framework should first be started with AllPermissions.

Well the framework jars must be granted all permission by the policy. This is usually done via a policy file. The framework will then grant permissions to bundles via the data set in PermissionAdmin/ConditionalPermissionAdmin.

> Then the
> custom bundle which is to set up the policies is to be given
> AllPermission by the framework and started first so that the
> policies are set up before other bundles are installed and started.

By default, when a new framework instance is started, as a bootstrapping thing, all bundles are granted AllPermission (the framework's permissions database is empty). So among the first bundles to be installed is the bundle which manages the permission database and sets the proper defaults and bundle permissions for the bundles to be later installed.

>
> There are still some questions on my mind,
> 1. How do I deny permissions?
> All the permissions I am able to set have access "allow".

Did you see http://www.osgi.org/javadoc/r4v42/org/osgi/service/condpermadmin/ConditionalPermissionInfo.html#DENY in R4.2?

> 2. How do I give permissions limited to specific bundles coming from
> a specific location?

You can use the BundleLocationPermission. Note that this matches against Bundle.getLocation. The bundle location is the string assigned to the bundle when it is installed (BundleContext.installBundle).

> For eg, if I want to allow only bundles which come from a
> specific folder "test", to be able to make changes (additions) to the
> conditions & permissions I have set, how should I do it?
> I tried to do this using the following snippet:
>
>
> ConditionInfo condInfo1 = new ConditionInfo(
>     BUNDLE_LOCATION_CONDITION, new String[] {"*test*"});
> PermissionInfo permInfo1 = new PermissionInfo(
>     "org.osgi.framework.PackagePermission",
>     "org.osgi.service.condpermadmin", "import");
> cpaService.setConditionalPermissionInfo("CPAServicePerm",
>     new ConditionInfo[] {condInfo1}, new PermissionInfo[] {permInfo1});

setConditionalPermissionInfo was deprecated in R4.2. See newConditionalPermissionInfo.

>
> and I found that other bundles are still able to add conditional permissions.
>
> 3. At what stage does the framework come into picture?
> If I were trying to install a bundle fetched over the network (
> bundle location url containing http:// for example), the jar is to
> be fetched and then installed. At what point does the framework
> check for the applicable permissions for this location/signer?

At the time permissions are granted to the bundle. When a class is loaded by the framework, it is assigned a ProtectionDomain. The permission collection in this protection domain is dynamically populated based upon the information in the framework's permission database.

> Before fetching it to the local machine or before installing? Is
> there a demarcation between fetching and installing? Please forgive
> my ignorance.

--
BJ Hargrave
Senior Technical Staff Member, IBM
OSGi Fellow and CTO of the OSGi Alliance
[email protected]
office: +1 386 848 1781
mobile: +1 386 848 3788
_______________________________________________
OSGi Developer Mail List
[email protected]
https://mail.osgi.org/mailman/listinfo/osgi-dev
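
Added example, not part of the original message and not code from the OSGi project: a sketch of a policy-manager bundle that uses the R4.2 newConditionalPermissionInfo call and the DENY access mentioned in the reply. The class name PolicySetup, the row names, the three-row policy itself and the assumption that this bundle's own location matches "*test*" are all hypothetical.

```java
import java.util.List;
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;
import org.osgi.service.condpermadmin.BundleLocationCondition;
import org.osgi.service.condpermadmin.ConditionInfo;
import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
import org.osgi.service.condpermadmin.ConditionalPermissionInfo;
import org.osgi.service.condpermadmin.ConditionalPermissionUpdate;
import org.osgi.service.permissionadmin.PermissionInfo;

// Hypothetical policy-manager bundle: install and start it first, while the
// permission table is still empty and every bundle has AllPermission.
public class PolicySetup implements BundleActivator {
    private static final String CPA = ConditionalPermissionAdmin.class.getName();

    @SuppressWarnings({"rawtypes", "unchecked"}) // the R4.2 API returns a raw List
    public void start(BundleContext ctx) {
        ServiceReference ref = ctx.getServiceReference(CPA);
        if (ref == null) throw new IllegalStateException("ConditionalPermissionAdmin not available");
        ConditionalPermissionAdmin cpa = (ConditionalPermissionAdmin) ctx.getService(ref);
        ConditionalPermissionUpdate update = cpa.newConditionalPermissionUpdate();
        List rows = update.getConditionalPermissionInfos();
        rows.clear();
        // Rows are evaluated in order; the first row whose conditions hold and
        // whose permissions imply the checked permission decides ALLOW or DENY.
        // Row 1: bundles whose location matches "*test*" may manage the table.
        // The pattern matches any location string containing "test".
        ConditionInfo fromTest = new ConditionInfo(
            BundleLocationCondition.class.getName(), new String[] {"*test*"});
        rows.add(cpa.newConditionalPermissionInfo("managers",
            new ConditionInfo[] {fromTest},
            new PermissionInfo[] {new PermissionInfo("java.security.AllPermission", "*", "*")},
            ConditionalPermissionInfo.ALLOW));
        // Row 2: no conditions, so it applies to every bundle that reaches it;
        // explicitly deny getting the ConditionalPermissionAdmin service.
        rows.add(cpa.newConditionalPermissionInfo("deny-cpa-service",
            new ConditionInfo[0],
            new PermissionInfo[] {new PermissionInfo("org.osgi.framework.ServicePermission", CPA, "get")},
            ConditionalPermissionInfo.DENY));
        // Row 3: baseline for everything else. Without AllPermission here,
        // commit() on a later update throws SecurityException for these bundles.
        rows.add(cpa.newConditionalPermissionInfo("baseline",
            new ConditionInfo[0],
            new PermissionInfo[] {
                new PermissionInfo("org.osgi.framework.PackagePermission", "*", "import"),
                new PermissionInfo("org.osgi.framework.ServicePermission", "*", "get")},
            ConditionalPermissionInfo.ALLOW));
        // commit() returns false if the table changed after the update was created.
        if (!update.commit()) throw new IllegalStateException("permission table changed concurrently");
    }

    public void stop(BundleContext ctx) {}
}
```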
