Dear Hasan,

To enable permissions you need to define these URLHandlers, since the security manager triggers their use. Maybe there are specific permissions that make it possible not to rely on these URLHandlers, but I do not know them. The aim of my own implementation was also just to be able to restrict the permissions granted to the code, nothing else.

best regards,

Pierre

Hasan wrote:
Thanks Pierre,

My intention is just to give as many permissions as necessary to felix, but not all. Thus, I assume there must be a way to define permissions for felix so that it can install a new bundle without throwing exceptions, since when I gave felix all permissions no such exception was thrown.

Kind regards
Hasan

Pierre Parrend wrote:

Dear Hassan,

With the permissions, you have to define a specific URL Handler for the http protocol. See the class org.apache.felix.framework.URLHandlers (from memory, the name may be slightly different) for examples for other protocols.

I have an implementation on another computer, you should manage to adapt the code yourself, otherwise I can look for my old code.

best regards,
Pierre

Hasan wrote:
Dear Pierre, dear all

Thanks for the file. I used and modified your file (see below). With this policy file, however, I cannot install a new bundle. It threw java.net.MalformedURLException:

Welcome to Felix.
=================

-> install http://mirror.switch.ch/mirror/apache/dist/felix/org.apache.felix.scr-1.0.6.jar
java.net.MalformedURLException: Unknown protocol: http

What must be added to the policy file so that it works? Thanks in advance for answering.

-- BEGIN of my additional policy file used when starting felix-1.4.0 --
grant codeBase "file:${user.home}/sw/felix-1.4.0/-" {
   permission java.util.PropertyPermission "*", "read,write";
   permission java.io.FilePermission "${user.home}/sw/felix-1.4.0/conf/*", "read";
   permission java.io.FilePermission "${user.home}/sw/felix-1.4.0/-", "read,write,delete";

   // permission java.io.FilePermission "${user.home}/-", "read,write,delete";
   permission java.io.FilePermission "bundle.lastmodified", "read";
   permission java.io.FilePermission "bundle/*", "read";

   permission java.io.FilePermission "./felix-cache", "read,write";
   permission java.io.FilePermission "./felix-cache/-", "read,write,delete";

   permission java.net.NetPermission "specifyStreamHandler";
   // permission java.net.SocketPermission "*", "resolve, connect";
   permission java.net.SocketPermission "*", "accept,connect,listen,resolve";

   permission java.lang.RuntimePermission "createSecurityManager";
   permission java.lang.RuntimePermission "getProtectionDomain";
   permission java.lang.RuntimePermission "setFactory";
   permission java.lang.RuntimePermission "createClassLoader";
   permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
   permission java.lang.RuntimePermission "accessDeclaredMembers";
   permission java.lang.RuntimePermission "shutdownHooks";

   permission java.lang.reflect.ReflectPermission "suppressAccessChecks";

   permission org.osgi.framework.AdminPermission "*", "lifecycle";
   permission org.osgi.framework.AdminPermission "*", "metadata";
   permission org.osgi.framework.AdminPermission "*", "listener";
   permission org.osgi.framework.AdminPermission "*", "execute";
   permission org.osgi.framework.AdminPermission "*", "startlevel";
   permission org.osgi.framework.AdminPermission "*", "extensionLifecycle";

   permission org.osgi.framework.PackagePermission "*", "export,import";
   permission org.osgi.framework.ServicePermission "*", "register,get";
};

-- END of my additional policy file used when starting felix-1.4.0 --

Kind regards
Hasan
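As an added example that is not part of this thread: a small Python checker for the java.policy syntax used above. It parses the grant/permission entries and reports the ones that are wider than a Felix instance installing bundles needs, in particular the java.security.AllPermission catch-all from all.policy mentioned further down, a wildcard SocketPermission widened to accept/listen, recursive delete over a whole directory tree, and suppressAccessChecks. The policy text inside is constructed for the example, modelled on the file above, not Hasan's or Pierre's exact file.

```python
import re
from dataclasses import dataclass

# Constructed sample, not Hasan's or Pierre's exact file: the all.policy catch-all
# from the thread plus a Felix codeBase grant carrying the widened entries.
SAMPLE_POLICY = '''
grant { permission java.security.AllPermission; };
grant codeBase "file:${user.home}/sw/felix-1.4.0/-" {
   permission java.io.FilePermission "${user.home}/sw/felix-1.4.0/-", "read,write,delete";
   permission java.net.NetPermission "specifyStreamHandler";
   permission java.net.SocketPermission "*", "accept,connect,listen,resolve";
   permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
   permission org.osgi.framework.PackagePermission "*", "export,import";
};
'''

GRANT_RE = re.compile(r'grant\s*(?:codeBase\s+"([^"]*)")?\s*\{(.*?)\};', re.S)
PERM_RE = re.compile(r'permission\s+([\w.$]+)\s*(?:"([^"]*)")?\s*(?:,\s*"([^"]*)")?\s*;')

@dataclass(frozen=True)
class Grant:
    code_base: str  # '<all code>' when the grant block has no codeBase clause
    cls: str
    target: str
    actions: frozenset

def parse_policy(text):
    """Parse the grant/permission entries of a java.policy file."""
    text = re.sub(r'^\s*//[^\n]*', '', text, flags=re.M)  # drop whole-line // comments
    grants = []
    for code_base, body in GRANT_RE.findall(text):
        for cls, target, actions in PERM_RE.findall(body):
            acts = frozenset(a.strip() for a in actions.split(',') if a.strip())
            grants.append(Grant(code_base or '<all code>', cls, target, acts))
    return grants

def audit(grants):
    """Return (code_base, class, reason) for grants wider than a bundle-installing Felix needs."""
    findings = []
    for g in grants:
        if g.cls == 'java.security.AllPermission':
            findings.append((g.code_base, g.cls, 'AllPermission switches the sandbox off'))
        elif g.cls == 'java.net.SocketPermission' and g.target == '*' and g.actions & {'accept', 'listen'}:
            findings.append((g.code_base, g.cls, 'accept/listen on every host; downloading a bundle over http needs only connect,resolve'))
        elif g.cls == 'java.io.FilePermission' and g.target.endswith('/-') and 'delete' in g.actions:
            findings.append((g.code_base, g.cls, f'recursive delete under {g.target}; confine it to the bundle cache'))
        elif g.cls == 'java.lang.reflect.ReflectPermission' and g.target == 'suppressAccessChecks':
            findings.append((g.code_base, g.cls, 'lets code bypass Java access checks through reflection'))
    return findings
```

Run it with audit(parse_policy(open('java.policy').read())) against your own file; each finding names the codeBase the grant applies to, so a hit under '<all code>' means every class on the classpath gets it.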

Pierre Parrend wrote:
Dear Hasan, dear all,

here is a permission file which I used some time ago. You need to adapt it to your own configuration, and probably to update it to match the current state of the Felix implementation:

grant codeBase "file:$FELIX_HOME/-" {

    permission java.util.PropertyPermission "*", "read,write";
    permission java.io.FilePermission "$FELIX_HOME/main/conf/*", "read";

    permission java.io.FilePermission "$USER_HOME/-", "read,write,delete";
    permission java.io.FilePermission "bundle.lastmodified", "read";
    permission java.io.FilePermission "bundle/*", "read";

    permission java.net.NetPermission "specifyStreamHandler";
    permission java.net.SocketPermission "*", "resolve, connect";

    permission java.lang.RuntimePermission "createSecurityManager";
    permission java.lang.RuntimePermission "getProtectionDomain";
    permission java.lang.RuntimePermission "setFactory";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.RuntimePermission "shutdownHooks";

    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";

    permission org.osgi.framework.AdminPermission "*", "lifecycle";
    permission org.osgi.framework.AdminPermission "*", "metadata";
    permission org.osgi.framework.AdminPermission "*", "listener";
    permission org.osgi.framework.AdminPermission "*", "execute";

    permission org.osgi.framework.PackagePermission "*", "export";
    permission org.osgi.framework.ServicePermission "*", "register, get";
};

When reading the file, I wonder why the PackagePermission is set to 'export' only and does not include 'import'. If you get errors you should simply add it.

best regards,
Pierre

--
==============================================================
Pierre Parrend
Software Engineering (SE)
Tel: +49 721 9654 - 620
Fax: +49 721 9654 - 623
E-Mail: [EMAIL PROTECTED]

==============================================================

FZI Forschungszentrum Informatik an der Universität Karlsruhe
Haid-und-Neu-Str. 10-14, 76131 Karlsruhe
Tel.: +49 721 9654 - 0, Fax: +49 721 9654 - 959

Stiftung des bürgerlichen Rechts
Stiftung Az: 14-0563.1 Regierungspräsidium Karlsruhe

Vorstand:
Prof. Dr.-Ing. Rüdiger Dillmann
Dipl. Wi.-Ing. Michael Flor
Prof. Dr. Dr.-Ing. Jivka Ovtcharova
Prof. Dr. rer. nat. Rudi Studer

Vorsitzender des Kuratoriums:
Ministerialdirigent Günther Leßnerkraus

==============================================================



-----Original Message-----
From: Hasan [mailto:[EMAIL PROTECTED]
Sent: Wed 11/19/2008 11:36 AM
To: [email protected]
Subject: Re: Please help in enabling security
Hi again,

If I put the following line in all.policy
grant { permission java.security.AllPermission; };

then I can start felix successfully.
I hope this solves my problem starting felix with security enabled.

Note that in the slide set "Building Secure OSGi Applications" the line reads as follows, which I think is wrong:
grant { permission java.lang.AllPermission };

Regards
Hasan

Hasan wrote:
Dear all

We would like to use the OSGi security mechanism (conditional permission admin) and thus are trying to enable security when invoking felix (version 1.4.0) as follows:

$ java -Djava.security.manager -Djava.security.policy=all.policy -jar bin/felix.jar

There were some AccessControlExceptions, which we could fix by adapting the java.policy file. In the end, however, we got a NullPointerException as shown below.

-- BEGIN OF FELIX ERROR MESSAGE --
Welcome to Felix.
=================

ERROR: Unable to start system bundle. (java.lang.NullPointerException: Specified service reference cannot be null.)
java.lang.NullPointerException: Specified service reference cannot be null.
   at org.apache.felix.framework.BundleContextImpl.getService(BundleContextImpl.java:320)
   at org.apache.felix.main.AutoActivator.processAutoProperties(AutoActivator.java:77)
   at org.apache.felix.main.AutoActivator.start(AutoActivator.java:55)
   at org.apache.felix.framework.util.SecureAction$Actions.run(SecureAction.java:1071)
   at java.security.AccessController.doPrivileged(Native Method)
   at org.apache.felix.framework.util.SecureAction.startActivator(SecureAction.java:580)
   at org.apache.felix.framework.Felix$SystemBundleActivator.start(Felix.java:3761)
   at org.apache.felix.framework.util.SecureAction$Actions.run(SecureAction.java:1071)
   at java.security.AccessController.doPrivileged(Native Method)
   at org.apache.felix.framework.util.SecureAction.startActivator(SecureAction.java:580)
   at org.apache.felix.framework.Felix.init(Felix.java:849)
   at org.apache.felix.framework.Felix.start(Felix.java:881)
   at org.apache.felix.main.Main.main(Main.java:213)
Could not create framework: java.lang.RuntimeException: Unable to start system bundle.
java.lang.RuntimeException: Unable to start system bundle.
   at org.apache.felix.framework.Felix.init(Felix.java:857)
   at org.apache.felix.framework.Felix.start(Felix.java:881)
   at org.apache.felix.main.Main.main(Main.java:213)

-- END OF FELIX ERROR MESSAGE --

Any help and tips to enable security and solve this problem are highly appreciated.

Kind regards
Hasan
