We have done more work in this area but have run into an issue. We
implemented our own instance of an
org.apache.felix.fileinstall.ArtifactInstaller that verifies the jar is
properly signed before doing the installation. The Felix FileInstall
instance picks up our class and calls it at the correct time. So far so
good. 

The problem we have is that unsigned jars can still be installed. Our
ArtifactInstaller may only install signed jars, but the built-in installers
are not so picky. Unfortunately the other installers are in the same bundle
as the FileInstall class itself. We can't just stop the bundle, because if
we do that our ArtifactInstaller never gets called. So you either have the
FileInstall, the ArtifactInstaller interface, and all the default
installers, or you have none of it.

We have opted to work around this by disabling the entire Felix file install
bundle and creating our own bundle that does a similar thing. It monitors a
directory for a jar file and installs it if it is properly signed. It will
uninstall it if the file is removed. For our use case, it is an acceptable
byproduct that installation of kar, xml, and config files is no longer
allowed.

For future generations, a bundle can be installed easily from a file on
disk. You end up using the *installBundle* method on the *BundleContext*
object. Here is some example code that utilizes DS (declarative services).

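import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import org.osgi.framework.Bundle;
import org.osgi.framework.BundleContext;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;

@Component
public class MyClass
{
    @Activate
    public void activate (BundleContext bc) throws Exception
    {
        String path = "/some/path/to/a/file.jar";
        File f = new File(path);
        // Close the stream once the framework has read the bundle.
        try (InputStream stream = new FileInputStream(f))
        {
            // The first argument is the bundle location identifier.
            Bundle b = bc.installBundle(path, stream);
            System.out.println("Installed bundle "+b.getBundleId());
        }
    }
}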



--
Sent from: http://karaf.922171.n3.nabble.com/Karaf-User-f930749.html
