Re: Specification version of OSGI implemented in felix main 7.0.3
It is R8. Need to update the docs for the main. Sorry for the confusion. regards, Karl On Mon, Feb 7, 2022 at 5:36 PM Tom Jenkinson wrote: > > Hi, > > Please can I ask someone to clarify what version of OSGi specification is > implemented by felix.main 7.0.3? > > I can see in > https://github.com/apache/felix-dev/blob/org.apache.felix.main-7.0.3/main/pom.xml#L84 > that it seems to be R6 > > But the > https://github.com/apache/felix-dev/blob/org.apache.felix.main-7.0.3/framework/pom.xml#L108 > seems to be R8 > > https://github.com/apache/felix-dev/blob/org.apache.felix.main-7.0.3/README.md?plain=1#L7 > talks about R7. > > https://felix.apache.org/documentation/subprojects.html talks about R8. > > Many thanks for any insight that can be shared, > Tom -- Karl Pauls karlpa...@gmail.com - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org
Re: Trouble creating a conditional AdminPermission with Felix 7.0.3 and OSGi Secutiry 2.8.3
Thanks, that helps. I think you are running in a special case - namely, a bundle has certain admin permissions on itself. CONTEXT is one of them: http://docs.osgi.org/specification/osgi.core/8.0.0/framework.security.html#framework.security.impliedpermissions If I change your example to be getting the bundle context of another bundle (e.g., the system bundle) like this: --- a/caged-impl/src/main/kotlin/com/example/caged/impl/CagedActionImpl.kt +++ b/caged-impl/src/main/kotlin/com/example/caged/impl/CagedActionImpl.kt @@ -42,7 +42,7 @@ class CagedActionImpl : CagedAction { // This should be denied too, but isn't. logger.info("- Requesting BundleContext") -bundle.bundleContext +bundle.bundleContext.getBundle(0).bundleContext logger.info("Completed successfully") } it works as expected. Futhermore, your other, manual, test with creating the admin permission makes a mistake - you can't have it be an admin permission with a filter. It would need to be one created for a specific bundle e.g.: --- a/caged-impl/src/main/kotlin/com/example/caged/impl/CagedActionImpl.kt +++ b/caged-impl/src/main/kotlin/com/example/caged/impl/CagedActionImpl.kt @@ -31,7 +31,7 @@ class CagedActionImpl : CagedAction { System.getSecurityManager()?.also { sm -> // I expect this AdminPermission to be denied, but it isn't. -val admin = AdminPermission("(location=${bundle.location})", CONTEXT) +val admin = AdminPermission(bundle.bundleContext.getBundle(0), CONTEXT) works as expected too. As of debugging - I sometimes find it useful to run with "-Djava.security.debug=all" which will log all permission checks (among other things). Obviously, that is a lot (includes all of the jvm as it is not OSGi specific) but e.g. for the modified test above I get this in the output: access: access denied ("org.osgi.framework.AdminPermission" "(id=0)" "context") java.lang.Exception: Stack trace at java.base/java.lang.Thread.dumpStack(Thread.java:1388) at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:462) at java.base/java.security.AccessController.checkPermission(AccessController.java:897) at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322) at com.example.caged.impl.CagedActionImpl.execute(CagedActionImpl.kt:40) at com.example.caged.testing.AdminPermissionTest.testPermissions(AdminPermissionTest.kt:112) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:566) access: domain that failed [com.example.caged.impl [20](R 20.0)] regards, Karl On Thu, Feb 3, 2022 at 12:35 PM Chris Rankin wrote: > > Hi, > > I have managed to reproduce the issue in this GitHub repository: > https://github.com/chrisr3/osgi-security.git > > I am hoping this is just a misunderstanding somewhere on my part. > > Cheers, > Chris > > On Wed, 2 Feb 2022 at 17:40, Karl Pauls wrote: > > > > Sounds strange, do you have something you can share that reproduces the > > problem? > > > > regards, > > > > Karl > > > > On Wed, Feb 2, 2022 at 3:56 PM Chris Rankin wrote: > > > > > > Hi, > > > > > > I am starting to suspect that the "CondtionInfo" aspect is actually > > > working correctly, and that the actual problem is with AdminPermission > > > itself. > > > > > > I have added this line to both a bundle whose location matches > > > "CAGE/*" and one whose location doesn't: > > > > > > System.getSecurityManager().checkPermission(new AdminPermission("*", > > > AdminPermission.CONTEXT)); > > > > > > This check correctly does/does not trigger an AccessControlException, > > > according to who invokes it. > > > > > > However, checking AdminPermission(bundle, AdminPermission.CONTEXT) > > > doesn't trigger an exception in either case. > > > > > > Have I completely misunderstood how the AdminPermission's "name" > > > property works? I can't see how everyone has not noticed a bug in > > > something this crucial?! > > > > > > Cheers, > > > Chris > > > > > > - > > > To unsubscribe, e-mail: users-unsubscr...@felix.apache.
Re: Trouble creating a conditional AdminPermission with Felix 7.0.3 and OSGi Secutiry 2.8.3
Sounds strange, do you have something you can share that reproduces the problem? regards, Karl On Wed, Feb 2, 2022 at 3:56 PM Chris Rankin wrote: > > Hi, > > I am starting to suspect that the "CondtionInfo" aspect is actually > working correctly, and that the actual problem is with AdminPermission > itself. > > I have added this line to both a bundle whose location matches > "CAGE/*" and one whose location doesn't: > > System.getSecurityManager().checkPermission(new AdminPermission("*", > AdminPermission.CONTEXT)); > > This check correctly does/does not trigger an AccessControlException, > according to who invokes it. > > However, checking AdminPermission(bundle, AdminPermission.CONTEXT) > doesn't trigger an exception in either case. > > Have I completely misunderstood how the AdminPermission's "name" > property works? I can't see how everyone has not noticed a bug in > something this crucial?! > > Cheers, > Chris > > - > To unsubscribe, e-mail: users-unsubscr...@felix.apache.org > For additional commands, e-mail: users-h...@felix.apache.org > -- Karl Pauls karlpa...@gmail.com - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org
Re: Felix on jdk11
right, as I said, you need to put the felix jar on the classpath - then it should work. regards, Karl On Monday, February 18, 2019, Chuck Davis wrote: > I start my main class with the following bash script: > > java --module-path > /sata2/modules:/sata2/modules/felix:/sata2/Downloads/javafx/ > javafx-sdk-11.0.1/lib > --add-modules=ALL-MODULE-PATH com.yakridge.jfxfelix.JFXMain > If I comment out all the Felix stuff the program runs fine. My main class > is on the classpath. The felix bundles are in /sata2/modules directory. > > > On Mon, Feb 18, 2019 at 8:00 AM Karl Pauls wrote: > > > How do you start this main class (and/or, are you embedding felix in a > > module)? > > > > You need to be on the classpath and not on the module path to work. > > > > regards, > > > > Karl > > > > > -- Karl Pauls karlpa...@gmail.com
Re: Felix on jdk11
How do you start this main class (and/or, are you embedding felix in a module)? You need to be on the classpath and not on the module path to work. regards, Karl On Mon, Feb 18, 2019 at 4:58 PM Chuck Davis wrote: > > I'm running openSUSE tumbleweed with OpenJDK11.0.2. > > My main class loads the framework with this code: (which worked on jdk8) > > ServiceLoader factoryLoader = > ServiceLoader.load(FrameworkFactory.class); > Iterator it = factoryLoader.iterator(); > frameworkFactory = it.next(); > framework = frameworkFactory.newFramework(null); > > > if (framework == null) { > System.out.println("The framework is null"); > } else { > System.out.println("The framework class is: " + > framework.getClass().getName()); > } > > > > try { > framework.start(); > context = framework.getBundleContext(); > } catch (BundleException ex) { > //Logger.getLogger(JFXMain.class.getName()).log(Level.SEVERE, > null, ex); > } > > On Mon, Feb 18, 2019 at 7:12 AM Karl Pauls wrote: > > > Hm, that would be new - are you sure that happens on java11 and how > > did you start-up the framework? > > > > regards, > > > > Karl > > > > On Mon, Feb 18, 2019 at 4:08 PM Chuck Davis wrote: > > > > > > Hi Karl: > > > > > > This seems to be the root cause of the other exceptions I'm dealing with. > > > Obviously, there is no longer a java.net to open. I don't know if the > > > highlighting will transmit but the problems is: "Caused by:.. > > > > > > Caused by: java.lang.RuntimeException: Unable to make protected boolean > > > java.net.URLStreamHandler.equals(java.net.URL,java.net.URL) accessible: > > > module java.base does not "opens java.net" to module > > > org.apache.felix.framework > > > at org.apache.felix.framework@6.0.2 > > > > > /org.apache.felix.framework.URLHandlersStreamHandlerProxy.(URLHandlersStreamHandlerProxy.java:104) > > > ... 15 more > > > Caused by: java.lang.reflect.InaccessibleObjectException: Unable to make > > > protected boolean > > > java.net.URLStreamHandler.equals(java.net.URL,java.net.URL) accessible: > > > module java.base does not "opens java.net" to module > > > org.apache.felix.framework > > > at > > > > > java.base/java.lang.reflect.AccessibleObject.checkCanSetAccessible(AccessibleObject.java:340) > > > at > > > > > java.base/java.lang.reflect.AccessibleObject.checkCanSetAccessible(AccessibleObject.java:280) > > > at > > > java.base/java.lang.reflect.Method.checkCanSetAccessible(Method.java:198) > > > at > > java.base/java.lang.reflect.Method.setAccessible(Method.java:192) > > > at org.apache.felix.framework@6.0.2 > > > > > /org.apache.felix.framework.util.SecureAction.setAccesssible(SecureAction.java:871) > > > at org.apache.felix.framework@6.0.2 > > > > > /org.apache.felix.framework.URLHandlersStreamHandlerProxy.(URLHandlersStreamHandlerProxy.java:79) > > > ... 15 more > > > > > > > > > On Mon, Feb 18, 2019 at 4:53 AM Karl Pauls wrote: > > > > > > > The framework itself should work ootb on java11 just fine. Likewise, I > > > > think the default distribution should work on java11 too (i.e., the > > > > shell). > > > > > > > > Not sure about other bundles - feel free to follow-up with your set-up > > > > and the exceptions you see. > > > > > > > > regards, > > > > > > > > Karl > > > > > > > > On Mon, Feb 18, 2019 at 1:43 PM Chuck Davis > > wrote: > > > > > > > > > > Thanks for responding, Rob. I'm very new to OSGi and that sounds > > like a > > > > > LOT of tinkering to me (overwhelming in fact at this point !!). > > > > > > > > > > But the more I study it the more it makes sense to me and the > > exceptions > > > > > I'm seeing. > > > > > > > > > > Thanks for your response. > > > > > > > > > > On Sun, Feb 17, 2019 at 8:44 PM Rob Walker wrote: > > > > > > > > > > > We have worked our Felix based app so that it runs on JDK11 - took > > a > > > > bit > > > > > > o
Re: Felix on jdk11
Are you maybe trying to add the framework as an automatic module? That wouldn't work, it needs to be on the classpath (i.e., in the unnamed module)... regards, Karl On Mon, Feb 18, 2019 at 4:11 PM Karl Pauls wrote: > > Hm, that would be new - are you sure that happens on java11 and how > did you start-up the framework? > > regards, > > Karl > > On Mon, Feb 18, 2019 at 4:08 PM Chuck Davis wrote: > > > > Hi Karl: > > > > This seems to be the root cause of the other exceptions I'm dealing with. > > Obviously, there is no longer a java.net to open. I don't know if the > > highlighting will transmit but the problems is: "Caused by:.. > > > > Caused by: java.lang.RuntimeException: Unable to make protected boolean > > java.net.URLStreamHandler.equals(java.net.URL,java.net.URL) accessible: > > module java.base does not "opens java.net" to module > > org.apache.felix.framework > > at org.apache.felix.framework@6.0.2 > > /org.apache.felix.framework.URLHandlersStreamHandlerProxy.(URLHandlersStreamHandlerProxy.java:104) > > ... 15 more > > Caused by: java.lang.reflect.InaccessibleObjectException: Unable to make > > protected boolean > > java.net.URLStreamHandler.equals(java.net.URL,java.net.URL) accessible: > > module java.base does not "opens java.net" to module > > org.apache.felix.framework > > at > > java.base/java.lang.reflect.AccessibleObject.checkCanSetAccessible(AccessibleObject.java:340) > > at > > java.base/java.lang.reflect.AccessibleObject.checkCanSetAccessible(AccessibleObject.java:280) > > at > > java.base/java.lang.reflect.Method.checkCanSetAccessible(Method.java:198) > > at java.base/java.lang.reflect.Method.setAccessible(Method.java:192) > > at org.apache.felix.framework@6.0.2 > > /org.apache.felix.framework.util.SecureAction.setAccesssible(SecureAction.java:871) > > at org.apache.felix.framework@6.0.2 > > /org.apache.felix.framework.URLHandlersStreamHandlerProxy.(URLHandlersStreamHandlerProxy.java:79) > > ... 15 more > > > > > > On Mon, Feb 18, 2019 at 4:53 AM Karl Pauls wrote: > > > > > The framework itself should work ootb on java11 just fine. Likewise, I > > > think the default distribution should work on java11 too (i.e., the > > > shell). > > > > > > Not sure about other bundles - feel free to follow-up with your set-up > > > and the exceptions you see. > > > > > > regards, > > > > > > Karl > > > > > > On Mon, Feb 18, 2019 at 1:43 PM Chuck Davis wrote: > > > > > > > > Thanks for responding, Rob. I'm very new to OSGi and that sounds like a > > > > LOT of tinkering to me (overwhelming in fact at this point !!). > > > > > > > > But the more I study it the more it makes sense to me and the exceptions > > > > I'm seeing. > > > > > > > > Thanks for your response. > > > > > > > > On Sun, Feb 17, 2019 at 8:44 PM Rob Walker wrote: > > > > > > > > > We have worked our Felix based app so that it runs on JDK11 - took a > > > bit > > > > > of tinkering, but there wasn't anything in core code we had to change. > > > > > > > > > > > > > > > > > > > > We did need to load the following bundles separately to replace > > > > > missing > > > > > classes: > > > > > > > > > > > > > > > > > > > > jre-1.8_extra_bundles= > > > > > > > > > > jre-9_extra_bundles=${j9_replacement_packages} > > > > > > > > > > jre-10_extra_bundles=${j9_replacement_packages} > > > > > > > > > > jre-11_extra_bundles=${j9_replacement_packages} > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > Karl Pauls > > > karlpa...@gmail.com > > > > > > - > > > To unsubscribe, e-mail: users-unsubscr...@felix.apache.org > > > For additional commands, e-mail: users-h...@felix.apache.org > > > > > > > > > > -- > Karl Pauls > karlpa...@gmail.com -- Karl Pauls karlpa...@gmail.com - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org
Re: Felix on jdk11
The framework itself should work ootb on java11 just fine. Likewise, I think the default distribution should work on java11 too (i.e., the shell). Not sure about other bundles - feel free to follow-up with your set-up and the exceptions you see. regards, Karl On Mon, Feb 18, 2019 at 1:43 PM Chuck Davis wrote: > > Thanks for responding, Rob. I'm very new to OSGi and that sounds like a > LOT of tinkering to me (overwhelming in fact at this point !!). > > But the more I study it the more it makes sense to me and the exceptions > I'm seeing. > > Thanks for your response. > > On Sun, Feb 17, 2019 at 8:44 PM Rob Walker wrote: > > > We have worked our Felix based app so that it runs on JDK11 - took a bit > > of tinkering, but there wasn't anything in core code we had to change. > > > > > > > > We did need to load the following bundles separately to replace missing > > classes: > > > > > > > > jre-1.8_extra_bundles= > > > > jre-9_extra_bundles=${j9_replacement_packages} > > > > jre-10_extra_bundles=${j9_replacement_packages} > > > > jre-11_extra_bundles=${j9_replacement_packages} > > > > > > -- Karl Pauls karlpa...@gmail.com - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org
Re: Problems using the servlet bridge
It should be set by the listener: http://svn.apache.org/repos/asf/felix/trunk/http/samples/bridge/src/main/java/org/apache/felix/http/samples/bridge/StartupListener.java (which creates the FramworkService that in turn sets the context property). Did you maybe not keep the provided web.xml? regards, Karl On Thu, Dec 20, 2018 at 2:28 PM Bernd Foersterling wrote: > > Hi all, > I'm currently working on a servlet running an embedded framework using the > servlet bridge. > OSGi is fairly new for me, I recently finished reading my first book > regarding OSGi. > But let's see what my problem is. > I started by just building the example servlet bridge from the felix-docs > (http://svn.apache.org/repos/asf/felix/trunk/http/samples/bridge/) after > updating the dependencies to the most recent versions and adding some extra > bundles to run my plugin. > After building the war-file and deploying it to a Tomcat application server > v8.0 the frameworks seems to start correctly, so no missing dependencies e.g. > But if I try to access my servlet (that just prints "Hello World" to the > browser) I just receive the following exception: > > 20-Dec-2018 14:04:52.116 SEVERE [http-nio-8080-exec-6] > org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for > servlet [proxy] in context with path [/CoreRunner] threw exception [Bundle > context attribute [org.osgi.framework.BundleContext] not set in servlet > context] with root cause > javax.servlet.ServletException: Bundle context attribute > [org.osgi.framework.BundleContext] not set in servlet context > > I inspected the corresponding source code a little bit. When the exception is > thrown the proxy servlet tries to get the bundle context object from the > servlet context attributes, but it does not seem to be there (obviously). > That irritates me a little bit, as the bundle context is set in the first > line of the start method in the provision activator. > > When I try to run my servlet in a standalone framework everything works fine. > So the problem is definitely not my servlet, but the bridge. > > Was there a recent change made to the bridge, that made the example stopped > working? > Any other thoughts? > > Kind regards > Bernd -- Karl Pauls karlpa...@gmail.com - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org
Re: Bundle inspection command for gogo
On Tue, Nov 13, 2018 at 1:56 PM Todor Boev wrote: > > Yes I know of this output. > As I said it is nearly useless compared to the equinox "bundle Id" and > "services filter" methods. > What I really want is to dump all bundle wires, all exported services, all > bound services. > In a nice list. > So I guess someone has to implement Neil's suggestion. Patches are welcome :-) regards, Karl > On Tue, Nov 13, 2018 at 12:44 PM Derek Baum wrote: > > > There is an inspect(Object) method in > > org.apache.felix.gogo.runtime.CommandSessionImpl, which is used when no > > more specific formatter is found. > > > > It uses reflection to invoke all public no-args methods on the target > > object and formats each using the LINE level. > > > > For example, see that the value for Bundle uses LINE format, so resembles > > the output of the lb command (which also uses LINE format): > > > > g! bundle 0 > > Location System Bundle > > State32 > > BundleContextorg.apache.felix.framework.BundleContextImpl@f572ebb > > BundleId 0 > > SymbolicName org.apache.felix.framework > > RegisteredServices [Resolver, PackageAdmin, StartLevel] > > ServicesInUse[StartLevel] > > Version 5.6.10 > > PersistentState 32 > > Bundle 0|Active |0|org.apache.felix.framework > > (5.6.10) > > Revisions[org.apache.felix.framework [0](R 0)] > > LastModified 0 > > Headers [Export-Package=org.osgi.dto; version="1.0.0", > > org.osgi.framework; version="1.8.0", > > -- snip -- > > > > -- > > Derek > > > > > On 13 Nov 2018, at 09:48, Neil Bartlett wrote: > > > > > > There is already a bundle command which returns a Bundle object. The > > > problem is the formatting of that object, which is controlled by > > > the org.apache.felix.service.command.Converter service. > > > > > > The implementation class org.apache.felix.gogo.shell.Converters (from the > > > shell bundle) implements a format method for Bundle objects at the LINE > > and > > > PART detail levels, which is why the output of the lb command doesn't > > look > > > terrible. It seems to lack an implementation for the INSPECT level > > however. > > > > > > Regards, > > > Neil > > > > > > On Tue, Nov 13, 2018 at 9:38 AM Todor Boev wrote: > > > > > >> Hello, > > >> > > >> Can we add a "bundle" command to gogo that will list a readable summary > > for > > >> a target bundle? > > >> Calling BundleContext.getBundle() and looking at the raw object print is > > >> almost useless. > > >> > > >> Also is there any reason this was not done until now? > > >> > > >> Regards, > > >> Todor > > >> > > > > -- Karl Pauls karlpa...@gmail.com - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org
Re: Running felix container inside another felix container
Hi Casper, it sounds like you are trying to create a subsystem. There is a solution for this in the compendium spec namely, [0]. There is an implementation that (AFAIK) works with felix in [1]. That said, if that is not applicable in your case (e.g., you want even stronger isolation), it should be possible to install the framework wrapped in a bundle - however, you would need to import the org.osgi.* packages from the the outside and set the framework bundle parent of the embedded framework to "framework". Ultimately, if all you want is hide a couple of packages from a couple of bundles you might want to explore using hooks to hide packages and/or bundles from other bundles (see [2] and/or [3]). Which approach serves you best really depends on what your use-case actually looks like. The hooks probably are the most lightweight (but most limited and need you to implement the hidding), the subsystem the most convenient (but more heavyweight then a simple hook), and the embedded framework provides the strongest isolation (at the cost of running a complete framework again and that you have to set it up correctly yourself). Hope that helps, feel free to ask if you need the embedded framework and run into problems. regards, Karl [0] https://osgi.org/specification/osgi.cmpn/7.0.0/service.subsystem.html [1] http://aries.apache.org/modules/subsystems.html [2] https://osgi.org/specification/osgi.core/7.0.0/framework.resolverhooks.html [3] https://osgi.org/specification/osgi.core/7.0.0/framework.bundlehooks.html On Mon, Nov 5, 2018 at 9:17 AM Casper van der Tuin wrote: > > Hi Felix users, > > Our solution consists of a set of bundles running in an Felix container > (Host). We want to open up our part of API for other teams to extends the > solution with additional bundles. As these should not be able to import all > the exports from the other bundles and platform, the idea was to have have a > bundle startup another felix container (Extension) and only export the > packages of our open API for bundles running within this container. However > when protoyping this we ran into the issue that the bundles running within > the Extension container will use the class loader from the Host container > instead of the class loader from the Extension container. Which could make > sense as the Felix classes are contained on the Host. > > We also tried to include the felix jars inside the Extension bundle (to have > the complete felix in the Extension bundle class loader). Unfortunately this > blokced starting up the bundle, as the Activater instantiated in to startup > the Extension bundle is now not created in the same classloader as the where > it is used in the Host container, resulting in a class cast exception. > > Does any one have an idea on how to solve this issue, i.e. so that bundles > runnning in the Extension container will load classes from the class loader > of the Extension container bundle? Or have any other solution to restrict > the imports of some of the bundles running in the Felix container? > > Greetings, > Casper > > > > -- > Sent from: > http://apache-felix.18485.x6.nabble.com/Apache-Felix-Users-f4833200.html > > - > To unsubscribe, e-mail: users-unsubscr...@felix.apache.org > For additional commands, e-mail: users-h...@felix.apache.org > -- Karl Pauls karlpa...@gmail.com - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org
Re: Felix Http Jetty packaging as uber bundle?
Hi Eric, sorry, I was a bit brief in my last mail (was on my phone). The point is: the TCCL is the mechanism intended for configuring a ServiceLoader. That is how this is supposed to work. The problem typically is that in OSGi it is either not set or its set to the wrong classloader. However, it sounds like in case of our jetty bundle we know what classloader we want namely, the classloader of the bundle. Granted, I might be missing something but it sounds like if set the TCCL to the the bundle classloader we don't need the ServiceLoader mediator involved in our jetty bundle at all (which would be nice as it should be as self-contained a possible). Am I missing some other service case that would require it? Furthermore, I'm not sure I understand you comment about the need to "provide the appropriate alpn-impl bundles that corresponds to your JRE". Don't these jars have to be added to the bootclasspath (in which case, they can't be provided as bundles, no)? regards, Karl On Sun, Jul 15, 2018 at 11:59 PM Eric Norman wrote: > > Hi Karl, > > Perhaps juggling the TCCL around the jetty startup code would workaround > the specific startup error from PreEncodedHttpField, but I don't really > like doing that around such a broad block of someone else's code. It > wouldn't be clear to me that it doesn't have any unintended side effects > now or in the future. > > I guess I can take a closer look at patching the jetty code. A solution > that replaces their usages of ServiceLoader with a ServiceTracker when > running inside of an osgi container would be better in the long run. Plus > that would remove the need for the additional ServiceLoader mediator > bundles which would make the distribution a bit smaller. > > Regards, > Eric > > On Sun, Jul 15, 2018 at 10:28 AM, Karl Pauls wrote: > > > I think you can just set the thread context classloader to the classloader > > of the bundle in the activator and then you don’t need the spifly thingy at > > all anymore... > > > > > > regards, > > > > Karl > > > > On Sunday, July 15, 2018, Eric Norman wrote: > > > > > Hi Carsten, > > > > > > I tried to make it work with an uber bundle by merging in the important > > > stuff. In this case the o.a.felix.http.jetty is both a consumer and a > > > producer of a few ServiceLoader services. > > > > > > Unfortunately, it looks like there is a problem with using the service > > > loader mediator stuff in the uber bundle. The problem is that the spifly > > > osgi.extender listens for new bundles being installed (when the bundle > > > reaches the ACTIVE state) and registers the service providers it > > discovers > > > at that point. > > > > > > However, one of the ServiceLoader.load consumer calls is invoked in the > > > JettyActivator before the o.a.felix.http.jetty has reached the ACTIVE > > > state (see > > > the stack trace below). So in this use case, the producer hasn't > > declared > > > the services yet when the consumer tries to use them. > > > > > > PreEncodedHttpField.() line: 49 > > > MimeTypes$Type.(String) line: 103 > > > MimeTypes$Type.() line: 58 > > > MimeTypes.() line: 191 > > > ServletContextHandler(ContextHandler).doStart() line: 832 > > > ServletContextHandler.doStart() line: 287 > > > ServletContextHandler(AbstractLifeCycle).start() line: 68 > > > ContextHandlerCollection(ContainerLifeCycle).start(LifeCycle) line: 138 > > > ContextHandlerCollection(ContainerLifeCycle).doStart() line: 117 > > > ContextHandlerCollection(AbstractHandler).doStart() line: 113 > > > ContextHandlerCollection.doStart() line: 167 > > > ContextHandlerCollection(AbstractLifeCycle).start() line: 68 > > > Server(ContainerLifeCycle).start(LifeCycle) line: 138 > > > Server.start(LifeCycle) line: 419 > > > Server(ContainerLifeCycle).doStart() line: 108 > > > Server(AbstractHandler).doStart() line: 113 > > > Server.doStart() line: 386 > > > Server(AbstractLifeCycle).start() line: 68 > > > JettyService.initializeJetty() line: 426 > > > JettyService.startJetty() line: 306 > > > JettyService.start() line: 149 > > > JettyActivator.doStart() line: 63 > > > JettyActivator(AbstractActivator).start(BundleContext) line: 39 > > > SecureAction.startActivator(BundleActivator, BundleContext) line: 697 > > > SlingFelix(Felix).activateBundle(BundleImpl, boolean) line: 2240 > > > SlingFelix(Felix).startBundle(BundleImpl, int) line: 2146 > > > SlingFelix(Felix).setActiveStartLevel(int, FrameworkListe
Re: Felix Http Jetty packaging as uber bundle?
eloader" Require-Capability and > > > Provide-Capability attributes from the manifest of the embedded jetty-* > > > bundles when it is repackaged. This makes it so the ServiceLoader code > > is > > > unable to discover the services provided by the jetty-http and the > > > jetty-alpn-* bundles and the jetty HTTP/2 related code fails. > > > > > > In other words, using the jetty-* bundles has everything packaged and > > > declared correctly to utilize the OSGi ServiceLoader mediator patterns, > > but > > > the felix.http.jetty bundle is missing some of the critical details. > > Also, > > > by using the jetty bundles directly, the jetty and felix bundles could > > > evolve at their own pace and felix would not have to re-release a new > > > version of the felix.http.jetty bundle every time a new jetty version > > gets > > > released. > > > > > > I have proven locally that the above scenario works and have gotten the > > > jetty HTTP/2 support to work locally by refactoring to make a "thin" > > > version of the felix.http.jetty bundle that doesn't have a copy of the > > > jetty classes inside of it and then provision the following bundles to > > the > > > OSGi profile: > > > > > > # "thin" felix http jetty without the jetty classes embedded > > > org.apache.felix/org.apache.felix.http.jetty/4.0.3-SNAPSHOT > > > > > > # additional bundles to enable OSGi ServiceLoader mediator support > > > org.ow2.asm/asm-all/5.2 > > > org.apache.aries/org.apache.aries.util/1.1.3 > > > org.apache.aries.spifly/org.apache.aries.spifly.dynamic.bundle/1.0.12 > > > > > > # Jetty bundles > > > org.eclipse.jetty/jetty-servlet/9.4.11.v20180605 > > > org.eclipse.jetty/jetty-server/9.4.11.v20180605 > > > org.eclipse.jetty/jetty-http/9.4.11.v20180605 > > > org.eclipse.jetty/jetty-io/9.4.11.v20180605 > > > org.eclipse.jetty/jetty-util/9.4.11.v20180605 > > > org.eclipse.jetty/jetty-jmx/9.4.11.v20180605 > > > org.eclipse.jetty/jetty-security/9.4.11.v20180605 > > > org.eclipse.jetty/jetty-webapp/9.4.11.v20180605 > > > org.eclipse.jetty/jetty-xml/9.4.11.v20180605 > > > org.eclipse.jetty.websocket/websocket-servlet/9.4.11.v20180605 > > > org.eclipse.jetty.websocket/websocket-api/9.4.11.v20180605 > > > org.eclipse.jetty.websocket/websocket-server/9.4.11.v20180605 > > > org.eclipse.jetty.websocket/websocket-common/9.4.11.v20180605 > > > org.eclipse.jetty.websocket/websocket-client/9.4.11.v20180605 > > > org.eclipse.jetty/jetty-client/9.4.11.v20180605 > > > org.eclipse.jetty.http2/http2-server/9.4.11.v20180605 > > > org.eclipse.jetty.http2/http2-common/9.4.11.v20180605 > > > org.eclipse.jetty.http2/http2-hpack/9.4.11.v20180605 > > > org.eclipse.jetty/jetty-alpn-server/9.4.11.v20180605 > > > > > > # Provide ALPN support for JDK8 (doesn't work for JDK 9+). Also > requires > > > an additional alpn-boot-*.jar to be declared as a "-Xbootclasspath/p" > > > argument to java. > > > org.eclipse.jetty.osgi/jetty-osgi-alpn/9.4.11.v20180605 > > > org.eclipse.jetty/jetty-alpn-openjdk8-server/9.4.11.v20180605 > > > > > > # Alternatively, exclude the JDK8 bundles and provide support for ALPN > > > based on support baked into the runtime for JDK9+ (doesn't work for JDK > > > 8). No alpn-boot-*.jar is required. > > > #org.eclipse.jetty.alpn/alpn-api/1.1.3.v20160715 > > > #org.eclipse.jetty/jetty-alpn-java-server/9.4.11.v20180605 > > > > > > # Alternatively, exclude the JDK8/JDK9 ALPN impl bundles and provide > > > support for ALPN based on the conscrypt impl (NOTE: I haven't gotten > this > > > one to work yet). > > > # > > > org.apache.servicemix.bundles/org.apache.servicemix.bundles. > > conscrypt-openjdk/1.0.1_1 > > > #org.eclipse.jetty/jetty-alpn-conscrypt-server/9.4.11.v20180605 > > > > > > > > > FYI: I've stashed the changes to the felix.http.jetty code at [1] if > you > > > wish to review. > > > > > >1. > > >https://github.com/enapps-enorman/felix/commit/ > > 76adf9d3a445cb620d2baa9fd1155f5e25aa3ca5 > > > > > > > > > Please let me know if you have any thoughts on this. > > > > > > Regards, > > > Eric Norman > > > > > -- > > Carsten Ziegeler > > Adobe Research Switzerland > > cziege...@apache.org > > > > - > > To unsubscribe, e-mail: users-unsubscr...@felix.apache.org > > For additional commands, e-mail: users-h...@felix.apache.org > > > > > -- Karl Pauls karlpa...@gmail.com
Re: is current version of Maven-Bundle-Plugin aware of @ComponentPropertyType from DS 1.4?
On Tue, Jul 3, 2018 at 10:24 PM Raymond Auge wrote: > > ComponentPropertyTypes only start to be recognized with bnd 4.0.0 and will > be fully with, as yet released, bnd 4.1.0. > > Since the latest maven-bundle-plugin 3.5.0 only uses bnd 3.5.0 it's not > handled (note the versions are kept in sync for convenience). Right, I guess we should try to at release a maven-bundle-plugin 4.0.0 soonish. (I believe you can override the bnd version that is going to be used by overriding the bndlib dependency of the maven-bundle-plugin but I might be wrong) regards, Karl > Sincerely, > - Ray > > > On Tue, Jul 3, 2018 at 3:28 PM, Cristiano wrote: > > > hello, > > > > I'm trying to play with DS 1.4 @ComponentPropertyType. > > > > I've created an annotation: > > > > @ComponentPropertyType > >> public @interface Config { > >> > >> /** > >> * @return > >> */ > >> String participant_id(); > >> } > >> > > > > then I tried to use it in activate method: > > > > @Activate > >> @Config(participant_id = "category") > >> @Override > >> protected void activate(ComponentContext pInjectedComponentContext, > >> Map pProperties, > >> DsConfigParticipant pConfigProperties) > >> {...} > >> > > > > but M-B-P gives me an manifest generation exception: > > > > [ERROR] Manifest br.com.c8tech.osgi:br.com.c8te > >> ch.osgi.core:jar:0.1.1-SNAPSHOT : Activate method for > >> c8tech.osgi.core.internal.configuration.ComponentCategoryServiceProvider > >> descriptor ()Ljava/lang/String; is not acceptable. > >> > > > > > > thanks, > > > > Cristiano > > > > > > - > > To unsubscribe, e-mail: users-unsubscr...@felix.apache.org > > For additional commands, e-mail: users-h...@felix.apache.org > > > > > > > -- > *Raymond Augé* <http://www.liferay.com/web/raymond.auge/profile> > (@rotty3000) > Senior Software Architect *Liferay, Inc.* <http://www.liferay.com> > (@Liferay) > Board Member & EEG Co-Chair, OSGi Alliance <http://osgi.org> (@OSGiAlliance) -- Karl Pauls karlpa...@gmail.com - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org
Re: How to download / install Felix?
Looks like the download link in the list [1] was broken. I fixed it. If you have a look again (or use the download link from the navigation menu on the left) you should get to https://felix.apache.org/downloads.cgi where you can download the framework with a shell (Felix Framework Distribution). Thanks for pointing out the broken link! regards, Karl On Mon, May 28, 2018 at 4:26 PM, Peter Nabbefeld <peter.nabbef...@gmx.de> wrote: > > Hi, > > I just want to download and install Felix, but I'm running into broken links > and missing packages: > > [1] https://felix.apache.org/documentation/getting-started.html > (a) The "Downloads" link in the list does not work for me. > (b) The "Downloads" link from navigation leads me e.g. to > "http://mirror.yannic-bonenberger.com/apache/; or any other mirror with the > same directory structure. > First: The link points to the parent directory. > Second: From the description, there should be some file > "felix-framework-*.zip". Instead, there's a bunch of jar files without any > documentation. > Third: There's a file "apache-felix-karaf-1.6.0.zip" which might contain > some useful code, but it's not documented. > > [2] https://cwiki.apache.org/confluence/display/FELIX/downloads > (a) Broken download links, too. > (b) Mirrors same as [1]. > > So, where and how can I download and install Felix, and how can I run it > using the console after installation? > > Kind regards > Peter > > > ----- > To unsubscribe, e-mail: users-unsubscr...@felix.apache.org > For additional commands, e-mail: users-h...@felix.apache.org > -- Karl Pauls karlpa...@gmail.com - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org
Re: Resolving to micro version
ect cap service 9 (correct one) >> >> rbl-osgi [9] provides: >> >> -- >> >> service; com.basistech.rbl.osgi.RblRosetteComponentService with >> properties: >> >> ... >> >> >> >> I can see the same thing for the bundle 10. >> >> [ 10] com.basistech.rbl.osgi.impl.BlComponentService enabled >> >>[ 5] [satisfied ] >> >> >> >> >> >> Export: >> >> com.basistech.rbl.osgi {version=7.24.0.c592} >> >> >> >> (from 7.24.104) >> >> com.basistech.rbl.osgi {version=7.24.104.c592} >> >> >> >> Importing side: >> >> com.basistech.rbl.osgi {version=[7.24.0,7.24.1)} >> >> >> >> >> >> On Tue, Apr 3, 2018 at 5:27 PM, Neil Bartlett <njbartl...@gmail.com> >> >> wrote: >> >> >> >>> >> >>>> On 3 Apr 2018, at 22:17, Katsuya Tomioka <katsuya.tomi...@gmail.com> >> >>> wrote: >> >>>> >> >>>> Felix users, >> >>>> >> >>>> I have same bundles (say "A") installed only different by micro >> >> versions, >> >>>> 7.24.0 and 7.24.100. I have then another ("B") imports packages from >> >> "A" >> >>>> such that: "[7.24.0,7.24.1)". This works fine if I installed 7.24.0 >> >> only. >> >>>> But soon as 7.24.100 installed, the bundle B fails to resolve with >> >>>> unresolved requirements. >> >>>> >> >>>> Would that be possible to resolve the bundle B even with both versions >> >>> of A >> >>>> installed? Or is even allowed in the spec? >> >>> >> >>> This is definitely possible. >> >>> >> >>> Please post the actual error message so that we can work out what is >> >>> happening. It would also be helpful to see: >> >>> >> >>> * the list of bundles; >> >>> * the exact exports of the “A” bundles, and; >> >>> * the exact imports of the “B” bundle. >> >>> >> >>> Regards, >> >>> Neil >> >>> >> >>> >> >>>> >> >>>> Thanks, >> >>>> >> >>>> -Katsuya >> >>> >> >>> >> >>> - >> >>> To unsubscribe, e-mail: users-unsubscr...@felix.apache.org >> >>> For additional commands, e-mail: users-h...@felix.apache.org >> >>> >> >>> >> >> >> >> >> - >> To unsubscribe, e-mail: users-unsubscr...@felix.apache.org >> For additional commands, e-mail: users-h...@felix.apache.org >> >> -- Karl Pauls karlpa...@gmail.com - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org
Re: Dex Oat Felix Android
Yeah, our android support is pretty old and I was thinking for a while that we probably would need to rework it based on a PathClassLoader. I just never had the time/motivation to look into it. Can you maybe create a JIRA issue for it and I'll try to get to it (obviously, patches are welcome :-). regards, Karl On Thu, Mar 29, 2018 at 1:10 AM, Jörg Wille <joerg.wi...@gmail.com> wrote: > I am trying to run Felix on Android 8.1, targeting API 27. > I have dexified my test-bundle with this > <https://github.com/luoqii/felix-on-android/blob/master/dexify.sh> script. > Felix does start and the bundle gets successfully installed > (context.installBundle(url, is)). > But when I try to start the bundle I get following exception: > > Opening an oat file without a class loader. Are you using the deprecated > DexFile APIs? > > The DexFile is being used by Felix in > Class org.apache.felix.framework.BundleWiringImpl (1342) and I have read > <https://developer.android.com/reference/dalvik/system/DexFile.html> that > the DexFile class is deprecated since Android API 26. > But although deprecated, I checked that this class is still part of the API > 27, so this felix code should actually still work. > > Could the above exception have to do with using Android 8.1 API 27? > Has anyone had success running Felix on Android 8.1? Is there a example > code for running felix on (any version of) Android? > Or am I missing something? Do I maybe have to also "OATify" the bundle > before I can load it? > > Best regards, > Jörg -- Karl Pauls karlpa...@gmail.com - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org
Re: Felix startup performance on Windows due to secure random and network card MAC access
I think we could probably just switch to using java.util.Random instead of SecureRandom. Could you open a jira issue for this? regards, Karl On Thu, Mar 22, 2018 at 11:45 PM, Brad Wood <bdw4...@gmail.com> wrote: > Hi all, first time poster here. I'm working on a CLI project called > CommandBox ( https://www.ortussolutions.com/products/commandbox ) which is > based on a JSR-223 implementation of the JVM language Lucee Server ( > http://lucee.org/ ). Lucee uses Apache Felix internally when it starts up > and on my Windows machines I'm seeing a significant slowdown in startup > time due to accessing my Windows network adapter in order to read the Mac > address as part of SecureRandom which is used to generate a UUID for each > Felix instance. > > By significant slowdown, I'm talking about 1.5 seconds, which may go > unnoticed in a server startup, but is a week in CLI-startup years. :) Java > libs that want to access my network adapter's Mac address are a common > nemesis of my startup times, mostly due to Windows sucking from what I can > tell. > > This line here is where things start to go south: > https://github.com/apache/felix/blob/trunk/framework/src/main/java/org/apache/felix/framework/Felix.java#L675 > > And the stack traces usually look similar to this right here: > > java.lang.Thread.State: RUNNABLE > at java.net.NetworkInterface.getMacAddr0(Native Method) > at java.net.NetworkInterface.getHardwareAddress(NetworkInterface.java:460) > at > sun.security.provider.SeedGenerator.addNetworkAdapterInfo(SeedGenerator.java:238) > at sun.security.provider.SeedGenerator.access$000(SeedGenerator.java:80) > at sun.security.provider.SeedGenerator$1.run(SeedGenerator.java:183) > at sun.security.provider.SeedGenerator$1.run(SeedGenerator.java:168) > at java.security.AccessController.doPrivileged(Native Method) > at > sun.security.provider.SeedGenerator.getSystemEntropy(SeedGenerator.java:168) > at > sun.security.provider.SecureRandom$SeederHolder.(SecureRandom.java:201) > at sun.security.provider.SecureRandom.engineNextBytes(SecureRandom.java:221) > - locked <0x0007415f5f40> (a sun.security.provider.SecureRandom) > at java.security.SecureRandom.nextBytes(SecureRandom.java:468) > at org.apache.felix.framework.util.Util.randomUUID(Util.java:795) > at org.apache.felix.framework.Felix.init(Felix.java:675) > at org.apache.felix.framework.Felix.init(Felix.java:626) > at org.apache.felix.framework.Felix.start(Felix.java:964) > ... unrelated bootstrapping code... > > Based on the comments and a quick review of the code, I'm guessing the > generation of a UUID of some sort is unavoidable. What are the > chances of switching to some other, much faster library for UUID > generation that doesn't need to drop down the rabbit hole of asking my > Windows networking stack for a Mac address? This will make a huge > difference in my CLI startup times for sure. > > Perhaps a library like this could be used: > > https://github.com/jchambers/fast-uuid > > Thanks! > > ~Brad > > *Developer Advocate* > *Ortus Solutions, Corp * > > E-mail: b...@coldbox.org > ColdBox Platform: http://www.coldbox.org > Blog: http://www.codersrevolution.com -- Karl Pauls karlpa...@gmail.com - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org
Re: [Framework] Using the bundle: URL handler when felix.service.urlhandlers=false
No. Unfortunately, that is not possible. regards, Karl On Thu, Mar 22, 2018 at 4:13 PM, David Bosschaert <david.bosscha...@gmail.com> wrote: > Hi all, > > If the URL handlers are disabled via the felix.service.urlhandlers=false, > is there a way to manually register Felix's framework handler for the > bundle: URL scheme? > > Normally you'd register these with the > java.protocol.handler.pkgs/java.content.handler.pkgs > properties. [1] describes how to do this for the things like file: and > http:... I briefly looked at the code but did not see an obvious way to > register the bundle: protocol in this way... Is this possible? > > Many thanks, > > David > > [1] http://felix.apache.org/documentation/subprojects/ > apache-felix-framework/apache-felix-framework-faq.html#why- > do-i-get-an-unknown-protocol-http-exception-when-i-run- > felix-on-a-non-sun-jre -- Karl Pauls karlpa...@gmail.com - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org
Re: Replace ResourceServlet
On Mon, Feb 12, 2018 at 4:22 PM, Thomas Driessen <thomas.driessen...@gmail.com> wrote: > Hi, > > I'm currently trying to get Vaadin to work within OSGi and for this purpose > I'm using felix http as webserver. > > My current setup looks like this: > I have a ResourceTracker that tracks all themes/widgetsets/resources and > registers them according to the Vaadin scheme as resources via: > > > http.registerResources("/vaadin-8.2.1/VAADIN/path/to/resource", > "/VAADIN/path/to/resource", new MySpecialContext()); > > This works fine for production mode where all scss files are compiled to > css. > > The problem is in debug mode, where Vaadin offers an on-the-fly compilation > from scss to css. For this purpose Vaadin states one should register a > VaadinServlet under "/VAADIN/*" (or "/vaadin-8.2.1/VAADIN/*" in an OSGi > context) that takes care of compiling scss files on the fly if the > corresponding css files can not be found. > > The problem is: > > When I register a Vaadin servlet under "/vaadin-8.2.1/VAADIN/*" then this > servlet is never used. I might not remember correctly but IIRC, you are not supposed to put a "/*" at the end of the alias. Can you try to register the servlet with an alias of: "/vaadin-8.2.1/VAADIN" and see if that works? regards, Karl > Requests to > "localhost:8080/vaadin-8.2.1/VAADIN/path/to/resource" are still handled by a > ResourceServlet (DefaultServlet?) which, of course, is not able to find the > non-existent css files. > > Is there a way to tell felix http to use a custom servlet instead of its > default resource servlet? > > Kind regards, > Thomas -- Karl Pauls karlpa...@gmail.com - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org
Re: Felix and JavaFX
Additionally, the JavaFX exports should now be available on java9 ootb (assuming the modules are on the module path). As Neil correctly points out, the reason they are not on older version is exactly that - we don't know if they are there or not. With java9, we can detect that (and we do starting with Felix Framework 5.6.10). regards, Karl On Tue, Dec 12, 2017 at 4:03 PM, Neil Bartlett <njbartl...@gmail.com> wrote: > That's pretty easy to answer. > > Felix by default exports all standard Java SE packages. JavaFX is not part > of Java SE, it is an extension that is only available on a subset of Java > implementations. > > Neil > > On 12 Dec 2017 2:56 pm, "Chuck Davis" <cjgun...@gmail.com> wrote: > >> Hi Kerry: >> >> Thanks for the note. Old indeed. I don't remember anything I learned >> from that project (though I did keep the modules). I did get it to work by >> including the module somebody mentioned. It seems so easy, looking at that >> module, I can't understand why Felix doesn't do the export for JavaFX so >> that it's not even an issue -- at least an option that can be turned on or >> off, installed or uninstalled or some such and stop the necessity of all >> the work-arounds on which developers are having to waste their time. >> >> If I revisit OSGi I'll take a look at your project if Felix hasn't fixed >> the issue yet at the time. >> >> Thanks. >> >> CD >> >> On 12/12/2017 05:19 AM, Kerry wrote: >> >>> Hi Chuck, >>> >>> I realise that this is a response to an old message of yours but I have a >>> GitHub project that may be of interest to you that brings OSGi to JavaFx. >>> >>> https://github.com/jtkb/osgifx >>> >>> It aims to be simpler than Drombler and is agnostic to the OSGi >>> implementation. It is still a work in progress but check the examples and >>> integration-test modules to see how to use it. I have currently tested it >>> with Apache karaf which obviously used Apache Felix but plan to add tests >>> for other implementations too. >>> >>> If you try it out any comments you have or improvements are welcome. Any >>> issues also just ask. I'm in the process of improving the documentation at >>> the moment. >>> >>> Kerry >>> >>> Sent from BlueMail >>> >> >> >> - >> To unsubscribe, e-mail: users-unsubscr...@felix.apache.org >> For additional commands, e-mail: users-h...@felix.apache.org >> >> -- Karl Pauls karlpa...@gmail.com - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org
Re: boot/classloader delegation not working?
Hi Max, I think you are using the wrong FRAMEWORK_BUNDLE_PARENT. In your example, you use: FRAMEWORK_BUNDLE_PARENT_APP - which happens to be the system classloader. I would guess you want FRAMEWORK_BUNDLE_PARENT_FRAMEWORK - which would be the classloader that loaded the framework. Does this help? regards, Karl On Thu, Oct 12, 2017 at 2:36 PM, Maximilian Schmidt <maximilian.schm...@secunet.com> wrote: > Hi *, > > I'm currently working on getting Felix (5.6.8) embedded in an existing > non-OSGI application. I'd like to force bundles to use several classes > and packages already known to the application classloader. This is > mainly due to memory- and classloading-footprint, but also greatly eases > maintainance of bundles and their dependencies (well, for our limited > purpose at least). > > As far as I understood, there are two ways to archive this: either by > using classloader-delegation or by providing > org.osgi.framework.system.packages.extra. > > For now, we decided to use boot-delegation as it allows for use of > wildcards, instead of specifying each an every (sub-)package. However, > although the setup is straight-forward it simply does not work. > > For example, to provide global logging frameworks to all bundles: > Map<Object, Object> configMap = new HashMap<Object, Object>(); > // use the current classloader to provide logging > configMap.put(Constants.FRAMEWORK_BOOTDELEGATION, > "org.slf4j.*,ch.qos.logback.*"); > configMap.put(Constants.FRAMEWORK_BUNDLE_PARENT, > Constants.FRAMEWORK_BUNDLE_PARENT_APP); > // more initialization > ... > Felix felix = new Felix(configMap); > // there we go > felix.start() > > Now, a bundle that gets installed and started just fine will throw CNF > Exceptions as soon as a service class using org.slf4j... is > instantiated, although those are provided by the application classloader. > > The stacktrace contains: > Caused by: java.lang.ClassNotFoundException: *** Package 'org.slf4j' is > not imported by bundle support-33x [1], nor is there any bundle that > exports package 'org.slf4j'. However, the class > 'org.slf4j.LoggerFactory' is available from the system class loader. > There are two fixes: 1) Add package 'org.slf4j' to the > 'org.osgi.framework.system.packages.extra' property and modify bundle > support-33x [1] to import this package; this causes the system bundle to > export class path packages. 2) Add package 'org.slf4j' to the > 'org.osgi.framework.bootdelegation' property; a library or VM bug can > cause classes to be loaded by the wrong class loader. The first approach > is preferable for preserving modularity. *** > at > org.apache.felix.framework.BundleWiringImpl$BundleClassLoader.loadClass(BundleWiringImpl.java:2031) > at java.lang.ClassLoader.loadClass(ClassLoader.java:357) > ... 294 more > Caused by: java.lang.ClassNotFoundException: org.slf4j.LoggerFactory not > found by support-33x [1] > at > org.apache.felix.framework.BundleWiringImpl.findClassOrResourceByDelegation(BundleWiringImpl.java:1610) > at > org.apache.felix.framework.BundleWiringImpl.access$200(BundleWiringImpl.java:80) > at > org.apache.felix.framework.BundleWiringImpl$BundleClassLoader.loadClass(BundleWiringImpl.java:2018) > > Any idea, what went wrong or where to go from here? > > Thanks in advance! > Kind regards, > Max > > - > To unsubscribe, e-mail: users-unsubscr...@felix.apache.org > For additional commands, e-mail: users-h...@felix.apache.org > -- Karl Pauls karlpa...@gmail.com - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org
Re: Felix: bundle double update with osgi refresh
On Saturday, May 13, 2017, Alex Sviridov <ooo_satu...@mail.ru.invalid> wrote: > > Hi Karl > > Thank you for your answer. I've tested your solution. I did the following > steps: > -stopped bundleA > -updated bundleA > -started bundleA > However, BundleB is still using old classes from bundleA after all steps. > > How can I make BundleB use new classes (automatically) and not to restart > bundleA twice? As Rick mentioned, you have to explicitly refresh inbetween- sorry for not being clear about that. The sequence must be: stop, update, refresh, start. You can read more about the why here: http://felix.apache.org/documentation/tutorials-examples-and-presentations/apache-felix-osgi-faq.html#when-i-update-my-bundle-why-are-my-bundles-old-classes-still-being-used regards, Karl > >Пятница, 12 мая 2017, 14:38 +03:00 от Karl Pauls <karlpa...@gmail.com > <javascript:;>>: > > > >> For example I have a running osgi framework with two bundles: bundleA > and bundleB > >> which jars are in JARS folder. BundleB depends on BundleA. Now I > replace bundleA jar > >> in JARS folder. > >> > >> Is there any way to refresh framework (there is new version of bundleA > in JARS folder) > >> and not to start/stop bundleA twice? > > > >Yes, you basically don't just update() but call stop() then update() > >and finally start() on bundleA again. > > > >regards, > > > >Karl > > > >> Best regards, Alex > >> > >> > >>>Среда, 10 мая 2017, 16:55 +03:00 от "Richard S. Hall" < > he...@ungoverned.org <javascript:;> >: > >>> > >>>On 5/10/17 08:16 , Alex Sviridov wrote: > >>>> Hi all > >>>> > >>>> I use Apache Felix 5.4.0 and I have two bundles: bundleA and bundleB. > BundleB depends on bundleA. > >>>> > >>>> I update bundleA and after that run the following code to do osgi > refresh: > >>>> > >>>> Bundle systemBundle = bcx . getBundle ( 0 ); > >>>> FrameworkWiring frameworkWiring = systemBundle . adapt ( > FrameworkWiring . class ); > >>>> frameworkWiring . refreshBundles ( null ); > >>>> (from here http://stackoverflow.com/a/23361835/5057736 ) > >>>> > >>>> This code does the following: it stops and starts bundleA and stops > and starts bundleB. > >>>> > >>>> But why bundleA? I am asking because in result bundleA is two times > updated. Is this a bug or what? > >>> > >>>The first stop/start is when you do the update, the second is when you > >>>do the refresh. The former is historical, since that is the way update() > >>>was defined in the first version of the spec (I believe). Later versions > >>>of the spec where refreshing was introduced didn't change this behavior > >>>for backward compatibility reasons. > >>> > >>>If refresh were there from the beginning, then it would have likely been > >>>better to have update() simply prepare the updated version and refresh > >>>enact it. > >>> > >>>-> richard > >>> > >>>> > >>>> Best regards, Alex > >>> > >>> > >>>- > >>>To unsubscribe, e-mail: users-unsubscr...@felix.apache.org > <javascript:;> > >>>For additional commands, e-mail: users-h...@felix.apache.org > <javascript:;> > >>> > >> > >> > >> -- > >> Alex Sviridov > > > > > > > >-- > >Karl Pauls > >karlpa...@gmail.com <javascript:;> > > > -- > Alex Sviridov > -- Karl Pauls karlpa...@gmail.com
Re: Re[2]: Felix: bundle double update with osgi refresh
> For example I have a running osgi framework with two bundles: bundleA and > bundleB > which jars are in JARS folder. BundleB depends on BundleA. Now I replace > bundleA jar > in JARS folder. > > Is there any way to refresh framework (there is new version of bundleA in > JARS folder) > and not to start/stop bundleA twice? Yes, you basically don't just update() but call stop() then update() and finally start() on bundleA again. regards, Karl > Best regards, Alex > > >>Среда, 10 мая 2017, 16:55 +03:00 от "Richard S. Hall" <he...@ungoverned.org>: >> >>On 5/10/17 08:16 , Alex Sviridov wrote: >>> Hi all >>> >>> I use Apache Felix 5.4.0 and I have two bundles: bundleA and bundleB. >>> BundleB depends on bundleA. >>> >>> I update bundleA and after that run the following code to do osgi refresh: >>> >>> Bundle systemBundle = bcx . getBundle ( 0 ); >>> FrameworkWiring frameworkWiring = systemBundle . adapt ( FrameworkWiring . >>> class ); >>> frameworkWiring . refreshBundles ( null ); >>> (from here http://stackoverflow.com/a/23361835/5057736 ) >>> >>> This code does the following: it stops and starts bundleA and stops and >>> starts bundleB. >>> >>> But why bundleA? I am asking because in result bundleA is two times >>> updated. Is this a bug or what? >> >>The first stop/start is when you do the update, the second is when you >>do the refresh. The former is historical, since that is the way update() >>was defined in the first version of the spec (I believe). Later versions >>of the spec where refreshing was introduced didn't change this behavior >>for backward compatibility reasons. >> >>If refresh were there from the beginning, then it would have likely been >>better to have update() simply prepare the updated version and refresh >>enact it. >> >>-> richard >> >>> >>> Best regards, Alex >> >> >>- >>To unsubscribe, e-mail: users-unsubscr...@felix.apache.org >>For additional commands, e-mail: users-h...@felix.apache.org >> > > > -- > Alex Sviridov -- Karl Pauls karlpa...@gmail.com - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org
Re: Avoiding copying jars in the bundle cache?
Felix does support this. Just install the bundles with a reference: protocol. E.g.: reference:file:foo/bar.jar regards, Karl On Saturday, April 29, 2017, <list+org.apache.fe...@io7m.com> wrote: > Hello. > > I have a somewhat unusual application where I have rather large and > frequently updated bundles (the bundles themselves are simple, but > contain fairly large data resources). Because of this, I'd like to > avoid copying the jar files into the bundle cache when bundles are > installed as that effectively ends up using double the disk space (the > bundles to be deployed are kept in a read-only directory and I don't > have any guarantee that old bundles will be deleted in a timely manner). > From what I can tell, Felix can't do this right now, but is there any > pleasant way that I could implement this? > > M > -- Karl Pauls karlpa...@gmail.com
Re: Not able to open through console
I just tried and it looks like the new gogo-jline shell isn't working on windows. The error is a cnf org.fusesource.jansi.WindowsAnsiOutputStream I created FELIX-5569 for this. regards, Karl On Sun, Feb 26, 2017 at 6:57 PM, Neil Bartlett <njbartl...@gmail.com> wrote: > What error? > > >> On 26 Feb 2017, at 10:00, Jay Trivedi <welcome...@gmail.com> wrote: >> >> Hi all, >> >> I downloaded latest felix-framework--5.6.2, in windows 7 and while hitting >> command to start felix i was not able to start it-it failed with following >> error. >> >> Can you let me know how to resolve it or how to look into source code. >> >> >> >> Regards, >> Jay Trivedi >> >> - >> To unsubscribe, e-mail: users-unsubscr...@felix.apache.org >> For additional commands, e-mail: users-h...@felix.apache.org > > > - > To unsubscribe, e-mail: users-unsubscr...@felix.apache.org > For additional commands, e-mail: users-h...@felix.apache.org > -- Karl Pauls karlpa...@gmail.com - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org
Re: how to enable felix verify the contents of a signed bundle
If I understand you correctly you want to: a) prevent any bundle to open any socket b) prevent bundles not signed by your certificate from being installed In regard to a, can't you just put a DENY java.net.SocketPermission at the beginning of your policy? In regard to b, I guess the best I can think of in a hurry is to first grant AdminPermission["signer=CN=XZX,O=XYX,C=XX",LIFECYCLE] and then DENY AdminPermission["*",LIFECYCLE] Keep in mind that the permission order is important hence, if you e.g. for b first allow AdminPermission LIFECYCLE for bundles signed by your CA and then DENY AdminPermission it basically will only allow to install bundles signed by your CA. Does this help? regards, Karl On Thu, Sep 15, 2016 at 11:38 AM, sid19039 <sid19...@gmail.com> wrote: > > Hello @Karl and @Robert, again thank you so much for your help. > And I am sorry for this late reply for I got occupied in other priority > activities. > Yeah , I tried Robert's point and it worked well. > We created our security bundle which reads the following policy file to > bring it into picture via ConditionalPermissionAdmin. > policy file: > ALLOW { >[ org.osgi.service.condpermadmin.BundleSignerCondition "CN=XZX, O=XYX, > C=XX" ] >( java.security.AllPermission "*" "*") > } "Bundles Signed by XZX certificate get AllPermission" > ALLOW { > [org.osgi.service.condpermadmin.BundleLocationCondition > "file:/D:/dir_A/dir_B/felix-framework 5.4.0/bundle/*"] > (java.security.AllPermission "*" "*") > } "Existing bundles of felix" > DENY { >(java.security.AllPermission "*" "*") > } "And give denied permissions to all bundles" > > In above set of permissions, first ALLOW set of permissions gives all > permission to all bundles which are signed by our certificate. Second set of > permissions assign all permissions to all those bundles which are already > present in felix framework default bundle directory. And Third set denies > all permissions to all those bundles which are not signed by our certificate > or which are unsigned and which are not present in default bundle directory > of felix framework. > > Now, signed bundles are successfully installed, become active and run fine > with all permission granted. > But we want to restrict all running bundles to not able to access any > ethernet port on device inside which our felix framework is running. How can > we deny this particular permission to a bundle? > > Moreover, a bundle which is not signed or signed with any other certificate, > also gets installed in the framework without giving any security exception, > though an *unresolved exception as shown below*, appears on the console when > we try to start this unsigned bundle: > > *org.osgi.framework.BundleException: Unable to resolve TCPModBus [14](R > 14.0): missing requirement [TCPModBus [14](R 14.0)] osgi.wiring.package; > (&(osg > i.wiring.package=org.osgi.framework)(version>=1.3.0)) Unresolved > requirements: [[TCPModBus [14](R 14.0)] osgi.wiring.package; > (&(osgi.wiring.package=o > rg.osgi.framework)(version>=1.3.0))]* > > Is there any way to prevent these unsigned bundles or bundles signed with > other certificates from even being installed into the framework? > > > Regards > Siddharth > > > > > > > > -- > View this message in context: http://apache-felix.18485.x6.nabble.com/how-to-enable-felix-verify-the-contents-of-a-signed-bundle-tp5018089p5018412.html > Sent from the Apache Felix - Users mailing list archive at Nabble.com. > > - > To unsubscribe, e-mail: users-unsubscr...@felix.apache.org > For additional commands, e-mail: users-h...@felix.apache.org > -- Karl Pauls karlpa...@gmail.com
Re: Felix container and Java SecurityManager -- does the container always implement security
I guess I'm not 100% sure I understand what you are asking exactly. Let me first try to explain what the different options are and then try to answer what I think you are asking. If there is a security manager installed the framework will do permission checks where the spec mandates it. However, assuming you didn't install the framework.security provider, all bundles will have AllPermission by default -- except, if you have set felix.security.defaultpolicy=true. In that case, your security policy will be consulted for bundles as well. Hence, if you want behavior just as some ordinary library in an application with a security manager you probably want to _not_ install the framework.security provider and set felix.security.defaultpolicy=true (either as a -D property or as one passed to the felix constructor). That in turn will make it so that you _do_ get permission checks triggered from Felix as well as potentially from bundles which you can grant (or deny by omission, respectively) via your security policy. Otherwise, if you just don't want failing permission checks then, don't install the framework.security provider and _don't_ set felix.security.defaultpolicy. That will make it so that you _do_ get permission checks triggered from Felix as well as potentially from bundles but at least bundles will have AllPermission by default (hence, all you need to do in your policy is to give felix.jar and your external code that calls into Felix permissions). If, on the other hand, you don't want _any_ permission checks triggered by felix despite a security manage being around the answer is: no - thats not possible. regards, Karl On Wed, Sep 21, 2016 at 10:48 PM, Benson Margulies <ben...@basistech.com> wrote: > I'd like to run a Felix container as if it was just some ordinary > piece of an application inside of a security manager; I don't want any > security manager checks or behaviors from the container. Can I do > this, or does the container always interact with the SecurityManager > if there is one? > > - > To unsubscribe, e-mail: users-unsubscr...@felix.apache.org > For additional commands, e-mail: users-h...@felix.apache.org > > -- Karl Pauls karlpa...@gmail.com
Re: how to enable felix verify the contents of a signed bundle
Hi Siddharth, as Robert is correctly pointing out: the next step is to actually define your security policy. His example gives all permission to all bundles that are correctly signed by a given certificate. Granted, that might be a little broad but it would be a start. If you tell us more about what you are actually try to get working we probably could help you with a more specific policy (e.g., there is a way to only give install permission for bundles that are signed iirc). regards, Karl On Mon, Aug 22, 2016 at 6:53 PM, Robert Onslow <robert.ons...@gmail.com> wrote: > Sid > Did you try my recipe? > Robert > > On Mon, Aug 22, 2016 at 8:12 AM, sid19039 <sid19...@gmail.com> wrote: > > Hello > > @Robert and @Karl, Thank you so much for your answers. > > > > Via > > -Dfelix.keystore=file:certificates.ks -Dfelix.keystore.pass=foobar > > -Dfelix.keystore.type=jks > > I am able to verify the bundle against its signature now. First, i was > > mentioning the path to keystore file as > > -Dfelix.keystore=file:my.keystore, didn't know absolute path is > required to > > be given, but then i mentioned the absolute path to my.keystore file as > > -Dfelix.keystore=file:/D:A/B/my.keystore then i was able to verify the > > signed bundle successfully. > > But the problem is : an unsigned bundle is still being allowed to be > > installed into the framework. > > Also if i remove any of .SF and .DSA file or both files from jar file > then > > again no error occured while installing the jar file and it installed > > successfully. > > Is there any another configuration left to be set which prevents unsigned > > bundle from being installed and show error on console? > > please share view points. > > > > Thanks > > siddharth > > > > > > > > > > -- > > View this message in context: http://apache-felix.18485.x6.n > abble.com/how-to-enable-felix-verify-the-contents-of-a- > signed-bundle-tp5018089p5018178.html > > Sent from the Apache Felix - Users mailing list archive at Nabble.com. > > > > - > > To unsubscribe, e-mail: users-unsubscr...@felix.apache.org > > For additional commands, e-mail: users-h...@felix.apache.org > > > > - > To unsubscribe, e-mail: users-unsubscr...@felix.apache.org > For additional commands, e-mail: users-h...@felix.apache.org > > -- Karl Pauls karlpa...@gmail.com
Re: how to enable felix verify the contents of a signed bundle
Hi Siddharth, I'm not sure what is going on exactly but I'm guessing you signed the bundle with a certificate that felix doesn't know about (i.e., its not trusted). Could you try to import your root certificate into a keystore as a trusted certificate and point felix to that keystore like this: -Dfelix.keystore=file:certificates.ks -Dfelix.keystore.pass=foobar -Dfelix.keystore.type=jks and see if that makes a difference? If it doesn't help, could you maybe share a failing set-up with me? regards, Karl On Tue, Aug 16, 2016 at 1:31 PM, sid19039 <sid19...@gmail.com> wrote: > > Hello , > > Could someone please tell how can i use this felix framework security > bundle(mentioned in above posts) for signature verification? > Do i need to declare any package provided by this security bundle into > import-package manifest header of my bundle to enable it? > From now onward, i am not able to find any direction where to proceed. > Please someone tell how i can proceed further. > > Thanks > Siddharth > > > > -- > View this message in context: http://apache-felix.18485.x6.nabble.com/how-to-enable-felix-verify-the-contents-of-a-signed-bundle-tp5018089p5018116.html > Sent from the Apache Felix - Users mailing list archive at Nabble.com. > > - > To unsubscribe, e-mail: users-unsubscr...@felix.apache.org > For additional commands, e-mail: users-h...@felix.apache.org > -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: how to enable felix verify the contents of a signed bundle
Hi sid, see inline: > after installing , i tried to start it as shown above but its state was > still shown as Resolved, > *5|Resolved |1|Apache Felix Security Provider (2.4.0)|2.4.0* > this is ok - the security provider is an extension bundle. > then i tried to install a sample corrupt jar file which was signed earliar > using jarsigner tool provided by jdk 6 present on my windows machine. *I > was > expecting that this bundle won't install and some security exception would > appear on the shell. > But it was installed and a bundleid was allocated successfully as shown > below:* > g! > g! install my_tempered3.jar > Bundle ID: 6 > g! > > please tell , did i get wrong somewhere or missed some step ? > How do you know it is corrupt? regards, Karl > Or what are the steps to enable signature verification in felix framework? > > i am a newbie here, please someone do share your view points. > > Thanks > sid > > > > > > > > > > > -- > View this message in context: http://apache-felix.18485.x6. > nabble.com/how-to-enable-felix-verify-the-contents-of- > a-signed-bundle-tp5018089.html > Sent from the Apache Felix - Users mailing list archive at Nabble.com. > > - > To unsubscribe, e-mail: users-unsubscr...@felix.apache.org > For additional commands, e-mail: users-h...@felix.apache.org > > -- Karl Pauls karlpa...@gmail.com
Re: felix bundle security
Yes, that should be possible. If you create a custom condition it will get passed in the Bundle object in question for evaluation. That is when you could inspect the bundle. Next, all you need to do is to basically start with a security policy that only grant permissions to bundles that pass your custom condition. You can have a look at this example for a custom condition and how to use it: https://github.com/mcculls/osgi-in-action/tree/master/chapter14/combined-example regards, Karl On Wed, May 18, 2016 at 4:37 PM, Stephen Higgs <shi...@redhat.com> wrote: > So I could write my own logic that checks the bundle via a "custom > condition"? That would be perfect - is there a resource that you would > recommend that shows how to implement a custom condition? > > Thanks! > > --Stephen > > - Original Message - > From: "Karl Pauls" <karlpa...@gmail.com> > To: users@felix.apache.org > Sent: Wednesday, May 18, 2016 9:34:28 AM > Subject: Re: felix bundle security > > Hm, I guess you could do that, yes. However, are you sure you want to > implement your own provider? If you are running with security enabled, why > not just use the existing provider and write your own custom condition that > checks the bundle? > > regards, > > Karl > > On Wed, May 18, 2016 at 2:54 PM, Stephen Higgs <shi...@redhat.com> wrote: > > > [Note - Originally Sent to Karaf users list, but may be more appropriate > > for the felix users list] > > > > Hi all, > > > > If I wanted to implement custom logic to examine bundles that are > > installed for security purposes, would the following be appropriate? > > > > 1) set org.osgi.framework.security=osgi > > 2) create an implementation of > > org.apache.felix.framework.ext.SecurityProvider > > 3) add the new security provider to startup.properties > > > > Would this achieve the desired ability to checkBundle() for all bundles > > during startup and thereafter? > > > > Thank you, > > > > Stephen Higgs > > > > - > > To unsubscribe, e-mail: users-unsubscr...@felix.apache.org > > For additional commands, e-mail: users-h...@felix.apache.org > > > > > > > -- > Karl Pauls > karlpa...@gmail.com > http://twitter.com/karlpauls > http://www.linkedin.com/in/karlpauls > https://profiles.google.com/karlpauls > > - > To unsubscribe, e-mail: users-unsubscr...@felix.apache.org > For additional commands, e-mail: users-h...@felix.apache.org > > -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: felix bundle security
Hm, I guess you could do that, yes. However, are you sure you want to implement your own provider? If you are running with security enabled, why not just use the existing provider and write your own custom condition that checks the bundle? regards, Karl On Wed, May 18, 2016 at 2:54 PM, Stephen Higgs <shi...@redhat.com> wrote: > [Note - Originally Sent to Karaf users list, but may be more appropriate > for the felix users list] > > Hi all, > > If I wanted to implement custom logic to examine bundles that are > installed for security purposes, would the following be appropriate? > > 1) set org.osgi.framework.security=osgi > 2) create an implementation of > org.apache.felix.framework.ext.SecurityProvider > 3) add the new security provider to startup.properties > > Would this achieve the desired ability to checkBundle() for all bundles > during startup and thereafter? > > Thank you, > > Stephen Higgs > > - > To unsubscribe, e-mail: users-unsubscr...@felix.apache.org > For additional commands, e-mail: users-h...@felix.apache.org > > -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: Space issues with Felix
Hi Rasmus, as long as you don't specify the "uninstall" action to felix.auto.deploy you should be able to delete the bundles from the bundle folder after they have been installed into the felix cache. The felix cache shouldn't be invalidated (unless you specific to clean it on framework start or delete it yourself). However, this is obviously a little tricky as you can't update the bundles easily anymore after you remove them from the bundle folder. Alternatively, you can use the "reference:" protocol to install your bundles. If you install a bundle with a url of "reference:file:..." it will not copy the bundle jar into the cache but keep referencing it from its original location (this is not spec but iirc, supported by Felix, Equinox, and KF). Unfortunately, there is no way to have felix do that automagically together with the felix.auto.deploy - hence, you'd either have to list the urls yourself in the config or you'd have to write your own / patch our AutoProcessor ( https://svn.apache.org/repos/asf/felix/trunk/main/src/main/java/org/apache/felix/main/AutoProcessor.java). I guess you could easily add a property to tell felix to install all bundles using the reference: protocol (patches are welcome :-). regards, Karl On Mon, Apr 25, 2016 at 10:48 AM, Rasmus Nørby Jakobsen < r...@universal-robots.com> wrote: > Hi Felix Users > > We have a setup using felix.auto.deploy.dir with the Install and Start > actions enabled. We use the default setup of keeping original bundles in > the bundle folder and the installed version in felix-cache. We are > approaching disk space issues due to having every jar twice and would like > some feedback on what is the best practice here. Is it possible to remove > the original jars after running the application once? Or will the > felix-cache ever be invalidated for some reason (causing the need to have > the originals)? > > If you need further details on the setup/configuration please let me know. > > Best regards > Rasmus Jakobsen > > Med venlig hilsen / Best regards > > *Rasmus Nørby Jakobsen* > *Software Engineer, MSc* > > *R Department * > *Universal Robots A/S* > Energivej 25 > 5260 Odense S > Denmark > > Phone: +45 89 93 89 89 > Cell: +45 28 49 24 95 > > r...@universal-robots.com > www.universal-robots.com > <http://www.linkedin.com/company/universal-robots-a-s> > <https://www.facebook.com/UniversalRobots> > <https://twitter.com/Universal_Robot> > <https://plus.google.com/100123388801849599660/posts> > <http://www.youtube.com/user/UniversalRobotsVideo/videos> > > Please note that this message may contain confidential information. If you > have received this message by mistake, please inform the sender of the > mistake, then delete the message from your system without making, > distributing or retaining any copies of it. Although we believe that the > message and any attachments are free from viruses and other errors that > might affect the computer or IT system where it is received and read, the > recipient opens the message at his or her own risk. We assume no > responsibility for any loss or damage arising from the receipt or use of > this message. > > -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: Using Felix Framework Security
Hi, Any of the tutorial/slideshare/examples etc. I could find are very old. > there are some examples that should still work here: https://github.com/mcculls/osgi-in-action/tree/master/chapter14/combined-example > Is OSGi security being used currently or is there a new preferred approach? > It is used but not too much. > When attempting to use the felix framework security bundle it is unclear > what happens with the jvm security manager. > It is not unclear if you look at the Spec :-) > From > http://felix.apache.org/documentation/subprojects/apache-felix-framework-security.html > it seems that a securitymanager is not necessary. > It is, however, -Dorg.osgi.framework.security="osgi" will set a default security manager automagically (as per the spec). > If the felix bundle is used without setting a security manager > System.getSecurityManager() returns null. Well, yes - if there is no SecurityManager there is no SecurityManager. Again, if the framework is started with -Dorg.osgi.framework.security="osgi" it will set a default one. As a special Felix feature, you can specify your own SecurityManager by either setting it the normal Java way (in which case you have to _not_ specific -Dorg.osgi.framework.security="osgi") or iirc, set -Dorg.osgi.framework.security="<security-manager-classname-in-the-framework-classpath". > Is it intended that the felix bundle needs a security manager set? > The felix.framework.security bundle doesn't need a security manager as such (iirc). However, the framework itself will not instigate permission checks unless there is a SecurityManager set (hence, having the security bundle around is rather pointless in that case). > Any assistance in this area, which seems to be bypassed by many OSGi > developers, would be most appreciated. > Yeah, it is not used that much - I guess part of the problem is a bit of a catch-22 but although, it probably only makes sense if you really need it (as security in Java in general is a bit of a PITA). Probably your best bet on material is the spec itself and the examples/book above. Feel free to ask questions on this list as well - I'll try to answer them... regards, Karl > Regards > Paul Fraser > > > > - > To unsubscribe, e-mail: users-unsubscr...@felix.apache.org > For additional commands, e-mail: users-h...@felix.apache.org > > -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: Is instance based security possible?
Out of the box, no - I don't think this is possible. You might be able to make something work but it would depend a lot on your specific set-up and you'd need to be able to make the instances cooperate somehow (i.e., a generic solution probably is not possible - the only thing you might get to work generically is to make it based on Threads an follow a JAAS like approach but it doesn't sound like this is what you are looking for). regards, Karl On Fri, Feb 5, 2016 at 11:51 AM, Simon <simon-pob...@outlook.com> wrote: > From my understanding OSGi security > > i.e. tow instance of the same class MyClass which is part of bundle > MyBundle > share the same security conditions defined for bundle MyBundle. So if I > have > the following: > > [code] > MyClass a = new MyClass("dirA"); > MyClass b = new MyClass("dirB"); > [/code] > > These two classes will share the same security permission when for example > using this: > > [code] > ALLOW { > [org.osgi.service.condpermadmin.BundleLocationCondition "MyBundle.jar"] > ( java.io.FilePermission "dirA" "read,write" ) > ( java.io.FilePermission "dirB" "read,write" ) > } "MyCheck" > [/code] > > However what if I want to make sure that MyClass instance "A" never access > "dirB" and instance "B" never access "dirA". > > Is there a way how this is possible without actually packaging MyClass in > two different bundles? (obviously using different symbolic names, etc for > each bundle)? > > > > -- > View this message in context: > http://apache-felix.18485.x6.nabble.com/Is-instance-based-security-possible-tp5016405.html > Sent from the Apache Felix - Users mailing list archive at Nabble.com. > > - > To unsubscribe, e-mail: users-unsubscr...@felix.apache.org > For additional commands, e-mail: users-h...@felix.apache.org > > -- Karl Pauls karlpa...@gmail.com
Re: Security Conditions not working on Java 1.8
Yeah, the point is that starting somewhere in java8 sandboxed apps can't get SocketPermission anymore. In your case that bits backwards as you are asking for a DENY. Unfortunately, that might imply that one can not grant SocketPermission anymore either (which would be pretty shitty). Not sure what can be done about it - if you have some time feel free to create a jira issue with your examples and assign it to me (it would be great if you could also test if you can still _grant_ SocketPermission in java8). regards, Karl On Mon, Jan 11, 2016 at 11:31 AM, Simon <simon-pob...@outlook.com> wrote: > Hi Karl, You are right. With another permission it works. > > I created another bundle "p1-evil-fs". The /Activator/ of this bundle lists > all files in current directory. I changed the rule in "security.policy" as > follows: > > / > DENY { > [com.p1.check.MyCheck] > ( java.io.FilePermission "-" "read" ) > } "MyCheck" > / > > (MyCheck changed to also work for the p1-evil-fs) > > For me this worked the same with both java7 and java8. I have attached all > code. > So I guess this is an issue with /SocketPermission/? > > felix-framework-5.zip > < > http://apache-felix.18485.x6.nabble.com/file/n5016171/felix-framework-5.zip > > > p1.zip <http://apache-felix.18485.x6.nabble.com/file/n5016171/p1.zip> > > > > -- > View this message in context: > http://apache-felix.18485.x6.nabble.com/Security-Conditions-not-working-on-Java-1-8-tp5016167p5016171.html > Sent from the Apache Felix - Users mailing list archive at Nabble.com. > > ----- > To unsubscribe, e-mail: users-unsubscr...@felix.apache.org > For additional commands, e-mail: users-h...@felix.apache.org > > -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: Security Conditions not working on Java 1.8
Could you try with a different Permission? My guess right now would be that you/we are running into a very special case but for that to be true, I would expect that your setup should work correctly with any other permission... regards, Karl On Fri, Jan 8, 2016 at 4:57 PM, Simon <simon-pob...@outlook.com> wrote: > Hello, I have done my tests on the Java runtimes; "1.7.0_71" and > "1.8.0_25", > and Felix "felix-framework-5.4.0". I have enabled security by adding > "org.apache.felix.framework.security-2.4.0" to the bundle directory. > > I have then created three projects; "p1-check", "p1-policy" and the > offending bundle "p1-evil" (I'll attach all code). My scenario is as > follows; /I do not want p1-evil to connect to the Internet/. However in > p1-evil Activator I placed some code that makes a request to google and > prints the response. > > The p1-check bundle has only one condition; MyCheck.java. The > /isSatisfied()/ method of MyCheck returns /true/ if the bundle symbolic > name > is "com.p1.evil", which is the symbolic name of the p1-evil bundle. > > This is meant to be used with the following security rule (can be found in > security.policy) > > / > DENY { > [com.p1.check.MyCheck] > ( java.net.SocketPermission "*" "connect" ) > } "MyCheck" > / > > (note: I also tried "connect,resolve", still does not work on java 1.8) > > When I execute felix.jar with *java 1.7* I can see the logs from p1-check > and as expected p1-evil does not connect and I get an exception > [java.security.AccessControlException: access denied > ("java.net.SocketPermission" "google.com:80" "connect,resolve")] > > When I execute felix.jar with *java 1.8* I can see the logs from p1-check > however p1-evil activator is still allowed to connect to google. > > I have tried this on two different machines and I got the same results. Am > I > doing something wrong? Or there is something I do not know? > > felix-framework-5.zip > < > http://apache-felix.18485.x6.nabble.com/file/n5016167/felix-framework-5.zip > > > p1.zip <http://apache-felix.18485.x6.nabble.com/file/n5016167/p1.zip> > > > > -- > View this message in context: > http://apache-felix.18485.x6.nabble.com/Security-Conditions-not-working-on-Java-1-8-tp5016167.html > Sent from the Apache Felix - Users mailing list archive at Nabble.com. > > - > To unsubscribe, e-mail: users-unsubscr...@felix.apache.org > For additional commands, e-mail: users-h...@felix.apache.org > > -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: problem about felix framework 4.2 +jamvm 1.5.4+classpath-0.98
Is there a specific reason you are not using the latest version of Felix? I know we had some problems on jamvm and getting security to work there might be tricky - anyways, it would be worthwhile to test with Felix 4.6.0 if possible. regards, Karl On Wed, Jan 21, 2015 at 9:29 AM, Jerry Wang wangjun...@dare-tech.com wrote: Hi all, I'm a newcomer in felix and java. The recent work is to make osgi work in embedded system. But when setting security mode, I meet problem. I use the command jamvm -Dorg.osgi.framework.security=osgi -Djava.security.policy=all.policy -jar bin/felix.jar:/usr/local/ classpath/lib/classpath:/usr/local/classpath/share/classpath:/lib -Xms4M -Xmx10M -Xss256K org.apache.felix.main.Main , the error log appears. Unable to list saved bundles. (java.lang.SecurityException: java.security.AccessControlException: permission (java.io.FilePermission ./felix-cache read) not granted: no protection domains) java.lang.SecurityException: java.security.AccessControlException: permission (java.io.FilePermission ./felix-cache read) not granted: no protection domains at org.apache.felix.framework.Felix$1.checkPermission(Felix.java:572) at java.lang.SecurityManager.checkRead(SecurityManager.java:569) at java.io.File.checkRead(File.java:1554) at java.io.File.exists(File.java:270) at org.apache.felix.framework.util.SecureAction$Actions.run( SecureAction.java:1206) at java.security.AccessController.doPrivileged( AccessController.java:195) at org.apache.felix.framework.util.SecureAction.fileExists( SecureAction.java:292) at org.apache.felix.framework.cache.BundleCache.getArchives( BundleCache.java:117) at org.apache.felix.framework.Felix.init(Felix.java:667) at org.apache.felix.main.Main.main(Main.java:288) The content in the policy file is grant { permission java.security.AllPermission; };; And I also option -Dpolicy.provider=gnu.java.security.PolicyFile in command, the problem still appeares. I think maybe it can not find the policy file,so use the absolute path -Djava.security.policy=file:///data/osgi/all.policy,but it is useless. Now I can do nothing. Pls give me some advice to make policy file work. -- Thanks Best Regards Jerry Wang Shanghai DareGlobal Technologies Co.,Ltd. Add:2F Block B,Info Tech Building, No.1555,Kongjiang Road,Shanghai,PRC P.C:200092 Tel:86-21-6563 5566 Ext:8603 Fax:86-21-6501 5599 E-mail:wangjun...@dare-tech.com - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: Felix security and Tomcat 7
with security into WebApp that is running under Tomcat? Thanks! -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: Comprehension question about ProtectionDomain of a Bundle
Hi Dirk, we are using bouncycastle as jce provider in our application setup based on AEM (Apache Sling) and I got an error during jar verification. (Something with MalformedURLException). Yeah, irrc they do assume that the code source of a protection domain is a valid url which isn't necessarily the case for OSGi bundles (I'd argue they shouldn't but oh well). For my use case I fixed the issue by implementing a URLStreamHandlerService providing a URLConnection to the bundle location but during my work on this I thought about the topic more in general. I guess that it is probably ok to handle the situation like this assuming you can provide the handler. As the comment in BundleProtectionDomain.java:38 says the CodeSource of a BundleProtectionDomain should be based on the revision of the bundle not the bundle itself. (for me the bundle location is jcrinstall:/a/path/to/the/bundle.jar) You should be able to ignore this comment. The BundleProtectionDomain does indeed provide the bundle revision. It just does get the revision in a stupid way - hence, the comment to remind me that I should figure out a better (i.e., less indirect) way to provide the revision to it. Is there any reason why the bundle location is used here and not the file:///file:///\\ URL of the revision located in the cache instead? Well, the idea is that you base your security policies on the code source url. That concept would be pretty much meaningless if the code source would be the cached jar. Regardless, the cache implementation (and its layout) is mostly undefined by the spec - the code source is the Bundle-Location URL (consider, for example, the JarURLConnection of the ire: it will cache the jar file on disc as a JarFile but the url will still be the one of the source for the code source). I mentioned that unfortunatly the JceSecurity implementation has a WeakHashMapClass,URL that holds the URL to the location of the CodeSource. So I assume that it might be possible that the worng CodeSource location can be returned there when the cache points to a old revision location after a bundle update without garbage collection of the old revision. Am I right? No. The Class object is unique based on its class loader so you will get the code source URL that was associated with the bundle revision that this class has been loaded from. As long as they key the map by an actual Class object and get the URL from the code source of the BundleProtectionDomain of that class object you should be good. regards, Karl Kind Regards, Dirk Rudolph T-Systems Multimedia Solutions GmbH Organisationseinheit CCS Dirk Rudolph Software-Entwicklung, OCJP Hausanschrift: Riesaer Straße 5, 01129 Dresden Postanschrift: Postfach 10 02 24, 01072 Dresden +49 351 2820-5363 (Tel) E-Mail: dirk.rudo...@t-systems.commailto:mdirk.rudo...@t-systems-mms.com Internet: http://www.t-systems-mms.comhttp://www.t-systems-mms.de/ T-Systems Multimedia Solutions GmbH Aufsichtsrat: Thilo Kusch (Vorsitzender) Geschäftsführung: Peter Klingenburg, Susanne Heger, Dr. Rolf Werner Handelsregister: Amtsgericht Dresden HRB 11433 Sitz der Gesellschaft: Dresden Ust-IdNr.: DE 811 807 949 -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: Comprehension question about ProtectionDomain of a Bundle
In the current Felix setup, though, this URL basically just is an immutable key referring to the abstract Bundle not to the concrete contents of the Bundle. If we expect the CodeSource URL to actually refer to the location from where classes are loaded, then the BundleProtectionDomain should probably take the Content from the BundleRevisionImpl to use as the basis for the CodeSource URL. In this case, though, it is not relevant any longer what the string for the bundle location actually is. The BundleProtectionDomain does the correct thing. The problem is purely that some library assumes it can get the code source of a protection domain and access it. That is wrong and a bad hack at best but nothing we can paper over. Setting the bundle location as the code source is the correct thing to do. If you want to work with that library (or others that do make the same bad assumption) you can use a URLHandlers to make it work with your own namespace and you are good. This would only be a problem if you would reuse bundle locations for bundles that are not identically which you shouldn't do in the first place. regards, Karl WDYT ? Regards Felix Am 29.09.2014 um 11:27 schrieb dirk.rudo...@t-systems.com dirk.rudo...@t-systems.com: Thanks so far for your explanations. So Am I right that each provider that installs bundles in Felix using a custom bundle location (as Sling OSGI installer does) has to provide a URL handler that is able to resolve to the proper jar file? Think about the following cases: - Install a bundle using OSGI installer, the Bundle-Location will be jcrinstall:/apps/path/install/bundle-1.0.0.jar for example - Update the bundle with the same symbolic name but another version using the webconsole, the Bundle-Location will be the same or - Install a bundle using OSGI installer, the Bundle-Location will be jcrinstall:/apps/path/install/bundle-1.0.0.jar for example - Update the bundle with the same symbolic name by removing /apps/path/install/bundle-1.0.0.jar and uploading the new version to /apps/path/install/bundle-1.1.0.jar, the Bundle-Location will also be the same Due to this the I think the location of the CodeSource should always point to the cache jar (the one the actual class is loaded from, think about embedded dependency). Otherwise it would be hard to implement a proper URLStreamHandlerService. For the JarURLConnection: Is the cached file transient? Cheers, Dirk -Ursprüngliche Nachricht- Von: Karl Pauls [mailto:karlpa...@gmail.com] Gesendet: Montag, 29. September 2014 10:23 An: users@felix.apache.org Betreff: Re: Comprehension question about ProtectionDomain of a Bundle Hi Dirk, we are using bouncycastle as jce provider in our application setup based on AEM (Apache Sling) and I got an error during jar verification. (Something with MalformedURLException). Yeah, irrc they do assume that the code source of a protection domain is a valid url which isn't necessarily the case for OSGi bundles (I'd argue they shouldn't but oh well). For my use case I fixed the issue by implementing a URLStreamHandlerService providing a URLConnection to the bundle location but during my work on this I thought about the topic more in general. I guess that it is probably ok to handle the situation like this assuming you can provide the handler. As the comment in BundleProtectionDomain.java:38 says the CodeSource of a BundleProtectionDomain should be based on the revision of the bundle not the bundle itself. (for me the bundle location is jcrinstall:/a/path/to/the/bundle.jar) You should be able to ignore this comment. The BundleProtectionDomain does indeed provide the bundle revision. It just does get the revision in a stupid way - hence, the comment to remind me that I should figure out a better (i.e., less indirect) way to provide the revision to it. Is there any reason why the bundle location is used here and not the file:///file:///\\ URL of the revision located in the cache instead? Well, the idea is that you base your security policies on the code source url. That concept would be pretty much meaningless if the code source would be the cached jar. Regardless, the cache implementation (and its layout) is mostly undefined by the spec - the code source is the Bundle-Location URL (consider, for example, the JarURLConnection of the ire: it will cache the jar file on disc as a JarFile but the url will still be the one of the source for the code source). I mentioned that unfortunatly the JceSecurity implementation has a WeakHashMapClass,URL that holds the URL to the location of the CodeSource. So I assume that it might be possible that the worng CodeSource location can be returned there when the cache points to a old revision location after a bundle update without garbage collection of the old revision. Am I right? No. The Class
Re: Comprehension question about ProtectionDomain of a Bundle
On Mon, Sep 29, 2014 at 12:56 PM, dirk.rudo...@t-systems.com wrote: What happens with Bundle-Location: inputstream:bundle-1.0.0.jar. Is a URLHandler available for this? No. So in this case JCE implemtation of OpenJDK will not be supported by Apache Felix (OSGI in general?) out of the box? If you choose to give a bundle location that doesn't work than yes, you have a problem there. I suppose we could re-work the FakeURLStreamhandler to actually serve up the content of the revision. So if the OpenJDK JCE implementation would at least do the right thing with the code source url it might work but I wouldn't be surprised if they don't (URLs and how to handle them are a mess in java). regards, Karl Regards, Dirk -Ursprüngliche Nachricht- Von: Karl Pauls [mailto:karlpa...@gmail.com] Gesendet: Montag, 29. September 2014 12:47 An: users@felix.apache.org Betreff: Re: Comprehension question about ProtectionDomain of a Bundle In the current Felix setup, though, this URL basically just is an immutable key referring to the abstract Bundle not to the concrete contents of the Bundle. If we expect the CodeSource URL to actually refer to the location from where classes are loaded, then the BundleProtectionDomain should probably take the Content from the BundleRevisionImpl to use as the basis for the CodeSource URL. In this case, though, it is not relevant any longer what the string for the bundle location actually is. The BundleProtectionDomain does the correct thing. The problem is purely that some library assumes it can get the code source of a protection domain and access it. That is wrong and a bad hack at best but nothing we can paper over. Setting the bundle location as the code source is the correct thing to do. If you want to work with that library (or others that do make the same bad assumption) you can use a URLHandlers to make it work with your own namespace and you are good. This would only be a problem if you would reuse bundle locations for bundles that are not identically which you shouldn't do in the first place. regards, Karl WDYT ? Regards Felix Am 29.09.2014 um 11:27 schrieb dirk.rudo...@t-systems.com dirk.rudo...@t-systems.com: Thanks so far for your explanations. So Am I right that each provider that installs bundles in Felix using a custom bundle location (as Sling OSGI installer does) has to provide a URL handler that is able to resolve to the proper jar file? Think about the following cases: - Install a bundle using OSGI installer, the Bundle-Location will be jcrinstall:/apps/path/install/bundle-1.0.0.jar for example - Update the bundle with the same symbolic name but another version using the webconsole, the Bundle-Location will be the same or - Install a bundle using OSGI installer, the Bundle-Location will be jcrinstall:/apps/path/install/bundle-1.0.0.jar for example - Update the bundle with the same symbolic name by removing /apps/path/install/bundle-1.0.0.jar and uploading the new version to /apps/path/install/bundle-1.1.0.jar, the Bundle-Location will also be the same Due to this the I think the location of the CodeSource should always point to the cache jar (the one the actual class is loaded from, think about embedded dependency). Otherwise it would be hard to implement a proper URLStreamHandlerService. For the JarURLConnection: Is the cached file transient? Cheers, Dirk -Ursprüngliche Nachricht- Von: Karl Pauls [mailto:karlpa...@gmail.com] Gesendet: Montag, 29. September 2014 10:23 An: users@felix.apache.org Betreff: Re: Comprehension question about ProtectionDomain of a Bundle Hi Dirk, we are using bouncycastle as jce provider in our application setup based on AEM (Apache Sling) and I got an error during jar verification. (Something with MalformedURLException). Yeah, irrc they do assume that the code source of a protection domain is a valid url which isn't necessarily the case for OSGi bundles (I'd argue they shouldn't but oh well). For my use case I fixed the issue by implementing a URLStreamHandlerService providing a URLConnection to the bundle location but during my work on this I thought about the topic more in general. I guess that it is probably ok to handle the situation like this assuming you can provide the handler. As the comment in BundleProtectionDomain.java:38 says the CodeSource of a BundleProtectionDomain should be based on the revision of the bundle not the bundle itself. (for me the bundle location is jcrinstall:/a/path/to/the/bundle.jar) You should be able to ignore this comment. The BundleProtectionDomain does indeed provide the bundle revision. It just does get the revision in a stupid way - hence, the comment to remind me that I should figure out a better (i.e., less
Re: Comprehension question about ProtectionDomain of a Bundle
On Mon, Sep 29, 2014 at 1:34 PM, Felix Meschberger fmesc...@adobe.com wrote: Hi Am 29.09.2014 um 13:13 schrieb Karl Pauls karlpa...@gmail.com: On Mon, Sep 29, 2014 at 12:56 PM, dirk.rudo...@t-systems.com wrote: What happens with Bundle-Location: inputstream:bundle-1.0.0.jar. Is a URLHandler available for this? No. So in this case JCE implemtation of OpenJDK will not be supported by Apache Felix (OSGI in general?) out of the box? If you choose to give a bundle location that doesn't work than yes, you have a problem there. I suppose we could re-work the FakeURLStreamhandler to actually serve up the content of the revision. So if the OpenJDK JCE implementation would at least do the right thing with the code source url it might work I have the impression, that this might work, indeed. The only way it might work (again, this is hacking a hack so ymmv) is to override the JarUrl subsystem (and it will probably involve creating copies of stuff all over the place to make it work with the reference: protocol - which i wouldn't do initially). I can do it (please open a jira issue and assign it to me if you want that) but keep in mind that it will be a very brittle solution to the problem as it depends on the using library to do the right thing in regards to URLs (which mostly will not happen) - but it should work for the OpenJdk impl. regards, Karl but I wouldn't be surprised if they don't (URLs and how to handle them are a mess in java). +100 Regards Felix regards, Karl Regards, Dirk -Ursprüngliche Nachricht- Von: Karl Pauls [mailto:karlpa...@gmail.com] Gesendet: Montag, 29. September 2014 12:47 An: users@felix.apache.org Betreff: Re: Comprehension question about ProtectionDomain of a Bundle In the current Felix setup, though, this URL basically just is an immutable key referring to the abstract Bundle not to the concrete contents of the Bundle. If we expect the CodeSource URL to actually refer to the location from where classes are loaded, then the BundleProtectionDomain should probably take the Content from the BundleRevisionImpl to use as the basis for the CodeSource URL. In this case, though, it is not relevant any longer what the string for the bundle location actually is. The BundleProtectionDomain does the correct thing. The problem is purely that some library assumes it can get the code source of a protection domain and access it. That is wrong and a bad hack at best but nothing we can paper over. Setting the bundle location as the code source is the correct thing to do. If you want to work with that library (or others that do make the same bad assumption) you can use a URLHandlers to make it work with your own namespace and you are good. This would only be a problem if you would reuse bundle locations for bundles that are not identically which you shouldn't do in the first place. regards, Karl WDYT ? Regards Felix Am 29.09.2014 um 11:27 schrieb dirk.rudo...@t-systems.com dirk.rudo...@t-systems.com: Thanks so far for your explanations. So Am I right that each provider that installs bundles in Felix using a custom bundle location (as Sling OSGI installer does) has to provide a URL handler that is able to resolve to the proper jar file? Think about the following cases: - Install a bundle using OSGI installer, the Bundle-Location will be jcrinstall:/apps/path/install/bundle-1.0.0.jar for example - Update the bundle with the same symbolic name but another version using the webconsole, the Bundle-Location will be the same or - Install a bundle using OSGI installer, the Bundle-Location will be jcrinstall:/apps/path/install/bundle-1.0.0.jar for example - Update the bundle with the same symbolic name by removing /apps/path/install/bundle-1.0.0.jar and uploading the new version to /apps/path/install/bundle-1.1.0.jar, the Bundle-Location will also be the same Due to this the I think the location of the CodeSource should always point to the cache jar (the one the actual class is loaded from, think about embedded dependency). Otherwise it would be hard to implement a proper URLStreamHandlerService. For the JarURLConnection: Is the cached file transient? Cheers, Dirk -Ursprüngliche Nachricht- Von: Karl Pauls [mailto:karlpa...@gmail.com] Gesendet: Montag, 29. September 2014 10:23 An: users@felix.apache.org Betreff: Re: Comprehension question about ProtectionDomain of a Bundle Hi Dirk, we are using bouncycastle as jce provider in our application setup based on AEM (Apache Sling) and I got an error during jar verification. (Something with MalformedURLException). Yeah, irrc they do assume that the code source of a protection domain is a valid url which isn't necessarily the case for OSGi bundles (I'd argue they shouldn't but oh well
Re: Comprehension question about ProtectionDomain of a Bundle
I assigned it to me. I'll try to get back to it soon. regards, Karl On Mon, Sep 29, 2014 at 2:23 PM, dirk.rudo...@t-systems.com wrote: I created an issues: FELIX-4658. I hope the description and title are ok :) Unfortunately I'm not allowed to assign it to you but I am very interested in your solution. Thanks so far, Dirk -Ursprüngliche Nachricht- Von: Karl Pauls [mailto:karlpa...@gmail.com] Gesendet: Montag, 29. September 2014 14:00 An: users@felix.apache.org Betreff: Re: Comprehension question about ProtectionDomain of a Bundle On Mon, Sep 29, 2014 at 1:34 PM, Felix Meschberger fmesc...@adobe.com wrote: Hi Am 29.09.2014 um 13:13 schrieb Karl Pauls karlpa...@gmail.com: On Mon, Sep 29, 2014 at 12:56 PM, dirk.rudo...@t-systems.com wrote: What happens with Bundle-Location: inputstream:bundle-1.0.0.jar. Is a URLHandler available for this? No. So in this case JCE implemtation of OpenJDK will not be supported by Apache Felix (OSGI in general?) out of the box? If you choose to give a bundle location that doesn't work than yes, you have a problem there. I suppose we could re-work the FakeURLStreamhandler to actually serve up the content of the revision. So if the OpenJDK JCE implementation would at least do the right thing with the code source url it might work I have the impression, that this might work, indeed. The only way it might work (again, this is hacking a hack so ymmv) is to override the JarUrl subsystem (and it will probably involve creating copies of stuff all over the place to make it work with the reference: protocol - which i wouldn't do initially). I can do it (please open a jira issue and assign it to me if you want that) but keep in mind that it will be a very brittle solution to the problem as it depends on the using library to do the right thing in regards to URLs (which mostly will not happen) - but it should work for the OpenJdk impl. regards, Karl but I wouldn't be surprised if they don't (URLs and how to handle them are a mess in java). +100 Regards Felix regards, Karl Regards, Dirk -Ursprüngliche Nachricht- Von: Karl Pauls [mailto:karlpa...@gmail.com] Gesendet: Montag, 29. September 2014 12:47 An: users@felix.apache.org Betreff: Re: Comprehension question about ProtectionDomain of a Bundle In the current Felix setup, though, this URL basically just is an immutable key referring to the abstract Bundle not to the concrete contents of the Bundle. If we expect the CodeSource URL to actually refer to the location from where classes are loaded, then the BundleProtectionDomain should probably take the Content from the BundleRevisionImpl to use as the basis for the CodeSource URL. In this case, though, it is not relevant any longer what the string for the bundle location actually is. The BundleProtectionDomain does the correct thing. The problem is purely that some library assumes it can get the code source of a protection domain and access it. That is wrong and a bad hack at best but nothing we can paper over. Setting the bundle location as the code source is the correct thing to do. If you want to work with that library (or others that do make the same bad assumption) you can use a URLHandlers to make it work with your own namespace and you are good. This would only be a problem if you would reuse bundle locations for bundles that are not identically which you shouldn't do in the first place. regards, Karl WDYT ? Regards Felix Am 29.09.2014 um 11:27 schrieb dirk.rudo...@t-systems.com dirk.rudo...@t-systems.com: Thanks so far for your explanations. So Am I right that each provider that installs bundles in Felix using a custom bundle location (as Sling OSGI installer does) has to provide a URL handler that is able to resolve to the proper jar file? Think about the following cases: - Install a bundle using OSGI installer, the Bundle-Location will be jcrinstall:/apps/path/install/bundle-1.0.0.jar for example - Update the bundle with the same symbolic name but another version using the webconsole, the Bundle-Location will be the same or - Install a bundle using OSGI installer, the Bundle-Location will be jcrinstall:/apps/path/install/bundle-1.0.0.jar for example - Update the bundle with the same symbolic name by removing /apps/path/install/bundle-1.0.0.jar and uploading the new version to /apps/path/install/bundle-1.1.0.jar, the Bundle-Location will also be the same Due to this the I think the location of the CodeSource should always point to the cache jar (the one the actual class is loaded from, think about embedded dependency). Otherwise it would be hard to implement a proper
Re: IPojo performance benchmark
I believe the code is here (haven't looked at it myself): https://github.com/sandermak/osgi-dm-shootout regards, Karl On Fri, Jun 20, 2014 at 7:43 PM, Clement Escoffier clement.escoff...@gmail.com wrote: Hi, First, I just discovered the slides. About the performance benches, I don’t know them, but for sure in the recent versions we didn’t really focus on performances (except if the overhead with really big). The service registration overhead is definitely weird, I will have a look on it. Anyway, so far I’ve applications running from 500 to 5000 services in different context (IoT, Web Applications…). In these case, iPOJO performs pretty well, and its cost is meaningless in comparison of the other costs (network, file system…). Regards, Clement On 20 juin 2014 at 17:41:52, sylvain.ha...@miranda.com ( sylvain.ha...@miranda.com) wrote: Hi Recently I read this article regarding various Dependency manager performance. http://www.slideshare.net/SanderMak/the-ultimate-dependency-manager-shootout-qcon-ny-2014 We are now asking ourself what is the real IPojo performance in the field ( actual real enterprise application with thousands of services). Thanks Sylvain Hamel | Software Designer/Concepteur de logiciels Grass Valley, A Belden Brand | Tel:(514) 333-1772 Ext: 3146 3499 Douglas-B.-Floreani, Montreal, Quebec Canada H4S 2C6 Please note our new company name! www.new.grassvalley.com DISCLAIMER: Privileged and/or Confidential information may be contained in this message. If you are not the addressee of this message, you may not copy, use or deliver this message to anyone. In such event, you should destroy the message and kindly notify the sender by reply e-mail. It is understood that opinions or conclusions that do not relate to the official business of the company are neither given nor endorsed by the company. Thank You. -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: Unknown Protocol Exception for Embedded Felix Container.
Can you give me a bit more details about your concrete scenario (i.e., what jvm are you using and what handlers are we talking about, from whom, and where from, etc.)? regards, Karl On Sun, Jun 15, 2014 at 9:42 PM, nigamrashi rashi.ni...@oracle.com wrote: Hi Karl, If we don't set it to false then the Felix URL handler is not able to delegate to our other protocols that we support and get the malformed URL exception. Is there a way I can add to just route the bundle protocol to Felix and rest to be handled by WLS handler? Regards, Rashi On 6/14/14 5:32 AM, Karl Pauls [via Apache Felix] wrote: Why are you setting the url handlers to false - it should delegate to the original handler by default no? regards, Karl On Sat, Jun 14, 2014 at 12:58 AM, nigamrashi [hidden email] /user/SendEmail.jtp?type=nodenode=5008574i=0 wrote: Hi, I am starting Felix in embedded mode from within WebLogic server. I have to set the felix.service.urlhandlers=false as we want WebLogic URL handlers to take care of specific protocols. I am getting unknown protocol: bundle exception. Is this a known issue and is there a way I can resolve this exception? I am getting following exception:tion: javax.faces.FacesException: java.net.MalformedURLException: unknown protocol: bundle at com.sun.faces.config.ConfigManager.getConfigDocuments(ConfigManager.java:661) at com.sun.faces.config.ConfigManager.initialize(ConfigManager.java:323) at com.sun.faces.config.ConfigureListener.contextInitialized(ConfigureListener.java:216) at weblogic.servlet.internal.EventsManager$FireContextListenerAction.run(EventsManager.java:678) at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321) at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120) at weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java Thanks, Rashi -- View this message in context: http://apache-felix.18485.x6.nabble.com/Unknown-Protocol-Exception-for-Embedded-Felix-Container-tp5008569.html Sent from the Apache Felix - Users mailing list archive at Nabble.com. - To unsubscribe, e-mail: [hidden email] /user/SendEmail.jtp?type=nodenode=5008574i=1 For additional commands, e-mail: [hidden email] /user/SendEmail.jtp?type=nodenode=5008574i=2 -- Karl Pauls [hidden email] /user/SendEmail.jtp?type=nodenode=5008574i=3 http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls If you reply to this email, your message will be added to the discussion below: http://apache-felix.18485.x6.nabble.com/Unknown-Protocol-Exception-for-Embedded-Felix-Container-tp5008569p5008574.html To unsubscribe from Unknown Protocol Exception for Embedded Felix Container., click here http://apache-felix.18485.x6.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_codenode=5008569code=cmFzaGkubmlnYW1Ab3JhY2xlLmNvbXw1MDA4NTY5fC0xODg1MzY3ODc4 . NAML http://apache-felix.18485.x6.nabble.com/template/NamlServlet.jtp?macro=macro_viewerid=instant_html%21nabble%3Aemail.namlbase=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespacebreadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml -- View this message in context: http://apache-felix.18485.x6.nabble.com/Unknown-Protocol-Exception-for-Embedded-Felix-Container-tp5008569p5008583.html Sent from the Apache Felix - Users mailing list archive at Nabble.com. -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: Unknown Protocol Exception for Embedded Felix Container.
Why are you setting the url handlers to false - it should delegate to the original handler by default no? regards, Karl On Sat, Jun 14, 2014 at 12:58 AM, nigamrashi rashi.ni...@oracle.com wrote: Hi, I am starting Felix in embedded mode from within WebLogic server. I have to set the felix.service.urlhandlers=false as we want WebLogic URL handlers to take care of specific protocols. I am getting unknown protocol: bundle exception. Is this a known issue and is there a way I can resolve this exception? I am getting following exception:tion: javax.faces.FacesException: java.net.MalformedURLException: unknown protocol: bundle at com.sun.faces.config.ConfigManager.getConfigDocuments(ConfigManager.java:661) at com.sun.faces.config.ConfigManager.initialize(ConfigManager.java:323) at com.sun.faces.config.ConfigureListener.contextInitialized(ConfigureListener.java:216) at weblogic.servlet.internal.EventsManager$FireContextListenerAction.run(EventsManager.java:678) at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321) at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120) at weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java Thanks, Rashi -- View this message in context: http://apache-felix.18485.x6.nabble.com/Unknown-Protocol-Exception-for-Embedded-Felix-Container-tp5008569.html Sent from the Apache Felix - Users mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: Deadlock in URLHandlers when Felix.init and Felix.stop are called concurrently
Are you using the latest felix version? regards, Karl On Mon, May 26, 2014 at 2:44 PM, Benjamin Rogge felix-o...@benjamin-rogge.de wrote: Hello, from time to time we are experiencing a deadlock in the URLHandlers Class in Apache Felix. We are using Felix as an embedded OSGi Container and instantiate the Felix Framework via ServiceLoader and Framework Factory ourselves. The situation is as follows: When Felix.stop and Felix.init are called by different threads, eventually URLHandlers. unregisterFrameworkListsForContextSearch and URLHandlers.registerFrameworkInstance are called by the threads. There are two locks: m_frameworks and the Class Object of URL (URL.class). registerFrameworkInstance tries to aquire m_frameworks first and via the constructor of URLHanders URL.class after that. unregisterFrameworkListsForContextSearch tries to aquire URL.class first and m_frameworks after that. This is a classic deadlock situation. The situation arises in unittests where we frequently start and stop the felix framework. My questions are: Is it valid to call Felix.init after Felix.stop without waiting if the framework actually stopped (since stop is asyncronous)? Or do we have to wait between Felix.init and Felix.stop? Or would you consider this a bug? Cheers and thanks for your support, Benjamin Rogge P.S.: Here is a listing of the stacktraces: Found one Java-level deadlock: = FelixShutdown: waiting to lock monitor 0x00ff7710 (object 0x0007ff33e7f0, a java.util.ArrayList), which is held by main main: waiting to lock monitor 0x022c4a08 (object 0x000783b06b18, a java.lang.Class), which is held by FelixShutdown Java stack information for the threads listed above: === FelixShutdown: at org.apache.felix.framework.URLHandlers. unregisterFrameworkListsForContextSearch(URLHandlers.java:315) - waiting to lock 0x0007ff33e7f0 (a java.util.ArrayList) - locked 0x0007ff33e840 (a java.util.HashMap) - locked 0x000783b06b18 (a java.lang.Class for java.net.URL) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke( NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke( DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.apache.felix.framework.util.SecureAction.invoke( SecureAction.java:840) at org.apache.felix.framework.URLHandlers. unregisterFrameworkInstance(URLHandlers.java:635) at org.apache.felix.framework.URLHandlersActivator.stop( URLHandlersActivator.java:76) at org.apache.felix.framework.util.SecureAction. stopActivator(SecureAction.java:667) at org.apache.felix.framework.Felix$SystemBundleActivator. stop(Felix.java:4715) at org.apache.felix.framework.util.SecureAction. stopActivator(SecureAction.java:667) at org.apache.felix.framework.Felix.stopBundle(Felix.java:2530) at org.apache.felix.framework.Felix$2.run(Felix.java:959) at java.lang.Thread.run(Thread.java:724) main: at org.apache.felix.framework.URLHandlers.init( URLHandlers.java:150) - waiting to lock 0x000783b06b18 (a java.lang.Class for java.net.URL) at org.apache.felix.framework.URLHandlers. registerFrameworkInstance(URLHandlers.java:600) - locked 0x0007ff33e7f0 (a java.util.ArrayList) at org.apache.felix.framework.URLHandlersActivator.start( URLHandlersActivator.java:71) at org.apache.felix.framework.util.SecureAction. startActivator(SecureAction.java:645) at org.apache.felix.framework.Felix$SystemBundleActivator. start(Felix.java:4634) at org.apache.felix.framework.util.SecureAction. startActivator(SecureAction.java:645) at org.apache.felix.framework.Felix.init(Felix.java:783) // ... Application specific trace - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: Deadlock in URLHandlers when Felix.init and Felix.stop are called concurrently
I take it back - it seems to be a bug. Can you create a jira issue for it? regards, Karl On Mon, May 26, 2014 at 2:57 PM, Karl Pauls karlpa...@gmail.com wrote: Are you using the latest felix version? regards, Karl On Mon, May 26, 2014 at 2:44 PM, Benjamin Rogge felix-o...@benjamin-rogge.de wrote: Hello, from time to time we are experiencing a deadlock in the URLHandlers Class in Apache Felix. We are using Felix as an embedded OSGi Container and instantiate the Felix Framework via ServiceLoader and Framework Factory ourselves. The situation is as follows: When Felix.stop and Felix.init are called by different threads, eventually URLHandlers. unregisterFrameworkListsForContextSearch and URLHandlers.registerFrameworkInstance are called by the threads. There are two locks: m_frameworks and the Class Object of URL (URL.class). registerFrameworkInstance tries to aquire m_frameworks first and via the constructor of URLHanders URL.class after that. unregisterFrameworkListsForContextSearch tries to aquire URL.class first and m_frameworks after that. This is a classic deadlock situation. The situation arises in unittests where we frequently start and stop the felix framework. My questions are: Is it valid to call Felix.init after Felix.stop without waiting if the framework actually stopped (since stop is asyncronous)? Or do we have to wait between Felix.init and Felix.stop? Or would you consider this a bug? Cheers and thanks for your support, Benjamin Rogge P.S.: Here is a listing of the stacktraces: Found one Java-level deadlock: = FelixShutdown: waiting to lock monitor 0x00ff7710 (object 0x0007ff33e7f0, a java.util.ArrayList), which is held by main main: waiting to lock monitor 0x022c4a08 (object 0x000783b06b18, a java.lang.Class), which is held by FelixShutdown Java stack information for the threads listed above: === FelixShutdown: at org.apache.felix.framework.URLHandlers. unregisterFrameworkListsForContextSearch(URLHandlers.java:315) - waiting to lock 0x0007ff33e7f0 (a java.util.ArrayList) - locked 0x0007ff33e840 (a java.util.HashMap) - locked 0x000783b06b18 (a java.lang.Class for java.net.URL) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke( NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke( DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.apache.felix.framework.util.SecureAction.invoke( SecureAction.java:840) at org.apache.felix.framework.URLHandlers. unregisterFrameworkInstance(URLHandlers.java:635) at org.apache.felix.framework.URLHandlersActivator.stop( URLHandlersActivator.java:76) at org.apache.felix.framework.util.SecureAction. stopActivator(SecureAction.java:667) at org.apache.felix.framework.Felix$SystemBundleActivator. stop(Felix.java:4715) at org.apache.felix.framework.util.SecureAction. stopActivator(SecureAction.java:667) at org.apache.felix.framework.Felix.stopBundle(Felix.java:2530) at org.apache.felix.framework.Felix$2.run(Felix.java:959) at java.lang.Thread.run(Thread.java:724) main: at org.apache.felix.framework.URLHandlers.init( URLHandlers.java:150) - waiting to lock 0x000783b06b18 (a java.lang.Class for java.net.URL) at org.apache.felix.framework.URLHandlers. registerFrameworkInstance(URLHandlers.java:600) - locked 0x0007ff33e7f0 (a java.util.ArrayList) at org.apache.felix.framework.URLHandlersActivator.start( URLHandlersActivator.java:71) at org.apache.felix.framework.util.SecureAction. startActivator(SecureAction.java:645) at org.apache.felix.framework.Felix$SystemBundleActivator. start(Felix.java:4634) at org.apache.felix.framework.util.SecureAction. startActivator(SecureAction.java:645) at org.apache.felix.framework.Felix.init(Felix.java:783) // ... Application specific trace - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: Problems with ConditionalPermissionAdmin
I don't think there is a way to make this a relative path. Basically, relative paths are relative to the current user.dir which is set to the dir the user is in when invoking the jvm. You might be able to create your own permission that gets this done, however. It would need to imply file permission but derive relative path from the felix.jar location which it should be able to figure out. regards, Karl On Thu, Apr 3, 2014 at 3:40 PM, felixandre andrea.carli...@gmail.comwrote: Thanks Karl! I report here last attempts with results: *ATTEMPT 1:* /ALLOW { [org.osgi.service.condpermadmin.BundleSignerCondition *; O=OTHER] ( java.io.FilePermission readableFolder\- read) } Allow bundles signed by OTHER to read file in readableFolder DENY { [org.osgi.service.condpermadmin.BundleSignerCondition *; O=OTHER] ( java.io.FilePermission - *) } Deny bundles signed by OTHER to read and write files everywhere else ALLOW { ( java.security.AllPermission * *) } But give all other not denied permissions to all bundles / with this, the bundle signed by OTHER can read and write all files under Felix folder tree *ATTEMPT 2:* /ALLOW { [org.osgi.service.condpermadmin.BundleSignerCondition *; O=OTHER] ( java.io.FilePermission readableFolder\- read) }Allow bundles signed by OTHER to read file in readableFolder DENY { [org.osgi.service.condpermadmin.BundleSignerCondition *; O=OTHER] ( java.io.FilePermission - write) } Deny bundles signed by OTHER to read and write files everywhere else ALLOW { ( java.security.AllPermission * *) } But give all other not denied permissions to all bundles / with this, the bundle signed by OTHER cannot write all files under Felix folder tree, but can read every file. But if within the DENY condition I use read,write instead of only wrte then the bundle cannot read even in the allowed folder (first ALLOW condition). I think the problem here is the syntax of the first parameter of the java.io.FilePermission condition. What is the correct way to write it? Is it possible to use a path relative to the felix execution folder? Is there a way to write it which is compatible with both Windows and Linux folder? (I'm now working in Windows but I'll have to use the same framework under linux too). Thanks, Andrea -- View this message in context: http://apache-felix.18485.x6.nabble.com/Problems-with-ConditionalPermissionAdmin-tp5007954p5007961.html Sent from the Apache Felix - Users mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: Problems with ConditionalPermissionAdmin
Well you second policy has to fail because '/opt*' is not what you think it is. It would need to be '/opt/-' to achieve what you have in mind i think. Not sure why the BundleSignerCondition doesn't work. Are you sure the dn is matching the certificate (probably the easiest way to figure that out is to try with a single ALLOW rule first that gives AllPermission to bundles with that dn only)? regards, Karl On Fri, Apr 4, 2014 at 2:57 PM, felixandre andrea.carli...@gmail.comwrote: Well, let's say this is a step further then, since the standard java.io.FilePermission is not working for me even in linux with absolute path. This is the command to launch the felix framework: java -Djava.security.policy=all.policy -Dorg.osgi.framework.security=osgi -Dosgi.signedcontent.support=trust -Dfelix.keystore=file:/opt/felix/keystore.jks -Dfelix.keystore.pass=pswd -Dfelix.keystore.type=jks -jar ./bin/felix.jar With this policy file: /DENY { ( java.io.FilePermission /opt/miv/conf/sampleRead.txt read,write) } Deny bundles signed by OTHER to read and write sampleRead.txt file ALLOW { ( java.security.AllPermission * *) } But give all other not denied permissions to all bundles / the policies are applied: no one can read and write the file /opt/miv/conf/sampleRead.txt. But as soon as I try to insert a BundleSignerCondition: /DENY { [org.osgi.service.condpermadmin.BundleSignerCondition CN=xxx, OU=xxx, O=OTHER, L=xxx, ST=xxx, C=xx] ( java.io.FilePermission /opt/miv/conf/sampleRead.txt read,write) } Deny bundles signed by OTHER to read and write sampleRead.txt file ALLOW { ( java.security.AllPermission * *) } But give all other not denied permissions to all bundles / or to generalize the file permission to a parent folder: /DENY { ( java.io.FilePermission /opt* read,write) } Deny bundles signed by OTHER to read and write sampleRead.txt file ALLOW { ( java.security.AllPermission * *) } But give all other not denied permissions to all bundles / no policies are applied at all and everyone is allowed to read and write every file! What I'm I doing wrong here!? in the keystore.jks there are only the certificates of ME and OTHER... The bundles I'm testing are correctly signed (checked with jarsigner). No idea how to solve this... -- View this message in context: http://apache-felix.18485.x6.nabble.com/Problems-with-ConditionalPermissionAdmin-tp5007954p5007967.html Sent from the Apache Felix - Users mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: Problems with ConditionalPermissionAdmin
In regard to 1) you could consider bundling the two together (see an example of this here: http://svn.apache.org/repos/asf/felix/sandbox/rickhall/ct-launcher/) In regard to 2) you'd have to first give me a bit more details: are you saying your bundles can not r/w any file or that they _can_ r/w files they shouldn't? Furthermore, did you test that permission assignment based on your OTHER certificate is working at all like this (i.e., with a simple bundle and a simple permission)? It's sometimes not that easy to get a correct filter for the dn... regards, Karl On Thu, Apr 3, 2014 at 12:28 PM, Andrea Carlino andrea.carli...@gmail.comwrote: Dear all, I'm designing a system based on Felix, which should allow certain operation only to certain bundles. I followed basic and clear scheme from: https://code.google.com/p/osgi -in-action/source/browse/trunk/chapter14/#chapter14%2Fcombined-example%2Forg.foo.policy I have a philosophical and a technical question: 1. Philosophical: The ConditionalPermissionAdmin is operating only if the custom bundle committing the ConditionalPermissionInfo is up and running. If for any reason this is not correctly starting the ConditionalPermission are not considered at all. Is this really a safe way to implement security? Are there other ways to enforce this mechanism? (I've seen some documentation and tutorials on OSGi security implementation in Felix, but everything seems partial, fragmentary and not up-to-date...If you have some good resources please share them) 2. Technical:I have bundles signed by ME, which should be allowed to write and read files everywhere within the Felix folders tree and some other bundles signed by OTHERS which should be allowed only to read from subfolder ./readableFolder. Every other system bundle which is not I think I tried every possibility but nothing is working...I need help for this... Below my security.policy file that I expected to work, according to what I understood so far (reference from project linked before, modified with indications from OSGi rev5. specifications and http://www.knopflerfish.org/releases/3.2/docs/osgi_with_security.html#easyto adapt to Windows Environment) ALLOW { [org.osgi.service.condpermadmin.BundleSignerCondition *; O=OTHER] ( java.io.FilePermission file:.\\readableFolder\\\* read) } Allow bundles signed by OTHER to read every file in readableFolder DENY { [org.osgi.service.condpermadmin.BundleSignerCondition *; O=OTHER] ( java.io.FilePermission * *) } Deny bundles signed by OTHER to read and write file everywhere else ALLOW { ( java.security.AllPermission * *) } Give all other not denied permissions to all bundles In the end, what is the logic more restrictive conditions first, right? I've already spent a lot of time on this without success...any help or hint is highly appreciated (and needed :-) )! Thanks, Andrea -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: Problem with compiling Felix 3.1.1
Try to disable the tests with -Dmaven.test.skip=true On Fri, Feb 14, 2014 at 4:53 PM, Elros crivell...@gmail.com wrote: Thanks for your suggestions. I'm sorry for the mistake. I meant version 4.2.1. I changed the pom.xml anyway but i get the same error: [INFO] [INFO] BUILD FAILURE [INFO] [INFO] Total time: 11.849s [INFO] Finished at: Fri Feb 14 16:40:13 CET 2014 [INFO] Final Memory: 49M/300M [INFO] [ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:2.3.2:testCompile (default-testCompile) on project org.apache.felix.framework: Compilation failure: Compilation failure: [ERROR] /Users/Nino/isti/workspace/felix/framework/src/test/java/org/apache/felix/framework/CollisionHookTest.java:[84,24] error: no suitable constructor found for BundleImpl(Felix,BundleImpl,BundleArchive) [ERROR] constructor BundleImpl.BundleImpl(Felix,BundleArchive) is not applicable [ERROR] (actual and formal argument lists differ in length) [ERROR] constructor BundleImpl.BundleImpl() is not applicable [ERROR] (actual and formal argument lists differ in length) [ERROR] /Users/Nino/isti/workspace/felix/framework/src/test/java/org/apache/felix/framework/CollisionHookTest.java:[147,24] error: no suitable constructor found for BundleImpl(Felix,null,BundleArchive) [ERROR] constructor BundleImpl.BundleImpl(Felix,BundleArchive) is not applicable [ERROR] (actual and formal argument lists differ in length) [ERROR] constructor BundleImpl.BundleImpl() is not applicable [ERROR] (actual and formal argument lists differ in length) [ERROR] /Users/Nino/isti/workspace/felix/framework/src/test/java/org/apache/felix/framework/CollisionHookTest.java:[205,12] error: no suitable constructor found for BundleImpl(Felix,null,BundleArchive) [ERROR] constructor BundleImpl.BundleImpl(Felix,BundleArchive) is not applicable [ERROR] (actual and formal argument lists differ in length) [ERROR] constructor BundleImpl.BundleImpl() is not applicable [ERROR] (actual and formal argument lists differ in length) [ERROR] /Users/Nino/isti/workspace/felix/framework/src/test/java/org/apache/felix/framework/CollisionHookTest.java:[246,24] error: no suitable constructor found for BundleImpl(Felix,null,BundleArchive) [ERROR] constructor BundleImpl.BundleImpl(Felix,BundleArchive) is not applicable [ERROR] (actual and formal argument lists differ in length) [ERROR] constructor BundleImpl.BundleImpl() is not applicable [ERROR] (actual and formal argument lists differ in length) [ERROR] /Users/Nino/isti/workspace/felix/framework/src/test/java/org/apache/felix/framework/CollisionHookTest.java:[279,12] error: no suitable constructor found for BundleImpl(Felix,null,BundleArchive) [ERROR] - [Help 1] [ERROR] I tried to compile the sub-project http and got the same result. So i tried to change the function of /felix/http/base/src/main/java/org/apache/felix/http/base/internal/handler/HttpServicePlugin.java by: public void register() { Properties props = new Properties(); props.put(Constants.SERVICE_VENDOR, Apache Software Foundation); props.put(Constants.SERVICE_DESCRIPTION, HTTP Service Web Console Plugin); ... } into: public void register() { java.util.HashtableString,Object props = new java.util.HashtableString,Object(); props.put(Constants.SERVICE_VENDOR, Apache Software Foundation); props.put(Constants.SERVICE_DESCRIPTION, HTTP Service Web Console Plugin); ... } and it works! I got another failure with JettyService.java and i tried to solve the problem in the same way. Perhaps the string should be changed in every file. Best, Nino -- View this message in context: http://apache-felix.18485.x6.nabble.com/Problem-with-compiling-Felix-3-1-1-tp5007226p5007232.html Sent from the Apache Felix - Users mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: Problem with compiling Felix 3.1.1
Well, that isn't the framework but some other project. Not sure what is going wrong there... regards, Karl On Fri, Feb 14, 2014 at 5:52 PM, A. Crivello crivell...@gmail.com wrote: Ok, but still doesn't work. with mvn install -Dmaven.test.skip=true i got [INFO] [INFO] BUILD SUCCESS [INFO] but with mvn -Dpackaging=bundle -Dmaven.test.skip=true install i got [INFO] BUILD FAILURE [INFO] [INFO] Total time: 28.483s [INFO] Finished at: Fri Feb 14 17:51:53 CET 2014 [INFO] Final Memory: 78M/323M [INFO] [ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:2.3.2:compile (default-compile) on project org.apache.felix.http.cometd: Compilation failure [ERROR] /Users/Nino/isti/workspace/felix/http/cometd/src/main/java/org/apache/felix/http/cometd/internal/CometdServiceImpl.java:[63,44] error: no suitable method found for registerService(String,CometdServiceImpl,Properties) [ERROR] - [Help 1] Karl Pauls wrote Try to disable the tests with -Dmaven.test.skip=true -- View this message in context: http://apache-felix.18485.x6.nabble.com/Problem-with-compiling-Felix-3-1-1-tp5007226p5007234.html Sent from the Apache Felix - Users mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: Problem with felix://extensions?
Unfortunately, there isn't an easy way (we probably should provide a way to disable this). Basically, in your situation you could try either of the following: a) build felix yourself and rip out this code: try { (new URL(http://felix.extensions:9/;)).openConnection(); } catch (Throwable t) { // This doesn't matter much - we only need the above to init the url subsystem } in src/main/java/org/apache/felix/framework/ExtensionManager.java b) provide your own name service provider that can handle the name for you (which probably is to much work but possible iirc - ping me again if you need more info on this). regards, Karl On Thu, Jan 30, 2014 at 2:50 PM, Daniel McGreal dan...@redbite.com wrote: Hi there, Some bug in my deployment environment causes web requests for non-resolveable DNS requests to take a prohibitively long time to time-out. For some reason, Felix makes a bunch of these requests at startup asking for felix.extensions, a request which is obviously doomed to fail. Does anyone know how these requests can be prevented? I do not have any control over the deployment environment to fix the timeout of DNS requests. Best, Dan. - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: Problem with Felix security and bundle policies
what happens if you have the following in security.policy: ALLOW { ( java.security.AllPermission * *) } Give all permissions to all bundles if that doesn't work you have to give me more information about your setup. regards, Karl On Thu, Jan 23, 2014 at 10:17 AM, felixandre andrea.carli...@gmail.comwrote: Thanks for your reply! I have exactly the same code and if I simply use this with an empty /security.policy/ file I cannot even interact with the console like, for example, executing the /lb/ command. And of course I cannot even install any other bundle... Is this not related to the policy for the system bundles like the Gogo Shell, Gogo Command, Gogo Runtime and Bundle Repository??? I think the problem is that either I'm making some mistakes writing the /security.policy/ file, or the policy file is not correctly interpreted. I don't know where to go from here...are the policies I wrote in the first post correct? -- View this message in context: http://apache-felix.18485.x6.nabble.com/Problem-with-Felix-security-and-bundle-policies-tp5006903p5006939.html Sent from the Apache Felix - Users mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: Problem with Felix security and bundle policies
This depends on the ordering of your rules i.e., the ALLOW must be _before_ the DENY if both match a given bundle. regards, Karl On Thu, Jan 23, 2014 at 11:05 AM, felixandre andrea.carli...@gmail.comwrote: I had tried that and every bundle is (correctly) allowed to do everything; the problem is when starting to restrict policies... Anyway, I've just managed to make a further step; even if I'm almost sure I ha dalready tried this way, now something is working as expected... With DENY { [org.osgi.service.condpermadmin.BundleLocationCondition file:.\\bundle\\plugins*] ( java.io.FilePermission * write) } We deny bundles to write file otherwise ALLOW { ( java.security.AllPermission * *) } But give all other not denied permissions to all bundles/ I'm able to DENY file access permission to the bundles in .\bundle\plugins folder. In order to distinguish between signed and not signed bundle in that folder I added a BundleSignerCondition *after* the DENY condition like this: /ALLOW { [org.osgi.service.condpermadmin.BundleSignerCondition CN=logboxIP, O=CRF, OU=ITS, L=Trento C=IT] ( java.io.FilePermission * read, write) } We allow signed bundles to write file but this is not overriding the DENY condition for the whole .\bundle\plugins folder... How could be this accomplished? -- View this message in context: http://apache-felix.18485.x6.nabble.com/Problem-with-Felix-security-and-bundle-policies-tp5006903p5006948.html Sent from the Apache Felix - Users mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: Problem with Felix security and bundle policies
i.e.: keytool -list -keystore certificates.ks -storepass foobar third-party-cert, 08.01.2010, trustedCertEntry, fingerprint (MD5): notice the trustedCertEntry. Furthermore, in the example you gave your last attribute in the DN chain is missing a comma before it (not sure that this is what you really used but just saying): CN=logboxIP, O=CRF, OU=ITS, L=Trento C=IT CN=xxx, O=xxx, OU=xxx, L=x C=xx there clearly seems to be a missing comma before the C=IT/C=xx regards, Karl On Thu, Jan 23, 2014 at 1:49 PM, Karl Pauls karlpa...@gmail.com wrote: Its very hard to say - if you can make a simple example available to me I can have a look. Otherwise, if there are no other exceptions/print-outs and you are sure your rules are syntactically correct and should match then I don't know either. The one thing to make sure is that you really have the self signed certificate in that keystore as a _trusted certificate_ - otherwise it will not work. regards, Karl On Thu, Jan 23, 2014 at 11:59 AM, felixandre andrea.carli...@gmail.comwrote: I had also tried to invert the order of the rules, but without success... This is the rule (added before the DENY rule): ALLOW { [org.osgi.service.condpermadmin.BundleSignerCondition CN=xxx, O=xxx, OU=xxx, L=x C=xx] ( java.io.FilePermission * read, write) } We allow signed bundles to write file Moreover, to be sure, I verified the jar signature with jarsigner -verify myjar.jar -verbose -certs and all the fields match. I run Felix with all the needed properties (afaik): java -Dorg.osgi.framework.security=osgi -Djava.security.policy=all.policy -Dfelix.keystore=file:myks.jks -Dfelix.keystore.pass=mypwd -Dfelix.keystore.type=jks -jar bin/felix.jar The signature was a selfsigned signature, could this be the problem? I think it isn't, but what can be the problem then? -- View this message in context: http://apache-felix.18485.x6.nabble.com/Problem-with-Felix-security-and-bundle-policies-tp5006903p5006951.html Sent from the Apache Felix - Users mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: Problem with Felix security and bundle policies
if you want to simplify you also have to simplify your dn on the certs. Just picking a part doesn't work. You would need to use wildcards for that (see the spec). I think you need to convert your private key entry into a trusted cert entry: $ keytool -export -v -keystore keys.ks -alias aliasname -file aliasname.cert -storepass foobar -keypass barbaz $ keytool -import -v -keystore certificates.ks -alias aliasname.cert -file core.cert -storepass foobar -keypass barbaz regards, Karl On Thu, Jan 23, 2014 at 2:48 PM, felixandre andrea.carli...@gmail.comwrote: Well, there was the missing comma, but I had also tried simplifying it as much as possible (i.e.: /[org.osgi.service.condpermadmin.BundleSignerCondition O=xxx]/) and checking signer only with this field, but without success, that is no authorization to the signed bundle. Indeed, as a result of correcting the entire DN chain adding the missing comma, has the weird effect of allowing also the not-signed bundle to read and write! I tried the keytool command as you suggested and this is what I got: /Keystore type: JKS Keystore provider : SUN The keystore has 1 entry aliasname, 16-gen-2014, PrivateKeyEntry, fingerprint (SHA1): .../ The command I used to generate the Self-signed certificate is: /keytool -genkey -keyalg RSA -alias aliasname -keystore myks.jks -storepass mypwd -validity 360 -keysize 2048/ and then I signed the bundles with the option of the Eclipse Export procedure. Andrea (could you, please, mask the DN chain fields in the quoted post? I forgot to do it in one post :-| ) -- View this message in context: http://apache-felix.18485.x6.nabble.com/Problem-with-Felix-security-and-bundle-policies-tp5006903p5006955.html Sent from the Apache Felix - Users mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: Security Warning: Felix with Java Web Start
) at java.lang.Thread.run(Thread.java:744) Service Thread daemon prio=10 tid=0x7f09b4097000 nid=0x14d9 runnable [0x] java.lang.Thread.State: RUNNABLE C2 CompilerThread1 daemon prio=10 tid=0x7f09b4094800 nid=0x14d8 waiting on condition [0x] java.lang.Thread.State: RUNNABLE C2 CompilerThread0 daemon prio=10 tid=0x7f09b4092000 nid=0x14d7 waiting on condition [0x] java.lang.Thread.State: RUNNABLE Signal Dispatcher daemon prio=10 tid=0x7f09b4087800 nid=0x14d6 runnable [0x] java.lang.Thread.State: RUNNABLE Finalizer daemon prio=10 tid=0x7f09b4070800 nid=0x14d5 in Object.wait() [0x7f09b0bfa000] java.lang.Thread.State: WAITING (on object monitor) at java.lang.Object.wait(Native Method) - waiting on 0x0007b1b99498 (a java.lang.ref.ReferenceQueue$Lock) at java.lang.ref.ReferenceQueue.remove(ReferenceQueue.java:135) - locked 0x0007b1b99498 (a java.lang.ref.ReferenceQueue$Lock) at java.lang.ref.ReferenceQueue.remove(ReferenceQueue.java:151) at java.lang.ref.Finalizer$FinalizerThread.run(Finalizer.java:189) Reference Handler daemon prio=10 tid=0x7f09b406c800 nid=0x14d4 in Object.wait() [0x7f09b0cfb000] java.lang.Thread.State: WAITING (on object monitor) at java.lang.Object.wait(Native Method) - waiting on 0x0007b1b98ee8 (a java.lang.ref.Reference$Lock) at java.lang.Object.wait(Object.java:503) at java.lang.ref.Reference$ReferenceHandler.run(Reference.java:133) - locked 0x0007b1b98ee8 (a java.lang.ref.Reference$Lock) VM Thread prio=10 tid=0x7f09b406a000 nid=0x14d3 runnable GC task thread#0 (ParallelGC) prio=10 tid=0x7f09b4020800 nid=0x14ce runnable GC task thread#1 (ParallelGC) prio=10 tid=0x7f09b4022000 nid=0x14cf runnable GC task thread#2 (ParallelGC) prio=10 tid=0x7f09b4024000 nid=0x14d0 runnable GC task thread#3 (ParallelGC) prio=10 tid=0x7f09b4026000 nid=0x14d1 runnable VM Periodic Task Thread prio=10 tid=0x7f09b40a2000 nid=0x14da waiting on condition This is an issue that is really important to us. I will try to take my toy-example-solution and integrate it into our real system next week. We can probably live with that for a while, as we don't use extension bundles for anything. However, we would much prefer a more correct solution. Thus, if you need more information from me, I will be happy share whatever I know. I will also be happy to test any solution the Felix team might come up with on our system. Oh, btw. Thanks to everyone on the Felix team. We love your product! Cheers, Martin Rytter -- Martin Rytter - http://martin.ryt.dk - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: Access denied in spite of permissions
You probably have to doPriv around the service registration as cm is on the stack and probably doesn't have the permission itself. Its either that, or you assign the permission (or all permission) to the cm bundle. regards, Karl On Thu, Oct 24, 2013 at 10:20 AM, Roland roool...@gmx.de wrote: My permissions: (org.osgi.framework.ConfigurationPermission * target) (org.osgi.framework.AdminPermission * metadata) (org.osgi.framework.ServicePermission org.osgi.service.cm.ConfigurationAdmin get) (org.osgi.framework.ConfigurationPermission * configure) (org.osgi.framework.PackagePermission org.osgi.service.cm import) (org.osgi.framework.ServicePermission org.osgi.service.cm.ManagedServiceFactory register) (org.osgi.framework.ServicePermission my.package.ServiceInterface register) (org.osgi.framework.ServicePermission my.package.MyServiceFactory register) Did I forget something? Thanks and Regards Roland -- View this message in context: http://apache-felix.18485.x6.nabble.com/Access-denied-in-spite-of-permissions-tp5005687p5005720.html Sent from the Apache Felix - Users mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: Access denied in spite of permissions
Well, you need to give the bundles all permission then no? I guess if you want me to take a look you have to either share what you have or give me more informations so that i can understand what you do... regards, Karl On Tue, Oct 22, 2013 at 4:19 PM, Roland roool...@gmx.de wrote: Hello Karl, thanks for supporting me! I do not use the permission admin. I add carefully selected permissions to the permissions.perm file for each bundle. The permissions.perm file is located in the OSGI-INF directory of the bundle. For most bundles this works fine. Maybe there are some unknown side effects that prevent granting this single permission. Regards Roland -- View this message in context: http://apache-felix.18485.x6.nabble.com/Access-denied-in-spite-of-permissions-tp5005687p5005690.html Sent from the Apache Felix - Users mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: Access denied in spite of permissions
Did you give the bundle the permission or all permission via the conditional permission admin? regards, Karl On Tue, Oct 22, 2013 at 3:04 PM, Roland roool...@gmx.de wrote: Hello Felix experts, today I ran into a access-denied-issue. access denied (org.osgi.framework.ServicePermission my.package.serviceinterface register) I added the permission to the permissions.perm of the bundle. Unfortunately that did not solve the problem. I wonder why the access is denied even though the permission is explicitly granted? Please could someone explain why this can happen. Thanks and regards! Roland -- View this message in context: http://apache-felix.18485.x6.nabble.com/Access-denied-in-spite-of-permissions-tp5005687.html Sent from the Apache Felix - Users mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: Security Warning: Felix with Java Web Start
it would be really helpful if you could provide me with a failing toy example... regards, Karl On Wed, Oct 16, 2013 at 2:37 PM, Cesar Souza ce...@animati.com.br wrote: Hi guys We are facing a big problem, our software cannot run under Java 7 update 45 due to the problem that I reported here. Please, can you raise the priority of the issue on Jira ? On Fri, Oct 11, 2013 at 4:00 PM, Rob Walker r...@ascert.com wrote: Will def update the issue with anything I find. Our examples are anything but small though - very hard to split stuff out, 40+ bundles and a ton of our own app code plus off the shelf libs. Will report back with findings though! - Rob - Original Message - From: Cesar Souza ce...@animati.com.br To: users@felix.apache.org Sent: Friday, 11 October, 2013 8:55:50 PM Subject: Re: Security Warning: Felix with Java Web Start Thanks, Rob If you have a small example, please attach it to the Jira issue that I've just created. https://issues.apache.org/jira/browse/FELIX-4281 On Fri, Oct 11, 2013 at 3:42 PM, Rob Walker r...@ascert.com wrote: I have J7u40, but I haven't tested the WebStart aspect since updating. Quite possible it will hit the same problem, saw the warnings in the release notes. Will give it a try next week if I get a chance and report back - Rob - Original Message - From: Cesar Souza ce...@animati.com.br To: users@felix.apache.org Sent: Friday, 11 October, 2013 6:52:26 PM Subject: Re: Security Warning: Felix with Java Web Start Hi Rob I have already verified all jars in my application. Are you using the Java 7 update 40 with your web start application ?? Is there a way to turn on the debug log in Felix? Maybe I can see what resource is causing the security warning. On Fri, Oct 11, 2013 at 2:26 AM, Rob Walker r...@ascert.com wrote: That seems to imply at least one of the JARs or bundles being loaded isn't signed - probably worth a re-check on all JARs to make sure everything is signed. We also use a launcher, and WebStart Felix. Our production build we signs everything and we don't see that message - but in development, where we don't sign, we do get it. I think I remember reading the latest Java versions are progressively locking down the running of unsigned JARs, which is causing some controversy. -- Rob On 10/10/2013 9:37 PM, Cesar Souza wrote: Hi I have a valid certificate and I already successfully signed a Java Web Start application. So, there is no problem with the certificate or the process to sign my applications. But now I am trying to sign another application that uses Felix. There is a launcher and all the libraries are in a remote directory, all them signed, accessed through a web server. When I launch the application everything is OK until the execution of the Felix's init method. In this moment a dialog appears and show the following message: --- Security Warning Do you want to run this application? An unsigned application from the location below is requesting permission to run. Running unsigned applications like this will be blocked in a future release because it is potentially unsafe and a security risk. --- Is this a Felix's security problem ? Thanks for helping me. - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Ascert - Taking systems to the edge r...@ascert.com +27 21 300 2028 ext 5119 www.ascert.com - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- atenciosamente, Cesar Souza Animati Computação Aplicada Santa Maria, RS - (55) 3286 4010 http://animati.com.br - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- atenciosamente, Cesar Souza Animati Computação Aplicada Santa Maria, RS - (55) 3286 4010 http://animati.com.br - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- atenciosamente, Cesar Souza Animati Computação Aplicada Santa Maria, RS - (55) 3286 4010 http://animati.com.br - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http
Re: Security Warning: Felix with Java Web Start
Alternatively, can you try to get me more information about what is failing exactly? regards, Karl On Wed, Oct 16, 2013 at 2:40 PM, Karl Pauls karlpa...@gmail.com wrote: it would be really helpful if you could provide me with a failing toy example... regards, Karl On Wed, Oct 16, 2013 at 2:37 PM, Cesar Souza ce...@animati.com.br wrote: Hi guys We are facing a big problem, our software cannot run under Java 7 update 45 due to the problem that I reported here. Please, can you raise the priority of the issue on Jira ? On Fri, Oct 11, 2013 at 4:00 PM, Rob Walker r...@ascert.com wrote: Will def update the issue with anything I find. Our examples are anything but small though - very hard to split stuff out, 40+ bundles and a ton of our own app code plus off the shelf libs. Will report back with findings though! - Rob - Original Message - From: Cesar Souza ce...@animati.com.br To: users@felix.apache.org Sent: Friday, 11 October, 2013 8:55:50 PM Subject: Re: Security Warning: Felix with Java Web Start Thanks, Rob If you have a small example, please attach it to the Jira issue that I've just created. https://issues.apache.org/jira/browse/FELIX-4281 On Fri, Oct 11, 2013 at 3:42 PM, Rob Walker r...@ascert.com wrote: I have J7u40, but I haven't tested the WebStart aspect since updating. Quite possible it will hit the same problem, saw the warnings in the release notes. Will give it a try next week if I get a chance and report back - Rob - Original Message - From: Cesar Souza ce...@animati.com.br To: users@felix.apache.org Sent: Friday, 11 October, 2013 6:52:26 PM Subject: Re: Security Warning: Felix with Java Web Start Hi Rob I have already verified all jars in my application. Are you using the Java 7 update 40 with your web start application ?? Is there a way to turn on the debug log in Felix? Maybe I can see what resource is causing the security warning. On Fri, Oct 11, 2013 at 2:26 AM, Rob Walker r...@ascert.com wrote: That seems to imply at least one of the JARs or bundles being loaded isn't signed - probably worth a re-check on all JARs to make sure everything is signed. We also use a launcher, and WebStart Felix. Our production build we signs everything and we don't see that message - but in development, where we don't sign, we do get it. I think I remember reading the latest Java versions are progressively locking down the running of unsigned JARs, which is causing some controversy. -- Rob On 10/10/2013 9:37 PM, Cesar Souza wrote: Hi I have a valid certificate and I already successfully signed a Java Web Start application. So, there is no problem with the certificate or the process to sign my applications. But now I am trying to sign another application that uses Felix. There is a launcher and all the libraries are in a remote directory, all them signed, accessed through a web server. When I launch the application everything is OK until the execution of the Felix's init method. In this moment a dialog appears and show the following message: --- Security Warning Do you want to run this application? An unsigned application from the location below is requesting permission to run. Running unsigned applications like this will be blocked in a future release because it is potentially unsafe and a security risk. --- Is this a Felix's security problem ? Thanks for helping me. - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Ascert - Taking systems to the edge r...@ascert.com +27 21 300 2028 ext 5119 www.ascert.com - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- atenciosamente, Cesar Souza Animati Computação Aplicada Santa Maria, RS - (55) 3286 4010 http://animati.com.br - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- atenciosamente, Cesar Souza Animati Computação Aplicada Santa Maria, RS - (55) 3286 4010 http://animati.com.br - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- atenciosamente, Cesar Souza Animati Computação Aplicada Santa Maria, RS - (55) 3286 4010 http://animati.com.br - To unsubscribe, e
Re: Security Warning: Felix with Java Web Start
its possible that we are having problems with the latest Java 7 update. I read that they changed how they handle this stuff. Can you make a failing example available to me? regards, Karl On Fri, Oct 11, 2013 at 6:52 PM, Cesar Souza ce...@animati.com.br wrote: Hi Rob I have already verified all jars in my application. Are you using the Java 7 update 40 with your web start application ?? Is there a way to turn on the debug log in Felix? Maybe I can see what resource is causing the security warning. On Fri, Oct 11, 2013 at 2:26 AM, Rob Walker r...@ascert.com wrote: That seems to imply at least one of the JARs or bundles being loaded isn't signed - probably worth a re-check on all JARs to make sure everything is signed. We also use a launcher, and WebStart Felix. Our production build we signs everything and we don't see that message - but in development, where we don't sign, we do get it. I think I remember reading the latest Java versions are progressively locking down the running of unsigned JARs, which is causing some controversy. -- Rob On 10/10/2013 9:37 PM, Cesar Souza wrote: Hi I have a valid certificate and I already successfully signed a Java Web Start application. So, there is no problem with the certificate or the process to sign my applications. But now I am trying to sign another application that uses Felix. There is a launcher and all the libraries are in a remote directory, all them signed, accessed through a web server. When I launch the application everything is OK until the execution of the Felix's init method. In this moment a dialog appears and show the following message: --- Security Warning Do you want to run this application? An unsigned application from the location below is requesting permission to run. Running unsigned applications like this will be blocked in a future release because it is potentially unsafe and a security risk. --- Is this a Felix's security problem ? Thanks for helping me. - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Ascert - Taking systems to the edge r...@ascert.com +27 21 300 2028 ext 5119 www.ascert.com - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- atenciosamente, Cesar Souza Animati Computação Aplicada Santa Maria, RS - (55) 3286 4010 http://animati.com.br - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: Security Warning: Felix with Java Web Start
I'll try to get to it. You might want to create a jira issue and assign it to me. Furthermore, if you want to help: try to get me a failing example (it doesn't have to be your big application - see whether you can get a simple dummy to fail). regards, Karl On Fri, Oct 11, 2013 at 8:14 PM, Cesar Souza ce...@animati.com.br wrote: Hi Karl Its a big application, so will be not easy to give you an example, because I am not the software developer who works in the project. The exactly same software works fine on Java 7 update 21, 64bits (Windows 7). I have just done the test. The problem is with this new Java update 40. Can you investigate this problem, please ? On Fri, Oct 11, 2013 at 2:52 PM, Karl Pauls karlpa...@gmail.com wrote: its possible that we are having problems with the latest Java 7 update. I read that they changed how they handle this stuff. Can you make a failing example available to me? regards, Karl On Fri, Oct 11, 2013 at 6:52 PM, Cesar Souza ce...@animati.com.br wrote: Hi Rob I have already verified all jars in my application. Are you using the Java 7 update 40 with your web start application ?? Is there a way to turn on the debug log in Felix? Maybe I can see what resource is causing the security warning. On Fri, Oct 11, 2013 at 2:26 AM, Rob Walker r...@ascert.com wrote: That seems to imply at least one of the JARs or bundles being loaded isn't signed - probably worth a re-check on all JARs to make sure everything is signed. We also use a launcher, and WebStart Felix. Our production build we signs everything and we don't see that message - but in development, where we don't sign, we do get it. I think I remember reading the latest Java versions are progressively locking down the running of unsigned JARs, which is causing some controversy. -- Rob On 10/10/2013 9:37 PM, Cesar Souza wrote: Hi I have a valid certificate and I already successfully signed a Java Web Start application. So, there is no problem with the certificate or the process to sign my applications. But now I am trying to sign another application that uses Felix. There is a launcher and all the libraries are in a remote directory, all them signed, accessed through a web server. When I launch the application everything is OK until the execution of the Felix's init method. In this moment a dialog appears and show the following message: --- Security Warning Do you want to run this application? An unsigned application from the location below is requesting permission to run. Running unsigned applications like this will be blocked in a future release because it is potentially unsafe and a security risk. --- Is this a Felix's security problem ? Thanks for helping me. - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Ascert - Taking systems to the edge r...@ascert.com +27 21 300 2028 ext 5119 www.ascert.com - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- atenciosamente, Cesar Souza Animati Computação Aplicada Santa Maria, RS - (55) 3286 4010 http://animati.com.br - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls -- atenciosamente, Cesar Souza Animati Computação Aplicada Santa Maria, RS - (55) 3286 4010 http://animati.com.br - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: How to improve the start time of Apache Felix
Maybe you need to give us some more information about what you do. Do you start up from a populated cache? regards, Karl On Thu, Sep 5, 2013 at 5:06 PM, Roland w...@ids.de wrote: (The challenge is to start linux and the application within 2 sec.) -- View this message in context: http://apache-felix.18485.x6.nabble.com/How-to-improve-the-start-time-of-Apache-Felix-tp5004833p5004840.html Sent from the Apache Felix - Users mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: Error while using felix -framework with jamvm.
Hm, I assume you did delete your framework cache to make sure you don't have anything messed up in it. If so, try to set: -Dfelix.cache.locking=false regards, Karl On Tue, Aug 27, 2013 at 12:44 PM, Aditya Kapoor er.adityakapo...@gmail.comwrote: Thanks Karl for replying but it did not worked out. Actually i am also using jetty so when i disable *felix.service.urlhandlers=false* in config.properties i am not able to install jetty. I am using felix-framework 4.2.1 version. I tried some changes as replacing the old scr jar file with new version (org.apache.felix.scr-1.4.0.jar - org.apache.felix.scr-1.6.2.jar). Though i am not getting any such error as previously mentioned but it happened so that i am not able to install any other jar file as such. I am getting error as follows whenever i try to install any jar file. *java.io.FileNotFoundException: ./felix-cache/bundle11/refresh.counter* But i am able to start stop and uninstall the jar files which are already running. On Wed, Aug 21, 2013 at 12:51 PM, Aditya Kapoor er.adityakapo...@gmail.comwrote: Hi, I am a new user for java implementation. I am trying to implement this feature for one of the systems where we are getting errors. I am using following command to execute : jamvm -Xms64M -Xmx72M -jar bin/felix.jar I am using the latest felix-framework available (4.2.1) Please find my error logs : === ERROR: Unable to get module class path. (java.lang.RuntimeException: Unable to open JAR file, probably deleted: ./felix-cache/bundle11/version0.0/bundle.jar- embedded/kxml2-2.2.2.jar) ERROR: Error starting file:/pfrm2.0/bundle/org.apache.felix.scr-1.4.0.jar (org.osgi.framework.BundleException: Activator start error in bundle org.apache.fel ix.scr [11].) === Please let me know if i missed something. -- Thanks Regards, Aditya Kapoor -- Thanks Regards, Aditya Kapoor -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: Error while using felix -framework with jamvm.
My biggest problem is that i fail to install a working jamvm on my mac. You could try to disable url handlers: -Dfelix.service.urlhandlers=false and see if that helps you any... regards, Karl On Wed, Aug 21, 2013 at 9:21 AM, Aditya Kapoor er.adityakapo...@gmail.com wrote: Hi, I am a new user for java implementation. I am trying to implement this feature for one of the systems where we are getting errors. I am using following command to execute : jamvm -Xms64M -Xmx72M -jar bin/felix.jar I am using the latest felix-framework available (4.2.1) Please find my error logs : === ERROR: Unable to get module class path. (java.lang.RuntimeException: Unable to open JAR file, probably deleted: ./felix-cache/bundle11/version0.0/bundle.jar- embedded/kxml2-2.2.2.jar) ERROR: Error starting file:/pfrm2.0/bundle/org.apache.felix.scr-1.4.0.jar (org.osgi.framework.BundleException: Activator start error in bundle org.apache.fel ix.scr [11].) === Please let me know if i missed something. -- Thanks Regards, Aditya Kapoor -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: [SECURITY] permissions.perm file ignored
Well, I can't reproduce this problem on MacOS 10.8.4. For me, downloading felix 4.2.1 and framework.security 2.2.0 (installed by putting it into the 'bundle' dir) seems to work with: $ java -Djava.security.policy=My.policy -Dorg.osgi.framework.security=osgi -jar bin/felix.jar where: $ cat My.policy grant { permission java.security.AllPermission; }; $ java -version java version 1.7.0_21 Java(TM) SE Runtime Environment (build 1.7.0_21-b12) Java HotSpot(TM) 64-Bit Server VM (build 23.21-b01, mixed mode) so you'll have to give me some more informations and help me to reproduce your problem... regards, Karl On Fri, Jul 12, 2013 at 12:34 PM, Roland w...@ids.de wrote: Hi, ok grant { permission java.security.AllPermission; }; ERROR: Error creating bundle cache. (java.security.AccessControlException: access denied (java.io.FilePermission .\felix-cache read)) java.security.AccessControlException: access denied (java.io.FilePermission .\felix-cache read) at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374) at java.security.AccessController.checkPermission(AccessController.java:549) at java.lang.SecurityManager.checkPermission(SecurityManager.java:532) at java.lang.SecurityManager.checkRead(SecurityManager.java:871) at java.io.File.exists(File.java:731) at org.apache.felix.framework.util.SecureAction$Actions.run(SecureAction.java:1546) at java.security.AccessController.doPrivileged(Native Method) at org.apache.felix.framework.util.SecureAction.fileExists(SecureAction.java:308) at org.apache.felix.framework.cache.BundleCache.init(BundleCache.java:124) at org.apache.felix.framework.Felix.init(Felix.java:640) at org.apache.felix.framework.Felix.start(Felix.java:893) Thanks! Roland -- View this message in context: http://apache-felix.18485.x6.nabble.com/SECURITY-permissions-perm-file-ignored-tp5002699p5004279.html Sent from the Apache Felix - Users mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: [SECURITY] permissions.perm file ignored
can you post the stack trace or the content of your My.policy file? regards, Karl On Friday, July 12, 2013, Roland wrote: Hi Karl, I installed the framework.security-bundle and configured -Djava.security.policy=My.policy -Dorg.osgi.framework.security=osgibut I got following exception: java.security.AccessControlException: access denied (java.io.FilePermission .\felix-cache read). So I stored a permissions.perm to the OSGI-INF-directory but without any success...(java.io.FilePermission .\felix-cache read,write) Any suggestions? Many Thanks Roland -- View this message in context: http://apache-felix.18485.x6.nabble.com/SECURITY-permissions-perm-file-ignored-tp5002699p5004277.html Sent from the Apache Felix - Users mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org javascript:; For additional commands, e-mail: users-h...@felix.apache.orgjavascript:; -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: Invalid package name: '*' ????
You must have a Class in the default package (i.e., not inside a package at all). This doesn't work because OSGi doesn't allow you to have something inside the default package (i.e., without a package, i.e., in the '.'). Now, the question is why you have something in there. Double check you are not referencing a class that has no package but if you don't, you might want to make sure its not just some compile error that messes things up or that it is not a transitive reference. regards, Karl On Fri, Jun 21, 2013 at 3:28 PM, Roland w...@ids.de wrote: hello, I'm at it again and I hope I'm right here. I hang on a problem for a few hours. I do not know what I'm doing wrong. Below is the error message and my POM. ... [INFO] [bundle:bundle {execution: default-bundle}] in default pack? [WARNING] Bundle mygroupId:myartifactId:bundle:1.0.0.0 : Invalid package name: '*' [ERROR] Bundle de.ids.acos.rtu.osgi.bundles:acos-rtu-constants:bundle:1.0.0.0 : The default package '.' is not permitted by the Import-Package syntax. This can be caused by compile errors in Eclipse because Eclipse creates valid class files regardless of compile errors. The following package(s) import from the default package null [ERROR] Error(s) found in bundle configuration project xmlns=http://maven.apache.org/POM/4.0.0; xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance; xsi:schemaLocation=http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd; modelVersion4.0.0/modelVersion parent groupIdmygroupID/groupId artifactIdmyparent/artifactId version1.0.0.0/version /parent groupIdmygroupID/groupId artifactIdmyproject/artifactId namemyproject/name packagingbundle/packaging build plugins plugin groupIdorg.apache.felix/groupId artifactIdmaven-bundle-plugin/artifactId extensionstrue/extensions configuration archive /archive instructions Bundle-SymbolicName${project.groupId}.${project.artifactId}/Bundle-SymbolicName Bundle-Description${project.description}/Bundle-Description Bundle-Version${project.version}/Bundle-Version Bundle-Activator/Bundle-Activator EXPORT-PACKAGE mypackage;version=1.0.0.0 /EXPORT-PACKAGE IMPORT-PACKAGE * /IMPORT-PACKAGE /instructions /configuration /plugin /plugins /build /project I have already tried mvn clean, but that does not help. Recently I get frequently strange error messages from maven. From time to time I can not build my projects and I get the following error message: ... Source not found. This indicates that the compiler can not find the source. After a further try everything works again! There is probably a bug somewhere in the Maven-Universe. Maybe I should ask this in a Maven forum. Any suggestions? Thanks in advance! Roland -- View this message in context: http://apache-felix.18485.x6.nabble.com/Invalid-package-name-tp5004065.html Sent from the Apache Felix - Users mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: [SECURITY] permissions.perm files
Did you install the framework.security provider? regards, Karl On Mon, Mar 25, 2013 at 6:40 PM, Fearless vive.marsei...@voila.fr wrote: Hi, First of all, thanks for your work. I am trying to enable security in Felix 4.0.1 by launching the following command : java -Djava.security.policy=all.policy -Dorg.osgi.framework.security=osgi -Djava.library.path=. -jar bin/felix.jar The file all.policy contains : grant { permission java.security.AllPermission; }; I put a file named permissions.perm in the directory OSGI-INF/ of my bundle containing all the permissions my bundle must have. When I deploy it, I can see that my bundle still has all the permissions ; to check the permissions, here is what I am doing in Java : System.getSecurityManager().checkPermission(... // my permissions here); Whatever the permission is, this method never throws an exception... In my opinion, my permissions.pem is not used/interpreted. Did I miss or misunderstand something? I have searched for this problem for days and I wasn't able to find any solutions to this... Best regards, Frls -- View this message in context: http://apache-felix.18485.n6.nabble.com/SECURITY-permissions-perm-files-tp5002699.html Sent from the Apache Felix - Users mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: Security Felix bundles
On Thu, Mar 14, 2013 at 8:18 AM, Felix Meschberger fmesc...@adobe.comwrote: Hi, Am 13.03.2013 um 23:16 schrieb Karl Pauls: Is it planned to add permissions file into Felix subprojects bundles (Config Admi, Event Admin, etc.)? Planned, no. Not at this point - however, I'm sure contributions are more than welcome. If you want to create some permission files and give them to use I'm sure we are more than happy to integrate them. Please excuse my ignorance: Would adding permission files mean, we would have to sign the bundles ? Not necessarily, no. The point is that in this model, it makes sense to give allpermission to bundles and rely on the limits in their permissions.perm files. This can be convenient (if anything is when security is used ;-) as one only has to look at the permissions requested in the permissions.perm to decide if a bundle is save to install and no further policy needs to be changed - provided, one can rely on the fact that the bundle hasn't been tampered with (or at least, the permission.perm file hasn't been changed or removed completely). In other words, for this to work you need, a) a correct permissions.perm file (hopefully only requesting the minimal set of needed permissions) for (and in) each bundle, and b) the bundle needs to be signed if you can't assume that nobody is able to tamper with it. In consequence, while the bundle ultimately probably has to be signed by somebody, we don't _have to_ sign it just because we provide a permissions.perm inside of it. Figuring out the minimal set of permissions is hard. Signing a bundle and giving allpermission to that cert might be effort but isn't the end of the world -- hence, I'd argue that providing a permissions.perm with our bundles is a value in itself. Signing them as well would be another value add but isn't needed to make the former valuable. regards, Karl Regards Felix -- Felix Meschberger | Principal Scientist | Adobe - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: Security Felix bundles
Hi, On Wed, Mar 13, 2013 at 7:06 PM, Romain Dubois romain.dub...@yahoo.frwrote: Hi, I am working on a security model based on ConditionalPermissionAdmin. I assume that administrators audit permissions files in bundles and trust them. My model is simple: - If a bundle has a valid permissions file (/OSGI-INF/permissions.perm), I grant it AllPermission (which is reduced by permissions file). - Otherwise (none or invalid permissions file), I grant it the basic permissions (defined externally). I rely on OSGi Conditions and it works fine, theorically. However, I am facing a problem: 3rd library do not always have a permissions file. So, my first question is: Is it planned to add permissions file into Felix subprojects bundles (Config Admi, Event Admin, etc.)? Planned, no. Not at this point - however, I'm sure contributions are more than welcome. If you want to create some permission files and give them to use I'm sure we are more than happy to integrate them. I also have an other question about Felix security implementation: When a permissions file is invalid, its bundle is considered as if it haven't any permissions file (=AllPermission).Do you consider it is a valid behavior or a bug? Well, iirc, this is a grey area as the spec is mum on the issue. If the bundle is signed and the permissions.perm has been removed or tempered with the bundle fails to install but that is not helping in your case. I would consider it as a bug because an auditor is not able to detect all syntax problems and will trust a bundle which is not confined to its declared permissions. We can certainly debate what should happen in that case. If you think it is better to give the bundle no permissions please raise a jira issue so that we can keep track of it. regards, Karl Romain -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: Regarding https://issues.apache.org/jira/browse/FELIX-3302
Yes, please try 4.2.0. FELIX-3302 was fixed in 4.0.3 however, my guess is that you are running into FELIX-3840 ( https://issues.apache.org/jira/browse/FELIX-3840) which was fixed in 4.2.0. It that still gives you problems please open a new bug. regards, Karl On Mon, Mar 11, 2013 at 7:26 AM, Felix Meschberger fmesc...@adobe.comwrote: Hi, Reading the issue it looks like Karl has pushed a potential fix. This should be in both the 4.0.3 and the recent 4.2.0 release. So, you might want to give 4.2.0 a try. If it still persists, you might want to rise another issue. Thanks. Regards Felix Am 11.03.2013 um 06:01 schrieb Bhushan Rane (bhrane): HI All, Can you please confirm in which version this issue is fixed? I have gone through tracking system with the URL, it says 4.0.3, but when we tried, it's still exists. https://issues.apache.org/jira/browse/FELIX-3302 Info: http://apache-felix.18485.n6.nabble.com/Error-with-multiple-instances-of-Felix-running-as-separate-EAR-deployments-in-WebLogic-td4845135.html Thanks, Bhushan -- Felix Meschberger | Principal Scientist | Adobe - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: Compatibility for JBOSS 7.1.1 with Felix 3.2.3
Please try with 4.2.0 - before that there might be problems. 4.2.0 should work. regards, Karl On Wed, Feb 27, 2013 at 5:58 AM, Bhushan Rane (bhrane) bhr...@cisco.comwrote: Hi All, Just wanted to confirm if Felix 3.2.3 is compatible with JBOSS 7.1.1 as we are seeing issues with it. Please suggest/share for Felix versions. (One of the forums suggested to use 4.0.3). Thanks, Bhushan -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: felix security: Bundle in cache doesn't pass security check anymore.
You'd have to use java6 or lower to compile. I guess I can fix that too. regards, Karl On Tue, Feb 12, 2013 at 8:06 AM, Reto Bachmann-Gmür r...@wymiwyg.comwrote: Hi Karl Trying to compile the trunk version of framework.security I get: [INFO] --- maven-compiler-plugin:2.3.2:compile (default-compile) @ org.apache.felix.framework.security --- [INFO] Compiling 11 source files to /data-ssd-unencrypted/projects-apache/felix/framework.security/target/classes [INFO] - [ERROR] COMPILATION ERROR : [INFO] - [ERROR] /data-ssd-unencrypted/projects-apache/felix/framework.security/src/main/java/org/apache/felix/framework/security/condpermadmin/ConditionalPermissionAdminImpl.java:[310,19] error: FakeBundle is not abstract and does not override abstract method adapt(Class) in Bundle [ERROR] /data-ssd-unencrypted/projects-apache/felix/framework.security/src/main/java/org/apache/felix/framework/security/condpermadmin/ConditionalPermissionAdminImpl.java:[464,15] error: name clash: Aadapt(ClassA) in FakeBundle and adapt(Class) in Bundle have the same erasure, yet neither overrides the other [INFO] 2 errors Cheers, Reto On Mon, Feb 11, 2013 at 11:19 PM, Karl Pauls karlpa...@gmail.com wrote: You could try to see whether it works with the current framework.security trunk. If not, please open a jira (and if possible attach some example that fails :-) regards, Karl On Mon, Feb 11, 2013 at 10:49 PM, Karl Pauls karlpa...@gmail.com wrote: Looks like a bug to me. Can you please open a jira issue and assign it to me? regards, Karl On Mon, Feb 11, 2013 at 10:01 PM, Reto Bachmann-Gmür r...@apache.org wrote: Hello, After updating clerezza to the latest released versions of felix and felix security I'm getting the following error after a restart: ERROR: Bundle in cache doesn't pass security check anymore. (java.lang.ArrayIndexOutOfBoundsException: -1) java.lang.ArrayIndexOutOfBoundsException: -1 at org.apache.felix.framework.security.verifier.BundleDNParser.getRootChains(BundleDNParser.java:470) at org.apache.felix.framework.security.verifier.BundleDNParser._getDNChains(BundleDNParser.java:246) at org.apache.felix.framework.security.verifier.BundleDNParser.checkDNChains(BundleDNParser.java:145) at org.apache.felix.framework.SecurityProviderImpl.checkBundle(SecurityProviderImpl.java:63) at org.apache.felix.framework.Felix.setBundleProtectionDomain(Felix.java:854) at org.apache.felix.framework.Felix.init(Felix.java:805) at org.apache.felix.framework.Felix.start(Felix.java:882) at org.apache.clerezza.platform.launcher.ClerezzaApp.start(ClerezzaApp.java:184) at org.apache.clerezza.platform.launcher.ClerezzaApp.start(ClerezzaApp.java:167) at org.apache.clerezza.platform.launcher.Main.main(Main.java:34) Any idea what might cause this? Cheers, Reto - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: felix security: Bundle in cache doesn't pass security check anymore.
Well, i just tried and it seems to work with the current framework and security trunk. It be nice if you could double-check as I'm not sure I did the right thing. regards, Karl On Tue, Feb 12, 2013 at 8:26 AM, Reto Bachmann-Gmür r...@apache.org wrote: Rehi, Created FELIX-3893 nevertheless. I cannot assign the issue, but I can close the issue if can see the issue is solved in trunk ;) Cheers, Reto On Tue, Feb 12, 2013 at 8:06 AM, Reto Bachmann-Gmür r...@wymiwyg.com wrote: Hi Karl Trying to compile the trunk version of framework.security I get: [INFO] --- maven-compiler-plugin:2.3.2:compile (default-compile) @R org.apache.felix.framework.security --- [INFO] Compiling 11 source files to /data-ssd-unencrypted/projects-apache/felix/framework.security/target/classes [INFO] - [ERROR] COMPILATION ERROR : [INFO] - [ERROR] /data-ssd-unencrypted/projects-apache/felix/framework.security/src/main/java/org/apache/felix/framework/security/condpermadmin/ConditionalPermissionAdminImpl.java:[310,19] error: FakeBundle is not abstract and does not override abstract method adapt(Class) in Bundle [ERROR] /data-ssd-unencrypted/projects-apache/felix/framework.security/src/main/java/org/apache/felix/framework/security/condpermadmin/ConditionalPermissionAdminImpl.java:[464,15] error: name clash: Aadapt(ClassA) in FakeBundle and adapt(Class) in Bundle have the same erasure, yet neither overrides the other [INFO] 2 errors Cheers, Reto On Mon, Feb 11, 2013 at 11:19 PM, Karl Pauls karlpa...@gmail.com wrote: You could try to see whether it works with the current framework.security trunk. If not, please open a jira (and if possible attach some example that fails :-) regards, Karl On Mon, Feb 11, 2013 at 10:49 PM, Karl Pauls karlpa...@gmail.com wrote: Looks like a bug to me. Can you please open a jira issue and assign it to me? regards, Karl On Mon, Feb 11, 2013 at 10:01 PM, Reto Bachmann-Gmür r...@apache.org wrote: Hello, After updating clerezza to the latest released versions of felix and felix security I'm getting the following error after a restart: ERROR: Bundle in cache doesn't pass security check anymore. (java.lang.ArrayIndexOutOfBoundsException: -1) java.lang.ArrayIndexOutOfBoundsException: -1 at org.apache.felix.framework.security.verifier.BundleDNParser.getRootChains(BundleDNParser.java:470) at org.apache.felix.framework.security.verifier.BundleDNParser._getDNChains(BundleDNParser.java:246) at org.apache.felix.framework.security.verifier.BundleDNParser.checkDNChains(BundleDNParser.java:145) at org.apache.felix.framework.SecurityProviderImpl.checkBundle(SecurityProviderImpl.java:63) at org.apache.felix.framework.Felix.setBundleProtectionDomain(Felix.java:854) at org.apache.felix.framework.Felix.init(Felix.java:805) at org.apache.felix.framework.Felix.start(Felix.java:882) at org.apache.clerezza.platform.launcher.ClerezzaApp.start(ClerezzaApp.java:184) at org.apache.clerezza.platform.launcher.ClerezzaApp.start(ClerezzaApp.java:167) at org.apache.clerezza.platform.launcher.Main.main(Main.java:34) Any idea what might cause this? Cheers, Reto - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: felix security: Bundle in cache doesn't pass security check anymore.
I commited a fix for the java7 issue so the security provider should compile for you. regards, Karl On Tue, Feb 12, 2013 at 3:28 PM, Karl Pauls karlpa...@gmail.com wrote: Well, i just tried and it seems to work with the current framework and security trunk. It be nice if you could double-check as I'm not sure I did the right thing. regards, Karl On Tue, Feb 12, 2013 at 8:26 AM, Reto Bachmann-Gmür r...@apache.orgwrote: Rehi, Created FELIX-3893 nevertheless. I cannot assign the issue, but I can close the issue if can see the issue is solved in trunk ;) Cheers, Reto On Tue, Feb 12, 2013 at 8:06 AM, Reto Bachmann-Gmür r...@wymiwyg.com wrote: Hi Karl Trying to compile the trunk version of framework.security I get: [INFO] --- maven-compiler-plugin:2.3.2:compile (default-compile) @R org.apache.felix.framework.security --- [INFO] Compiling 11 source files to /data-ssd-unencrypted/projects-apache/felix/framework.security/target/classes [INFO] - [ERROR] COMPILATION ERROR : [INFO] - [ERROR] /data-ssd-unencrypted/projects-apache/felix/framework.security/src/main/java/org/apache/felix/framework/security/condpermadmin/ConditionalPermissionAdminImpl.java:[310,19] error: FakeBundle is not abstract and does not override abstract method adapt(Class) in Bundle [ERROR] /data-ssd-unencrypted/projects-apache/felix/framework.security/src/main/java/org/apache/felix/framework/security/condpermadmin/ConditionalPermissionAdminImpl.java:[464,15] error: name clash: Aadapt(ClassA) in FakeBundle and adapt(Class) in Bundle have the same erasure, yet neither overrides the other [INFO] 2 errors Cheers, Reto On Mon, Feb 11, 2013 at 11:19 PM, Karl Pauls karlpa...@gmail.com wrote: You could try to see whether it works with the current framework.security trunk. If not, please open a jira (and if possible attach some example that fails :-) regards, Karl On Mon, Feb 11, 2013 at 10:49 PM, Karl Pauls karlpa...@gmail.com wrote: Looks like a bug to me. Can you please open a jira issue and assign it to me? regards, Karl On Mon, Feb 11, 2013 at 10:01 PM, Reto Bachmann-Gmür r...@apache.org wrote: Hello, After updating clerezza to the latest released versions of felix and felix security I'm getting the following error after a restart: ERROR: Bundle in cache doesn't pass security check anymore. (java.lang.ArrayIndexOutOfBoundsException: -1) java.lang.ArrayIndexOutOfBoundsException: -1 at org.apache.felix.framework.security.verifier.BundleDNParser.getRootChains(BundleDNParser.java:470) at org.apache.felix.framework.security.verifier.BundleDNParser._getDNChains(BundleDNParser.java:246) at org.apache.felix.framework.security.verifier.BundleDNParser.checkDNChains(BundleDNParser.java:145) at org.apache.felix.framework.SecurityProviderImpl.checkBundle(SecurityProviderImpl.java:63) at org.apache.felix.framework.Felix.setBundleProtectionDomain(Felix.java:854) at org.apache.felix.framework.Felix.init(Felix.java:805) at org.apache.felix.framework.Felix.start(Felix.java:882) at org.apache.clerezza.platform.launcher.ClerezzaApp.start(ClerezzaApp.java:184) at org.apache.clerezza.platform.launcher.ClerezzaApp.start(ClerezzaApp.java:167) at org.apache.clerezza.platform.launcher.Main.main(Main.java:34) Any idea what might cause this? Cheers, Reto - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: felix security: Bundle in cache doesn't pass security check anymore.
Just try again with the latest trunk - it should compile with java7 now. regards, Karl On Tue, Feb 12, 2013 at 3:33 PM, Reto Bachmann-Gmür r...@apache.org wrote: Pomising If you could deploy the trunk version to https://repository.apache.org/content/repositories/snapshots/org/apache/felix/org.apache.felix.framework.security/ this would safe me from installing an old java version. Cheers, Reto On Tue, Feb 12, 2013 at 3:28 PM, Karl Pauls karlpa...@gmail.com wrote: Well, i just tried and it seems to work with the current framework and security trunk. It be nice if you could double-check as I'm not sure I did the right thing. regards, Karl On Tue, Feb 12, 2013 at 8:26 AM, Reto Bachmann-Gmür r...@apache.org wrote: Rehi, Created FELIX-3893 nevertheless. I cannot assign the issue, but I can close the issue if can see the issue is solved in trunk ;) Cheers, Reto On Tue, Feb 12, 2013 at 8:06 AM, Reto Bachmann-Gmür r...@wymiwyg.com wrote: Hi Karl Trying to compile the trunk version of framework.security I get: [INFO] --- maven-compiler-plugin:2.3.2:compile (default-compile) @R org.apache.felix.framework.security --- [INFO] Compiling 11 source files to /data-ssd-unencrypted/projects-apache/felix/framework.security/target/classes [INFO] - [ERROR] COMPILATION ERROR : [INFO] - [ERROR] /data-ssd-unencrypted/projects-apache/felix/framework.security/src/main/java/org/apache/felix/framework/security/condpermadmin/ConditionalPermissionAdminImpl.java:[310,19] error: FakeBundle is not abstract and does not override abstract method adapt(Class) in Bundle [ERROR] /data-ssd-unencrypted/projects-apache/felix/framework.security/src/main/java/org/apache/felix/framework/security/condpermadmin/ConditionalPermissionAdminImpl.java:[464,15] error: name clash: Aadapt(ClassA) in FakeBundle and adapt(Class) in Bundle have the same erasure, yet neither overrides the other [INFO] 2 errors Cheers, Reto On Mon, Feb 11, 2013 at 11:19 PM, Karl Pauls karlpa...@gmail.com wrote: You could try to see whether it works with the current framework.security trunk. If not, please open a jira (and if possible attach some example that fails :-) regards, Karl On Mon, Feb 11, 2013 at 10:49 PM, Karl Pauls karlpa...@gmail.com wrote: Looks like a bug to me. Can you please open a jira issue and assign it to me? regards, Karl On Mon, Feb 11, 2013 at 10:01 PM, Reto Bachmann-Gmür r...@apache.org wrote: Hello, After updating clerezza to the latest released versions of felix and felix security I'm getting the following error after a restart: ERROR: Bundle in cache doesn't pass security check anymore. (java.lang.ArrayIndexOutOfBoundsException: -1) java.lang.ArrayIndexOutOfBoundsException: -1 at org.apache.felix.framework.security.verifier.BundleDNParser.getRootChains(BundleDNParser.java:470) at org.apache.felix.framework.security.verifier.BundleDNParser._getDNChains(BundleDNParser.java:246) at org.apache.felix.framework.security.verifier.BundleDNParser.checkDNChains(BundleDNParser.java:145) at org.apache.felix.framework.SecurityProviderImpl.checkBundle(SecurityProviderImpl.java:63) at org.apache.felix.framework.Felix.setBundleProtectionDomain(Felix.java:854) at org.apache.felix.framework.Felix.init(Felix.java:805) at org.apache.felix.framework.Felix.start(Felix.java:882) at org.apache.clerezza.platform.launcher.ClerezzaApp.start(ClerezzaApp.java:184) at org.apache.clerezza.platform.launcher.ClerezzaApp.start(ClerezzaApp.java:167) at org.apache.clerezza.platform.launcher.Main.main(Main.java:34) Any idea what might cause this? Cheers, Reto - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: felix security: Bundle in cache doesn't pass security check anymore.
Looks like a bug to me. Can you please open a jira issue and assign it to me? regards, Karl On Mon, Feb 11, 2013 at 10:01 PM, Reto Bachmann-Gmür r...@apache.orgwrote: Hello, After updating clerezza to the latest released versions of felix and felix security I'm getting the following error after a restart: ERROR: Bundle in cache doesn't pass security check anymore. (java.lang.ArrayIndexOutOfBoundsException: -1) java.lang.ArrayIndexOutOfBoundsException: -1 at org.apache.felix.framework.security.verifier.BundleDNParser.getRootChains(BundleDNParser.java:470) at org.apache.felix.framework.security.verifier.BundleDNParser._getDNChains(BundleDNParser.java:246) at org.apache.felix.framework.security.verifier.BundleDNParser.checkDNChains(BundleDNParser.java:145) at org.apache.felix.framework.SecurityProviderImpl.checkBundle(SecurityProviderImpl.java:63) at org.apache.felix.framework.Felix.setBundleProtectionDomain(Felix.java:854) at org.apache.felix.framework.Felix.init(Felix.java:805) at org.apache.felix.framework.Felix.start(Felix.java:882) at org.apache.clerezza.platform.launcher.ClerezzaApp.start(ClerezzaApp.java:184) at org.apache.clerezza.platform.launcher.ClerezzaApp.start(ClerezzaApp.java:167) at org.apache.clerezza.platform.launcher.Main.main(Main.java:34) Any idea what might cause this? Cheers, Reto - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: felix security: Bundle in cache doesn't pass security check anymore.
You could try to see whether it works with the current framework.security trunk. If not, please open a jira (and if possible attach some example that fails :-) regards, Karl On Mon, Feb 11, 2013 at 10:49 PM, Karl Pauls karlpa...@gmail.com wrote: Looks like a bug to me. Can you please open a jira issue and assign it to me? regards, Karl On Mon, Feb 11, 2013 at 10:01 PM, Reto Bachmann-Gmür r...@apache.orgwrote: Hello, After updating clerezza to the latest released versions of felix and felix security I'm getting the following error after a restart: ERROR: Bundle in cache doesn't pass security check anymore. (java.lang.ArrayIndexOutOfBoundsException: -1) java.lang.ArrayIndexOutOfBoundsException: -1 at org.apache.felix.framework.security.verifier.BundleDNParser.getRootChains(BundleDNParser.java:470) at org.apache.felix.framework.security.verifier.BundleDNParser._getDNChains(BundleDNParser.java:246) at org.apache.felix.framework.security.verifier.BundleDNParser.checkDNChains(BundleDNParser.java:145) at org.apache.felix.framework.SecurityProviderImpl.checkBundle(SecurityProviderImpl.java:63) at org.apache.felix.framework.Felix.setBundleProtectionDomain(Felix.java:854) at org.apache.felix.framework.Felix.init(Felix.java:805) at org.apache.felix.framework.Felix.start(Felix.java:882) at org.apache.clerezza.platform.launcher.ClerezzaApp.start(ClerezzaApp.java:184) at org.apache.clerezza.platform.launcher.ClerezzaApp.start(ClerezzaApp.java:167) at org.apache.clerezza.platform.launcher.Main.main(Main.java:34) Any idea what might cause this? Cheers, Reto - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: Class loading issues for embedded felix within tomcat
object (the *serviceObject*) is coming from BundleWiringImpl$BundleClassLoaderJava5 Yes, of course. The bundle doesn't have access to your outer repository classes and your host doesn't have access to the bundle's repository classes. You will need to try to export the repository packages from your host app via the system bundle. Of course, this will only work if the repository bundle properly imports AND exports the repository packages. Even if it does, it is tricky and might not work if there are any uses constraint issues, but you could try. If that doesn't work, you could look into boot delegating the packages from your class path, but that is a last resort. - richard Any Idea? Regards, Itay Hindy --** --**- To unsubscribe, e-mail: users-unsubscribe@felix.**apac**he.org http://apache.org users-unsubscribe@**felix.apache.org users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Regards, Itay Hindy Software Solutions +972-54-5935042 linkedin: http://www.linkedin.com/in/**itayhindy http://www.linkedin.com/in/itayhindy --**--**- To unsubscribe, e-mail: users-unsubscribe@felix.**apache.org users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Regards, Itay Hindy Software Solutions +972-54-5935042 linkedin: http://www.linkedin.com/in/itayhindy -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: Class loading issues for embedded felix within tomcat
) at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) at java.lang.Thread.run(Thread.java:662) Probably because in URLHandlers try { URL.setURLStreamHandlerFactory(currentFactory); } catch (Exception ex) { // Ignore, this is a best effort (maybe log it or something) } and in URL.setURLStreamHandlerFactory if (factory != null) { throw new Error(factory already defined); } 4 - When changing felix framework to 4.0.2 no errors but when trying later to use bundle.update (not in the attached example war) I get the next error: *Unable to update the bundle. (java.net.MalformedURLException: Unknown protocol: obr. *This is because inside URLHandlers class the m_streamHandlerFactory field is different between the first and second war 5 - Version 4.1.0-SNAPSHOTS gives same error as 4.0.2 6 - Attached also the java sources in the zip. Thanks a lot On Thu, Jan 3, 2013 at 11:00 AM, Karl Pauls karlpa...@gmail.com wrote: Can you make a simple example of this available to me? regards, Karl On Wed, Jan 2, 2013 at 9:21 AM, itay hindy itay.hi...@gmail.com wrote: Sorry, I had some issues and I was not clear enough. Let me summarize: 1 - I manage to run the war with the embedded felix and everything works great. 2 - I had to run the below lines in order that the ProxyServlet will pass requests to my bundle that use a servlet * //need it for the dispatcher to work* *url = this.servletContext.getResource(/WEB-INF/lib/org.apache.felix.http.bridge-2.2.0.jar); * *bundle = context.installBundle(url.toExternalForm());* *bundle.start(); * 3 - As I said everything works great with one war running in tomcat. When I try to use 2 wars side by side I get the below exception: ERROR: Bundle org.apache.felix.http.bridge [2] Error starting jndi:/localhost/itay/qa/WEB-INF/lib/org.apache.felix.http.bridge-2.2.0.jar (org.osgi.framework.BundleException: Activator start error in bundle org.apache.felix.http.bridge [2].) java.lang.LinkageError: loader constraint violation: when resolving overridden method org.apache.felix.http.base.internal.listener.AbstractListenerManager.addingService(Lorg/osgi/framework/ServiceReference;)Ljava/lang/Object; the class lo ader (instance of org/apache/felix/framework/BundleWiringImpl$BundleClassLoaderJava5) of the current class, org/apache/felix/http/base/internal/listener/AbstractListenerManager, and its superclass loader (instance of org/apache/catalina/loa der/WebappClassLoader), have different Class objects for the type org/osgi/framework/ServiceReference used in the signature at org.apache.felix.http.base.internal.HttpServiceController.init(HttpServiceController.java:76) Thanks On Tue, Jan 1, 2013 at 4:23 PM, Richard S. Hall he...@ungoverned.org wrote: On 1/1/13 06:12, itay hindy wrote: Ignore my last mail, I figure it out. It was because of activators order. Another question, I manage now to run the war that used the embedded felix. I try to execute http requests but fail on the the ProxyServlet. The DispatcherTracker has not been initialize so this.tracker.getDispatcher() returns null. How can I activate it? Sorry, I don't know what you are talking about. - richard Thanks in advance On Tue, Jan 1, 2013 at 10:10 AM, itay hindy itay.hi...@gmail.com wrote: Thanks Richard, I followed your advice and make it works. Now I have a new Issue: I try to use *bundle.update() *and I get next exception: *Caused by: java.net.**MalformedURLException: Unknown protocol: obr * When I run felix *not *embedded from tomcat everything works. I looked into it and the problem seems to be that when running embedded felix within tomcat the URLHandlersStreamHandlerProxy class is not used. The next line: *return new URL(context, obr:..., handler)* for embedded felix just tries to create url while for stand alone felix it uses the URLHandlersStreamHandlerProxy. Any Idea how to config it? On Thu, Dec 27, 2012 at 4:08 PM, Richard S. Hall he...@ungoverned.org wrote: On 12/27/12 07:25, itay hindy wrote: Hi All, I have a question about running embedded felix within tomcat. I had follow the instructions at http://felix.apache.org/site/apache-felix-framework-** http://felix.apache.org/site/**apache-felix-framework-** launching-and-embedding.htmlh**ttp://felix.apache.org/site/** apache-felix-framework-**launching-and-embedding.html http://felix.apache.org/site/apache-felix-framework-launching-and-embedding.html I manage to run felix within tomcat, however I have a problem with class loaders. Here is the scenario: 1 - My host application
Re: Class loading issues for embedded felix within tomcat
Hm, on second thought - how do you call update on the bundle? regards, Karl On Thu, Jan 3, 2013 at 3:54 PM, Karl Pauls karlpa...@gmail.com wrote: Yes, it should be possible to run more than one war with felix inside side by side without disabling url handlers. 4.0.3 had a bug in this area which should be fixed in trunk. I'll have a look why it doesn't find the obr urlhandler in the second instance. regards, Karl On Thu, Jan 3, 2013 at 2:50 PM, itay hindy itay.hi...@gmail.com wrote: Hi Karl, Attached you can found a sample war that demonstrate the problem. Putting this war (test1.war) to tomcat webapps works. Adding it again (with different name of course, test2 for example. *btw the only different between the wars must be the felix.cache.rootdir property that need to be change inside WEB-INF/framework.properties*) cause the problem. Some notes/questions: *1 - Most important: Is it possible to run multiple wars each with embedded Felix within? also each will have felix.service.urlhandlers=true? * 2 - there is not much in the war, just the next relevant lines: public void start(BundleContext context) throws Exception{ URL url = this.servletContext.getResource(/WEB-INF/lib/org.apache.felix.bundlerepository-1.6.6.jar); Bundle bundle = context.installBundle(url.toExternalForm()); bundle.start(); } 3 - The version of felix framework is 4.0.3 (last stable). When you put the war in tomcat webapps every thing works. Adding another copy of the war to tomcat webapps gives the next error: ERROR: Unable to start system bundle. (java.lang.Error: factory already defined) java.lang.Error: factory already defined at java.net.URL.setURLStreamHandlerFactory(URL.java:1077) at org.apache.felix.framework.URLHandlers.init(URLHandlers.java:178) at org.apache.felix.framework.URLHandlers.registerFrameworkInstance(URLHandlers.java:559) at org.apache.felix.framework.URLHandlersActivator.start(URLHandlersActivator.java:71) at org.apache.felix.framework.util.SecureAction.startActivator(SecureAction.java:645) at org.apache.felix.framework.Felix$SystemBundleActivator.start(Felix.java:4475) at org.apache.felix.framework.util.SecureAction.startActivator(SecureAction.java:645) at org.apache.felix.framework.Felix.init(Felix.java:767) at org.apache.felix.framework.Felix.start(Felix.java:816) at com.wl.tomcat.http.bridge.FrameworkService.start(FrameworkService.java:25) at com.wl.tomcat.http.bridge.StartupListener.contextInitialized(StartupListener.java:14) at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4791) at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5285) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877) at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:618) at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:963) at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1600) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441) at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303) at java.util.concurrent.FutureTask.run(FutureTask.java:138) at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) at java.lang.Thread.run(Thread.java:662) java.lang.RuntimeException: Unable to start system bundle. at org.apache.felix.framework.Felix.init(Felix.java:774) at org.apache.felix.framework.Felix.start(Felix.java:816) at com.wl.tomcat.http.bridge.FrameworkService.start(FrameworkService.java:25) at com.wl.tomcat.http.bridge.StartupListener.contextInitialized(StartupListener.java:14) at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4791) at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5285) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877) at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:618) at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:963) at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1600) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441
Re: Configuration for multiple tomcat wars each with embedded felix
did you try with the latest felix trunk? That should at least fix your urlhandlers issue... regards, Karl On Wed, Jan 2, 2013 at 4:41 PM, itay hindy itay.hi...@gmail.com wrote: Hi, I have tomcat war with embedded felix and it works great. I took it from the instructions at http://felix.apache.org/site/apache-felix-framework-launching-and-embedding.html I am trying to run now multiple wars each with felix embedded. I am having some problems: 1 - I configure *felix.cache.rootdir* for each war to be different. Is it correct? 2 - what should be the *felix.service.urlhandlers* property? When I put it *true *the first war works great and the second one fails with *Unknown protocol: obr*. This is because inside *URLHandlers *class the *m_streamHandlerFactory *field is different between the first and second war. So should * felix.service.urlhandlers* be *false*? in that case what should be the j* ava.protocol.handler.pkgs*? 3 - The next lines: *url = this.servletContext.getResource(/WEB-INF/lib/org.apache.felix.http.bridge-2.2.0.jar); * * bundle = context.installBundle(url.toExternalForm());* * bundle.start(); * works for the first war but for the second I get: ERROR: Bundle org.apache.felix.http.bridge [2] Error starting jndi:/localhost/itay/qa/WEB-INF/lib/org.apache.felix.http.bridge-2.2.0.jar (org.osgi.framework.BundleException: Activator start error in bundle org.apache.felix.http.bridge [2].) java.lang.LinkageError: loader constraint violation: when resolving overridden method org.apache.felix.http.base.internal.listener.AbstractListenerManager.addingService(Lorg/osgi/framework/ServiceReference;)Ljava/lang/Object; the class lo ader (instance of org/apache/felix/framework/BundleWiringImpl$BundleClassLoaderJava5) of the current class, org/apache/felix/http/base/internal/listener/AbstractListenerManager, and its superclass loader (instance of org/apache/catalina/loa der/WebappClassLoader), have different Class objects for the type org/osgi/framework/ServiceReference used in the signature at org.apache.felix.http.base.internal.HttpServiceController.init(HttpServiceController.java:76) Does anyone have an example for multiple wars each with felix embedded? Thanks in advance. -- Regards, Itay Hindy Software Solutions +972-54-5935042 linkedin: http://www.linkedin.com/in/itayhindy -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: Configuration for multiple tomcat wars each with embedded felix
You should. Try to use the current trunk (aka, 4.1.0-SNAPSHOT) and see if that makes it work. regards, Karl On Wed, Jan 2, 2013 at 5:03 PM, itay hindy itay.hi...@gmail.com wrote: Thanks Karl, I upgraded from 4.0.2 to 4.0.3 Now I have an exception for the second war: *java.lang.Error: factory already defined *and the bundle *does not start*. Probably because in URLHandlers *try* * {* * URL.setURLStreamHandlerFactory(currentFactory);* * }* * catch (Exception ex)* * {* * // Ignore, this is a best effort (maybe log it or something)* * }* and in *URL.setURLStreamHandlerFactory* if (factory != null) { throw new Error(factory already defined); } So I can not have 2 wars both with *felix.service.urlhandlers*=true? On Wed, Jan 2, 2013 at 5:48 PM, Karl Pauls karlpa...@gmail.com wrote: did you try with the latest felix trunk? That should at least fix your urlhandlers issue... regards, Karl On Wed, Jan 2, 2013 at 4:41 PM, itay hindy itay.hi...@gmail.com wrote: Hi, I have tomcat war with embedded felix and it works great. I took it from the instructions at http://felix.apache.org/site/apache-felix-framework-launching-and-embedding.html I am trying to run now multiple wars each with felix embedded. I am having some problems: 1 - I configure *felix.cache.rootdir* for each war to be different. Is it correct? 2 - what should be the *felix.service.urlhandlers* property? When I put it *true *the first war works great and the second one fails with *Unknown protocol: obr*. This is because inside *URLHandlers *class the *m_streamHandlerFactory *field is different between the first and second war. So should * felix.service.urlhandlers* be *false*? in that case what should be the j* ava.protocol.handler.pkgs*? 3 - The next lines: *url = this.servletContext.getResource(/WEB-INF/lib/org.apache.felix.http.bridge-2.2.0.jar); * * bundle = context.installBundle(url.toExternalForm());* * bundle.start(); * works for the first war but for the second I get: ERROR: Bundle org.apache.felix.http.bridge [2] Error starting jndi:/localhost/itay/qa/WEB-INF/lib/org.apache.felix.http.bridge-2.2.0.jar (org.osgi.framework.BundleException: Activator start error in bundle org.apache.felix.http.bridge [2].) java.lang.LinkageError: loader constraint violation: when resolving overridden method org.apache.felix.http.base.internal.listener.AbstractListenerManager.addingService(Lorg/osgi/framework/ServiceReference;)Ljava/lang/Object; the class lo ader (instance of org/apache/felix/framework/BundleWiringImpl$BundleClassLoaderJava5) of the current class, org/apache/felix/http/base/internal/listener/AbstractListenerManager, and its superclass loader (instance of org/apache/catalina/loa der/WebappClassLoader), have different Class objects for the type org/osgi/framework/ServiceReference used in the signature at org.apache.felix.http.base.internal.HttpServiceController.init(HttpServiceController.java:76) Does anyone have an example for multiple wars each with felix embedded? Thanks in advance. -- Regards, Itay Hindy Software Solutions +972-54-5935042 linkedin: http://www.linkedin.com/in/itayhindy -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls -- Regards, Itay Hindy Software Solutions +972-54-5935042 linkedin: http://www.linkedin.com/in/itayhindy -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: Android, boot delegation, and preverification
On Mon, Nov 26, 2012 at 6:32 PM, Keith Hughes keith.mhug...@gmail.comwrote: OK, it finally all works. What I ended up having to do is take my core bundles and just make them part of the executable rather than dynamically loaded through OSGi. Once I did this I was able to get everything running, even the dynamic part which uses OSGi. There are a lot of Android log messages warning about some pieces of code being skipped, I suspect that is the version of commons logging that I include (as well as Commons HTTP Client). The only other problem I ran into was a MalformedUrlException because http wasn't being recognized as a registered protocol. Turned out I needed to set the following property for the OSGi container: felix.service.urlhandlers = false. Did you try with the latest felix trunk? I think i have that fixed, i.e., you should not have to set it to false anymore with the current trunk In case others are interested, I ported the Interactive Spaces controller to Android. https://code.google.com/p/interactive-spaces/ I can now start up the Android controller, have it connect to the master, and deploy activities to the Android device through the IS master. This means I can use Android devices in the interactive physical space. Great. If you have the time it would be great if you write something up and contribute it so that we can put it on the felix documentation page :-) regards, Karl On Mon, Nov 19, 2012 at 3:23 PM, Karl Pauls karlpa...@gmail.com wrote: you can update bundles :-) regards, Karl On Mon, Nov 19, 2012 at 6:19 PM, Keith Hughes keith.mhug...@gmail.com wrote: One final question, Karl, and I will leave you be... for now. :-) So I do have Felix working on Android and see things starting to work with bundles being resolved and activated, which is good, so I know I can get a static container running (once I modify my jars for commons logging). Is it possible to refresh a bundle under Felix on Android so that a new version of the bundle comes in from the outside and gets itself properly setup? Or, because of the way that Dalvik works, can you only run a static OSGi container with a set of start bundles and maybe a deploy of a new bundle, but no updating an old bundle? On Mon, Nov 19, 2012 at 8:31 AM, Keith Hughes keith.mhug...@gmail.com wrote: I was thinking about that as a possibility, but am trying to avoid that as it will make my build process even worse. I am going to contact members of the Android team to see if they can suggest anything. I will respond with what they say. On Mon, Nov 19, 2012 at 3:15 AM, Karl Pauls karlpa...@gmail.com wrote: I guess you have to patch the commons-logging jar and remove the classes already provided by android, no? regards, Karl On Mon, Nov 19, 2012 at 3:05 AM, Keith Hughes keith.mhug...@gmail.com wrote: Karl, I thought I had this sorted, but apparently not. Part of the problem is that Android only supplies the Commons Logging Log interface and nothing else. If I want/need any of the other classes from the same package I am kinda doomed. I tried moving commons logging into the libs folder, but dx complains that it has the same class twice, once from my jar and I guess once from the Android runtime. Argh. Classloader problems are bad enough, but to have this as well. On Thu, Nov 1, 2012 at 2:31 AM, Karl Pauls karlpa...@gmail.com wrote: Part of your problem is that android/davlik is not Java. It doesn't follow normal Java classloading rules. Where that bites us from an OSGi pov is that you can't just substitute providers. In your case, you might be able to get things to work by removing the imports of bundles to commons logging but typically the only way to make things work is to make sure you only have one provider of a given package -- hence, I'd remove commons logging from all bundles and put it in the apk itself and have it bootdelegated. regards, Karl On Wed, Oct 31, 2012 at 11:05 PM, Keith Hughes keith.mhug...@gmail.com wrote: Hi folks, I have an Android application based on Apache Felix. Everything works fine when I run things on Linux, but as soon as I try moving to Android I run into a problem. My app uses Apache Commons Logging in all of its bundles. I have included a bundle for Apache Commons Logging as a bundle as well. When the container starts up I get the following stack trace which seems to point out that it is accessing the org/apache/commons/logging/Log in the Android system libraries
Re: Android, boot delegation, and preverification
On Mon, Nov 26, 2012 at 8:38 PM, Keith Hughes keith.mhug...@gmail.comwrote: Did you try with the latest felix trunk? I think i have that fixed, i.e., you should not have to set it to false anymore with the current trunk I have some problems running in the latest version of Felix due to some things finally being done correctly w/respect to javax classes, in particular javax.transaction. Once I sort that out I will update to the latest version of Felix. Ok, let me know if it is working for you (it should). There are a couple of fixes in trunk in regard to android so it probably makes sense for you to update :-) Great. If you have the time it would be great if you write something up and contribute it so that we can put it on the felix documentation page :-) Sure. Which page, so I can get a good idea of what to write by looking at examples? Well, there is a really old one around: http://felix.apache.org/site/apache-felix-framework-and-google-android.html but really, anything you can get together to help people that want to run on android would be really welcome :-) regards, Karl -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: Android, boot delegation, and preverification
puh, no idea from the top of my head. I might have a backup somewhere but i doubt i'll find it quickly (somewhat low on time atm). A quick google did find this: http://code.google.com/p/qlibrary/source/browse/osgi/?r=202#osgi%2Ffelix%2Fluminis looks like what we had minus the shapes themselves (but they shouldn't matter much). Notice, I don't know who that is nor why or what he put there. Maybe try that and ping me back if it doesn't work :-) regards, Karl On Tue, Nov 20, 2012 at 9:48 PM, Keith Hughes keith.mhug...@gmail.comwrote: Karl, I found a slide deck of yours talking about having the shapes OSGi example running as bundles under OSGi on Android. It mentioned http://opensource.luminis.net/ to get the source for the example, but the page seems to just have the host name. Where would I find that code? Thanks, -Keith On Mon, Nov 19, 2012 at 3:23 PM, Karl Pauls karlpa...@gmail.com wrote: you can update bundles :-) regards, Karl On Mon, Nov 19, 2012 at 6:19 PM, Keith Hughes keith.mhug...@gmail.com wrote: One final question, Karl, and I will leave you be... for now. :-) So I do have Felix working on Android and see things starting to work with bundles being resolved and activated, which is good, so I know I can get a static container running (once I modify my jars for commons logging). Is it possible to refresh a bundle under Felix on Android so that a new version of the bundle comes in from the outside and gets itself properly setup? Or, because of the way that Dalvik works, can you only run a static OSGi container with a set of start bundles and maybe a deploy of a new bundle, but no updating an old bundle? On Mon, Nov 19, 2012 at 8:31 AM, Keith Hughes keith.mhug...@gmail.com wrote: I was thinking about that as a possibility, but am trying to avoid that as it will make my build process even worse. I am going to contact members of the Android team to see if they can suggest anything. I will respond with what they say. On Mon, Nov 19, 2012 at 3:15 AM, Karl Pauls karlpa...@gmail.com wrote: I guess you have to patch the commons-logging jar and remove the classes already provided by android, no? regards, Karl On Mon, Nov 19, 2012 at 3:05 AM, Keith Hughes keith.mhug...@gmail.com wrote: Karl, I thought I had this sorted, but apparently not. Part of the problem is that Android only supplies the Commons Logging Log interface and nothing else. If I want/need any of the other classes from the same package I am kinda doomed. I tried moving commons logging into the libs folder, but dx complains that it has the same class twice, once from my jar and I guess once from the Android runtime. Argh. Classloader problems are bad enough, but to have this as well. On Thu, Nov 1, 2012 at 2:31 AM, Karl Pauls karlpa...@gmail.com wrote: Part of your problem is that android/davlik is not Java. It doesn't follow normal Java classloading rules. Where that bites us from an OSGi pov is that you can't just substitute providers. In your case, you might be able to get things to work by removing the imports of bundles to commons logging but typically the only way to make things work is to make sure you only have one provider of a given package -- hence, I'd remove commons logging from all bundles and put it in the apk itself and have it bootdelegated. regards, Karl On Wed, Oct 31, 2012 at 11:05 PM, Keith Hughes keith.mhug...@gmail.com wrote: Hi folks, I have an Android application based on Apache Felix. Everything works fine when I run things on Linux, but as soon as I try moving to Android I run into a problem. My app uses Apache Commons Logging in all of its bundles. I have included a bundle for Apache Commons Logging as a bundle as well. When the container starts up I get the following stack trace which seems to point out that it is accessing the org/apache/commons/logging/Log in the Android system libraries. https://mail.google.com/mail/?view=cmfs=1tf=1source=mailtoto=users-subscr...@felix.apache.org 10-31 15:43:53.251: W/dalvikvm(5034): Class resolved by unexpected DEX: Linterac tivespaces/configuration/FileSystemConfigurationStorageManager;(0x41747380):0x64 d0b000 ref [Lorg/apache/commons/logging/Log;] Lorg/apache/commons/logging/Log;(0x417498d8):0x64d34000 10-31 15:43:53.251: W/dalvikvm(5034): (Linteractivespaces/configuration/FileSystemConfigurationStorageManager
Re: Android, boot delegation, and preverification
I guess you have to patch the commons-logging jar and remove the classes already provided by android, no? regards, Karl On Mon, Nov 19, 2012 at 3:05 AM, Keith Hughes keith.mhug...@gmail.comwrote: Karl, I thought I had this sorted, but apparently not. Part of the problem is that Android only supplies the Commons Logging Log interface and nothing else. If I want/need any of the other classes from the same package I am kinda doomed. I tried moving commons logging into the libs folder, but dx complains that it has the same class twice, once from my jar and I guess once from the Android runtime. Argh. Classloader problems are bad enough, but to have this as well. On Thu, Nov 1, 2012 at 2:31 AM, Karl Pauls karlpa...@gmail.com wrote: Part of your problem is that android/davlik is not Java. It doesn't follow normal Java classloading rules. Where that bites us from an OSGi pov is that you can't just substitute providers. In your case, you might be able to get things to work by removing the imports of bundles to commons logging but typically the only way to make things work is to make sure you only have one provider of a given package -- hence, I'd remove commons logging from all bundles and put it in the apk itself and have it bootdelegated. regards, Karl On Wed, Oct 31, 2012 at 11:05 PM, Keith Hughes keith.mhug...@gmail.com wrote: Hi folks, I have an Android application based on Apache Felix. Everything works fine when I run things on Linux, but as soon as I try moving to Android I run into a problem. My app uses Apache Commons Logging in all of its bundles. I have included a bundle for Apache Commons Logging as a bundle as well. When the container starts up I get the following stack trace which seems to point out that it is accessing the org/apache/commons/logging/Log in the Android system libraries. https://mail.google.com/mail/?view=cmfs=1tf=1source=mailtoto=users-subscr...@felix.apache.org 10-31 15:43:53.251: W/dalvikvm(5034): Class resolved by unexpected DEX: Linterac tivespaces/configuration/FileSystemConfigurationStorageManager;(0x41747380):0x64 d0b000 ref [Lorg/apache/commons/logging/Log;] Lorg/apache/commons/logging/Log;(0x417498d8):0x64d34000 10-31 15:43:53.251: W/dalvikvm(5034): (Linteractivespaces/configuration/FileSystemConfigurationStorageManager; had used a different Lorg/apache/commons/logging/Log; during pre-verification) 10-31 15:43:53.251: W/System.err(5034): Exception bootstrap/interactivespaces-system-1.2.0.jar 10-31 15:43:53.251: W/System.err(5034): org.osgi.framework.BundleException: Activator start error in bundle interactivespaces.system [24]. 10-31 15:43:53.251: W/System.err(5034): at org.apache.felix.framework.Felix.activateBundle(Felix.java:2027) 10-31 15:43:53.251: W/System.err(5034): at org.apache.felix.framework.Felix.startBundle(Felix.java:1895) 10-31 15:43:53.251: W/System.err(5034): at org.apache.felix.framework.BundleImpl.start(BundleImpl.java:944) 10-31 15:43:53.251: W/System.err(5034): at org.apache.felix.framework.BundleImpl.start(BundleImpl.java:931) 10-31 15:43:53.251: W/System.err(5034): at interactivespaces.android.service.InteractiveSpacesFrameworkAndroidBootstrap.startBundle(InteractiveSpacesFrameworkAndroidBootstrap.java:188) 10-31 15:43:53.251: W/System.err(5034): at interactivespaces.android.service.InteractiveSpacesFrameworkAndroidBootstrap.startBundles(InteractiveSpacesFrameworkAndroidBootstrap.java:173) 10-31 15:43:53.251: W/System.err(5034): at interactivespaces.android.service.InteractiveSpacesFrameworkAndroidBootstrap.boot(InteractiveSpacesFrameworkAndroidBootstrap.java:124) 10-31 15:43:53.261: W/System.err(5034): at interactivespaces.android.service.InteractiveSpacesService.onStartCommand(InteractiveSpacesService.java:67) 10-31 15:43:53.261: W/System.err(5034): at android.app.ActivityThread.handleServiceArgs(ActivityThread.java:2490) 10-31 15:43:53.261: W/System.err(5034): at android.app.ActivityThread.access$1900(ActivityThread.java:130) 10-31 15:43:53.261: W/System.err(5034): at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1292) 10-31 15:43:53.261: W/System.err(5034): at android.os.Handler.dispatchMessage(Handler.java:99) 10-31 15:43:53.261: W/System.err(5034): at android.os.Looper.loop(Looper.java:137) 10-31 15:43:53.261: W/System.err(5034): at android.app.ActivityThread.main(ActivityThread.java:4745) 10-31 15:43:53.261: W/System.err(5034): at java.lang.reflect.Method.invokeNative(Native Method) 10-31 15:43:53.261: W/System.err(5034): at java.lang.reflect.Method.invoke(Method.java:511) 10-31 15:43:53.261: W/System.err(5034
Re: Android, boot delegation, and preverification
you can update bundles :-) regards, Karl On Mon, Nov 19, 2012 at 6:19 PM, Keith Hughes keith.mhug...@gmail.comwrote: One final question, Karl, and I will leave you be... for now. :-) So I do have Felix working on Android and see things starting to work with bundles being resolved and activated, which is good, so I know I can get a static container running (once I modify my jars for commons logging). Is it possible to refresh a bundle under Felix on Android so that a new version of the bundle comes in from the outside and gets itself properly setup? Or, because of the way that Dalvik works, can you only run a static OSGi container with a set of start bundles and maybe a deploy of a new bundle, but no updating an old bundle? On Mon, Nov 19, 2012 at 8:31 AM, Keith Hughes keith.mhug...@gmail.com wrote: I was thinking about that as a possibility, but am trying to avoid that as it will make my build process even worse. I am going to contact members of the Android team to see if they can suggest anything. I will respond with what they say. On Mon, Nov 19, 2012 at 3:15 AM, Karl Pauls karlpa...@gmail.com wrote: I guess you have to patch the commons-logging jar and remove the classes already provided by android, no? regards, Karl On Mon, Nov 19, 2012 at 3:05 AM, Keith Hughes keith.mhug...@gmail.com wrote: Karl, I thought I had this sorted, but apparently not. Part of the problem is that Android only supplies the Commons Logging Log interface and nothing else. If I want/need any of the other classes from the same package I am kinda doomed. I tried moving commons logging into the libs folder, but dx complains that it has the same class twice, once from my jar and I guess once from the Android runtime. Argh. Classloader problems are bad enough, but to have this as well. On Thu, Nov 1, 2012 at 2:31 AM, Karl Pauls karlpa...@gmail.com wrote: Part of your problem is that android/davlik is not Java. It doesn't follow normal Java classloading rules. Where that bites us from an OSGi pov is that you can't just substitute providers. In your case, you might be able to get things to work by removing the imports of bundles to commons logging but typically the only way to make things work is to make sure you only have one provider of a given package -- hence, I'd remove commons logging from all bundles and put it in the apk itself and have it bootdelegated. regards, Karl On Wed, Oct 31, 2012 at 11:05 PM, Keith Hughes keith.mhug...@gmail.com wrote: Hi folks, I have an Android application based on Apache Felix. Everything works fine when I run things on Linux, but as soon as I try moving to Android I run into a problem. My app uses Apache Commons Logging in all of its bundles. I have included a bundle for Apache Commons Logging as a bundle as well. When the container starts up I get the following stack trace which seems to point out that it is accessing the org/apache/commons/logging/Log in the Android system libraries. https://mail.google.com/mail/?view=cmfs=1tf=1source=mailtoto=users-subscr...@felix.apache.org 10-31 15:43:53.251: W/dalvikvm(5034): Class resolved by unexpected DEX: Linterac tivespaces/configuration/FileSystemConfigurationStorageManager;(0x41747380):0x64 d0b000 ref [Lorg/apache/commons/logging/Log;] Lorg/apache/commons/logging/Log;(0x417498d8):0x64d34000 10-31 15:43:53.251: W/dalvikvm(5034): (Linteractivespaces/configuration/FileSystemConfigurationStorageManager; had used a different Lorg/apache/commons/logging/Log; during pre-verification) 10-31 15:43:53.251: W/System.err(5034): Exception bootstrap/interactivespaces-system-1.2.0.jar 10-31 15:43:53.251: W/System.err(5034): org.osgi.framework.BundleException: Activator start error in bundle interactivespaces.system [24]. 10-31 15:43:53.251: W/System.err(5034): at org.apache.felix.framework.Felix.activateBundle(Felix.java:2027) 10-31 15:43:53.251: W/System.err(5034): at org.apache.felix.framework.Felix.startBundle(Felix.java:1895) 10-31 15:43:53.251: W/System.err(5034): at org.apache.felix.framework.BundleImpl.start(BundleImpl.java:944) 10-31 15:43:53.251: W/System.err(5034): at org.apache.felix.framework.BundleImpl.start(BundleImpl.java:931) 10-31 15:43:53.251: W/System.err(5034): at interactivespaces.android.service.InteractiveSpacesFrameworkAndroidBootstrap.startBundle(InteractiveSpacesFrameworkAndroidBootstrap.java:188) 10-31 15:43:53.251: W/System.err(5034): at interactivespaces.android.service.InteractiveSpacesFrameworkAndroidBootstrap.startBundles
Re: how can i give a ConfigurationPermission to a bundle to configure another bundle
If you want to use OSGi security you have to install the framework.security bundle and start the framework with a security manager set and a security policy that gives the framework allpermission. regards, Karl On Mon, Nov 12, 2012 at 1:40 AM, Lissuan Fadraga Artiles lfadr...@uci.cuwrote: Hi: But how I can enable the Java Security Manager for OSGi bundle's ?, I'm using Netbeans 7.1.2 and Maven 3.0.3 Thanks Lissuan.. -Original Message- From: Felix Meschberger [mailto:fmesc...@adobe.com] Sent: Wednesday, November 07, 2012 11:55 PM To: users@felix.apache.org Subject: Re: how can i give a ConfigurationPermission to a bundle to configure another bundle Hi, Am 08.11.2012 um 00:30 schrieb Lissuan Fadraga Artiles: Hi: I Have a A bundle that configure a service from another bundle B, but this rises an error like this : *ERROR* Cannot use configuration test.manejador.receptorConfig or [org.osgi.service.cm.ManagedService, id=7, bundle=3] Configuration bound to bundle file: .. I assume you are ussing the single argument method to get the configuration. Administrative bundles should actually use the two argument variant and use null for the location, e.g. config = configAdmin.getConfiguration(test.manejador.receptorConfig, null); I know that bundle A must have ConfigurationPermission to configure anothers bundles, I tried to do for the way of PermissionAdmin setPermission method but the error rises again. Somebody has any idea about how I setup security for configuring bundles, or something's that I am missing ? Unless you enabled the Java Security Manager, Permissions do not come into play here. Regards Felix Thanks Lissuan Fadraga 10mo. ANIVERSARIO DE LA CREACION DE LA UNIVERSIDAD DE LAS CIENCIAS INFORMATICAS... CONECTADOS AL FUTURO, CONECTADOS A LA REVOLUCION http://www.uci.cu http://www.facebook.com/universidad.uci http://www.flickr.com/photos/universidad_uci - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org 10mo. ANIVERSARIO DE LA CREACION DE LA UNIVERSIDAD DE LAS CIENCIAS INFORMATICAS... CONECTADOS AL FUTURO, CONECTADOS A LA REVOLUCION http://www.uci.cu http://www.facebook.com/universidad.uci http://www.flickr.com/photos/universidad_uci 10mo. ANIVERSARIO DE LA CREACION DE LA UNIVERSIDAD DE LAS CIENCIAS INFORMATICAS... CONECTADOS AL FUTURO, CONECTADOS A LA REVOLUCION http://www.uci.cu http://www.facebook.com/universidad.uci http://www.flickr.com/photos/universidad_uci - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: how can i give a ConfigurationPermission to a bundle to configure another bundle
try it without netbeans first maybe? :-) regards, Karl On Mon, Nov 12, 2012 at 2:02 AM, Lissuan Fadraga Artiles lfadr...@uci.cuwrote: I have a Netbeans OSGi bundle, and I aggregate the framework.security bundle as a project's dependency but I don't know how tells Netbeans that start the framework whit a security manager, and less where to put the security police whit the allpermission. Regards, Lissuan. -Original Message- From: Karl Pauls [mailto:karlpa...@gmail.com] Sent: Sunday, November 11, 2012 1:49 PM To: users@felix.apache.org Subject: Re: how can i give a ConfigurationPermission to a bundle to configure another bundle If you want to use OSGi security you have to install the framework.security bundle and start the framework with a security manager set and a security policy that gives the framework allpermission. regards, Karl On Mon, Nov 12, 2012 at 1:40 AM, Lissuan Fadraga Artiles lfadr...@uci.cuwrote: Hi: But how I can enable the Java Security Manager for OSGi bundle's ?, I'm using Netbeans 7.1.2 and Maven 3.0.3 Thanks Lissuan.. -Original Message- From: Felix Meschberger [mailto:fmesc...@adobe.com] Sent: Wednesday, November 07, 2012 11:55 PM To: users@felix.apache.org Subject: Re: how can i give a ConfigurationPermission to a bundle to configure another bundle Hi, Am 08.11.2012 um 00:30 schrieb Lissuan Fadraga Artiles: Hi: I Have a A bundle that configure a service from another bundle B, but this rises an error like this : *ERROR* Cannot use configuration test.manejador.receptorConfig or [org.osgi.service.cm.ManagedService, id=7, bundle=3] Configuration bound to bundle file: .. I assume you are ussing the single argument method to get the configuration. Administrative bundles should actually use the two argument variant and use null for the location, e.g. config = configAdmin.getConfiguration(test.manejador.receptorConfig, null); I know that bundle A must have ConfigurationPermission to configure anothers bundles, I tried to do for the way of PermissionAdmin setPermission method but the error rises again. Somebody has any idea about how I setup security for configuring bundles, or something's that I am missing ? Unless you enabled the Java Security Manager, Permissions do not come into play here. Regards Felix Thanks Lissuan Fadraga 10mo. ANIVERSARIO DE LA CREACION DE LA UNIVERSIDAD DE LAS CIENCIAS INFORMATICAS... CONECTADOS AL FUTURO, CONECTADOS A LA REVOLUCION http://www.uci.cu http://www.facebook.com/universidad.uci http://www.flickr.com/photos/universidad_uci - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org 10mo. ANIVERSARIO DE LA CREACION DE LA UNIVERSIDAD DE LAS CIENCIAS INFORMATICAS... CONECTADOS AL FUTURO, CONECTADOS A LA REVOLUCION http://www.uci.cu http://www.facebook.com/universidad.uci http://www.flickr.com/photos/universidad_uci 10mo. ANIVERSARIO DE LA CREACION DE LA UNIVERSIDAD DE LAS CIENCIAS INFORMATICAS... CONECTADOS AL FUTURO, CONECTADOS A LA REVOLUCION http://www.uci.cu http://www.facebook.com/universidad.uci http://www.flickr.com/photos/universidad_uci - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls 10mo. ANIVERSARIO DE LA CREACION DE LA UNIVERSIDAD DE LAS CIENCIAS INFORMATICAS... CONECTADOS AL FUTURO, CONECTADOS A LA REVOLUCION http://www.uci.cu http://www.facebook.com/universidad.uci http://www.flickr.com/photos/universidad_uci 10mo. ANIVERSARIO DE LA CREACION DE LA UNIVERSIDAD DE LAS CIENCIAS INFORMATICAS... CONECTADOS AL FUTURO, CONECTADOS A LA REVOLUCION http://www.uci.cu http://www.facebook.com/universidad.uci http://www.flickr.com/photos/universidad_uci - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: how can i give a ConfigurationPermission to a bundle to configure another bundle
You have to also say: -Djava.security.policy=bin/all.police I would guess. regards, Karl On Mon, Nov 12, 2012 at 2:16 AM, Lissuan Fadraga Artiles lfadr...@uci.cuwrote: I put that : java -Dorg.osgi.framework.security=osgi -jar bin\felix.jar , and in the bin folder contains a all.police file whit this code : grant { permission java.security.AllPermission; }; this rises this error : Error creating bundle cache: java.security.AccesControlException:acces deniedJava.io.FilePermission .\felix-cache read What about this?.. Regards, Lissuan -Original Message- From: Karl Pauls [mailto:karlpa...@gmail.com] Sent: Sunday, November 11, 2012 2:05 PM To: users@felix.apache.org Subject: Re: how can i give a ConfigurationPermission to a bundle to configure another bundle try it without netbeans first maybe? :-) regards, Karl On Mon, Nov 12, 2012 at 2:02 AM, Lissuan Fadraga Artiles lfadr...@uci.cuwrote: I have a Netbeans OSGi bundle, and I aggregate the framework.security bundle as a project's dependency but I don't know how tells Netbeans that start the framework whit a security manager, and less where to put the security police whit the allpermission. Regards, Lissuan. -Original Message- From: Karl Pauls [mailto:karlpa...@gmail.com] Sent: Sunday, November 11, 2012 1:49 PM To: users@felix.apache.org Subject: Re: how can i give a ConfigurationPermission to a bundle to configure another bundle If you want to use OSGi security you have to install the framework.security bundle and start the framework with a security manager set and a security policy that gives the framework allpermission. regards, Karl On Mon, Nov 12, 2012 at 1:40 AM, Lissuan Fadraga Artiles lfadr...@uci.cuwrote: Hi: But how I can enable the Java Security Manager for OSGi bundle's ?, I'm using Netbeans 7.1.2 and Maven 3.0.3 Thanks Lissuan.. -Original Message- From: Felix Meschberger [mailto:fmesc...@adobe.com] Sent: Wednesday, November 07, 2012 11:55 PM To: users@felix.apache.org Subject: Re: how can i give a ConfigurationPermission to a bundle to configure another bundle Hi, Am 08.11.2012 um 00:30 schrieb Lissuan Fadraga Artiles: Hi: I Have a A bundle that configure a service from another bundle B, but this rises an error like this : *ERROR* Cannot use configuration test.manejador.receptorConfig or [org.osgi.service.cm.ManagedService, id=7, bundle=3] Configuration bound to bundle file: .. I assume you are ussing the single argument method to get the configuration. Administrative bundles should actually use the two argument variant and use null for the location, e.g. config = configAdmin.getConfiguration(test.manejador.receptorConfig, null); I know that bundle A must have ConfigurationPermission to configure anothers bundles, I tried to do for the way of PermissionAdmin setPermission method but the error rises again. Somebody has any idea about how I setup security for configuring bundles, or something's that I am missing ? Unless you enabled the Java Security Manager, Permissions do not come into play here. Regards Felix Thanks Lissuan Fadraga 10mo. ANIVERSARIO DE LA CREACION DE LA UNIVERSIDAD DE LAS CIENCIAS INFORMATICAS... CONECTADOS AL FUTURO, CONECTADOS A LA REVOLUCION http://www.uci.cu http://www.facebook.com/universidad.uci http://www.flickr.com/photos/universidad_uci -- -- - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org 10mo. ANIVERSARIO DE LA CREACION DE LA UNIVERSIDAD DE LAS CIENCIAS INFORMATICAS... CONECTADOS AL FUTURO, CONECTADOS A LA REVOLUCION http://www.uci.cu http://www.facebook.com/universidad.uci http://www.flickr.com/photos/universidad_uci 10mo. ANIVERSARIO DE LA CREACION DE LA UNIVERSIDAD DE LAS CIENCIAS INFORMATICAS... CONECTADOS AL FUTURO, CONECTADOS A LA REVOLUCION http://www.uci.cu http://www.facebook.com/universidad.uci http://www.flickr.com/photos/universidad_uci - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls 10mo. ANIVERSARIO DE LA CREACION DE LA
Re: how can i give a ConfigurationPermission to a bundle to configure another bundle
I don't know. However, I did find this: http://wiki.netbeans.org/MavenBestPractices#Debugging.2C_running_applications regards, Karl On Mon, Nov 12, 2012 at 2:37 AM, Lissuan Fadraga Artiles lfadr...@uci.cuwrote: Good is work ,but how I do for integrate this whit the Netbeans? Regards Lissuan.. -Original Message- From: Karl Pauls [mailto:karlpa...@gmail.com] Sent: Sunday, November 11, 2012 2:21 PM To: users@felix.apache.org Subject: Re: how can i give a ConfigurationPermission to a bundle to configure another bundle You have to also say: -Djava.security.policy=bin/all.police I would guess. regards, Karl On Mon, Nov 12, 2012 at 2:16 AM, Lissuan Fadraga Artiles lfadr...@uci.cuwrote: I put that : java -Dorg.osgi.framework.security=osgi -jar bin\felix.jar , and in the bin folder contains a all.police file whit this code : grant { permission java.security.AllPermission; }; this rises this error : Error creating bundle cache: java.security.AccesControlException:acces deniedJava.io.FilePermission .\felix-cache read What about this?.. Regards, Lissuan -Original Message- From: Karl Pauls [mailto:karlpa...@gmail.com] Sent: Sunday, November 11, 2012 2:05 PM To: users@felix.apache.org Subject: Re: how can i give a ConfigurationPermission to a bundle to configure another bundle try it without netbeans first maybe? :-) regards, Karl On Mon, Nov 12, 2012 at 2:02 AM, Lissuan Fadraga Artiles lfadr...@uci.cuwrote: I have a Netbeans OSGi bundle, and I aggregate the framework.security bundle as a project's dependency but I don't know how tells Netbeans that start the framework whit a security manager, and less where to put the security police whit the allpermission. Regards, Lissuan. -Original Message- From: Karl Pauls [mailto:karlpa...@gmail.com] Sent: Sunday, November 11, 2012 1:49 PM To: users@felix.apache.org Subject: Re: how can i give a ConfigurationPermission to a bundle to configure another bundle If you want to use OSGi security you have to install the framework.security bundle and start the framework with a security manager set and a security policy that gives the framework allpermission. regards, Karl On Mon, Nov 12, 2012 at 1:40 AM, Lissuan Fadraga Artiles lfadr...@uci.cuwrote: Hi: But how I can enable the Java Security Manager for OSGi bundle's ?, I'm using Netbeans 7.1.2 and Maven 3.0.3 Thanks Lissuan.. -Original Message- From: Felix Meschberger [mailto:fmesc...@adobe.com] Sent: Wednesday, November 07, 2012 11:55 PM To: users@felix.apache.org Subject: Re: how can i give a ConfigurationPermission to a bundle to configure another bundle Hi, Am 08.11.2012 um 00:30 schrieb Lissuan Fadraga Artiles: Hi: I Have a A bundle that configure a service from another bundle B, but this rises an error like this : *ERROR* Cannot use configuration test.manejador.receptorConfig or [org.osgi.service.cm.ManagedService, id=7, bundle=3] Configuration bound to bundle file: .. I assume you are ussing the single argument method to get the configuration. Administrative bundles should actually use the two argument variant and use null for the location, e.g. config = configAdmin.getConfiguration(test.manejador.receptorConfig, null); I know that bundle A must have ConfigurationPermission to configure anothers bundles, I tried to do for the way of PermissionAdmin setPermission method but the error rises again. Somebody has any idea about how I setup security for configuring bundles, or something's that I am missing ? Unless you enabled the Java Security Manager, Permissions do not come into play here. Regards Felix Thanks Lissuan Fadraga 10mo. ANIVERSARIO DE LA CREACION DE LA UNIVERSIDAD DE LAS CIENCIAS INFORMATICAS... CONECTADOS AL FUTURO, CONECTADOS A LA REVOLUCION http://www.uci.cu http://www.facebook.com/universidad.uci http://www.flickr.com/photos/universidad_uci -- -- - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- -- - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org 10mo. ANIVERSARIO DE LA CREACION DE LA UNIVERSIDAD DE LAS CIENCIAS INFORMATICAS... CONECTADOS AL FUTURO, CONECTADOS A LA REVOLUCION http://www.uci.cu http://www.facebook.com/universidad.uci
Re: Permissions and 3rd party bundles
- is this normal ? Thanks, Bokie -- View this message in context: http://apache-felix.18485.n6.nabble.com/Permissions-and-3rd-party-bundles-tp5000253.html Sent from the Apache Felix - Users mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls
Re: Tuning permissions
You could give your own security manager implementation that logs permissions that are requested. regards, Karl On Sun, Nov 4, 2012 at 1:00 PM, bokie jms.cer...@gmail.com wrote: I am trying to tune permissions on a 3rd party jar. With a lack of some permissions, exceptions are thrown while others just fail silently which makes it very difficult to give the bundle only the permissions it needs. Is there any way to ALWAYS get exceptions to be thrown in order to make permission tuning easier and give the bundle just the permissions it needs: (java.util.PropertyPermission propX read) instead of (java.util.PropertyPermission * read,write) Thanks, Bokie -- View this message in context: http://apache-felix.18485.n6.nabble.com/Tuning-permissions-tp5000251.html Sent from the Apache Felix - Users mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@felix.apache.org For additional commands, e-mail: users-h...@felix.apache.org -- Karl Pauls karlpa...@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls