Dear Karl, dear Pierre,

Thanks for the prompt reply.
I will try Karl's suggestion.

Best regards
Hasan

Karl Pauls wrote:
Hello Hasan,

the framework needs allpermission. That is what the OSGi specification
requires. It might be possible to limit it to specific permissions but
there wouldn't be much left. Now, when the framework has allpermissions
that doesn't have to imply that bundles have allpermissions as well.
However, at the moment that is the case if you use the standard felix
only. What you would have to do is to use the PermissionAdmin service
or the ConditionalPermissionAdmin service to set the permissions for a
bundle.

Problem is, we don't have released versions of the two services. We do
have some implementations in trunk but they are in an alpha state. In
case you want to give it a try: build the framework.security
subproject (in trunk/framework.security) and install the resulting
artifact as a bundle into felix. That will make the two services
available. See the core spec for how to use them.

regards,

Karl

On Mon, Nov 24, 2008 at 10:50 AM, Hasan <[EMAIL PROTECTED]> wrote:
Thanks Pierre,

My intention is just to give as many permissions as necessary to felix, but
not all. Thus, I assume there must be a way to define permissions for felix
so that it can install a new bundle without throwing exceptions. Since, if I
gave felix all permissions there is no such exception thrown.

Kind regards
Hasan

Pierre Parrend wrote:
Dear Hasan,

with the permissions, you have to define a specific URL Handler for the
http protocol. See the class org.apache.felix.framework.URLHandlers (from my
memory, the name may be slightly different) for examples for other protocols.

I have an implementation on another computer, you should manage to adapt
the code yourself, otherwise I can look for my old code.

best regards,
Pierre

Hasan wrote:
Dear Pierre, dear all

Thanks for the file. I use and modify your file (see below). With this
policy file however, I cannot install a new bundle. It threw
java.net.MalformedURLException:

Welcome to Felix.
=================

-> install http://mirror.switch.ch/mirror/apache/dist/felix/org.apache.felix.scr-1.0.6.jar
java.net.MalformedURLException: Unknown protocol: http

What must be added to the policy file so that it works? Thanks in advance
for answering.

-- BEGIN of my additional policy file used when starting felix-1.4.0 --
grant codeBase "file:${user.home}/sw/felix-1.4.0/-" {
  permission java.util.PropertyPermission "*", "read,write";
  permission java.io.FilePermission "${user.home}/sw/felix-1.4.0/conf/*", "read";
  permission java.io.FilePermission "${user.home}/sw/felix-1.4.0/-", "read,write,delete";

//    permission java.io.FilePermission "${user.home}/-", "read,write,delete";
  permission java.io.FilePermission "bundle.lastmodified", "read";
  permission java.io.FilePermission "bundle/*", "read";

  permission java.io.FilePermission "./felix-cache", "read,write";
  permission java.io.FilePermission "./felix-cache/-", "read,write,delete";

  permission java.net.NetPermission "specifyStreamHandler";
//    permission java.net.SocketPermission "*", "resolve, connect";
  permission java.net.SocketPermission "*", "accept,connect,listen,resolve";

  permission java.lang.RuntimePermission "createSecurityManager";
  permission java.lang.RuntimePermission "getProtectionDomain";
  permission java.lang.RuntimePermission "setFactory";
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
  permission java.lang.RuntimePermission "accessDeclaredMembers";
  permission java.lang.RuntimePermission "shutdownHooks";

  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";

  permission org.osgi.framework.AdminPermission "*", "lifecycle";
  permission org.osgi.framework.AdminPermission "*", "metadata";
  permission org.osgi.framework.AdminPermission "*", "listener";
  permission org.osgi.framework.AdminPermission "*", "execute";
  permission org.osgi.framework.AdminPermission "*", "startlevel";
  permission org.osgi.framework.AdminPermission "*", "extensionLifecycle";

  permission org.osgi.framework.PackagePermission "*", "export,import";
  permission org.osgi.framework.ServicePermission "*", "register,get";
};

-- END of my additional policy file used when starting felix-1.4.0 --

Kind regards
Hasan

Pierre Parrend wrote:
Dear Hasan, dear all,

here is a permission file which I used some time ago. You need to adapt it
to your own configuration, and probably to update it to match the current
state of the Felix implementation:

grant codeBase "file:$FELIX_HOME/-" {

   permission java.util.PropertyPermission "*", "read,write";
   permission java.io.FilePermission "$FELIX_HOME/main/conf/*", "read";

   permission java.io.FilePermission "$USER_HOME/-", "read,write,delete";
   permission java.io.FilePermission "bundle.lastmodified", "read";
   permission java.io.FilePermission "bundle/*", "read";

   permission java.net.NetPermission "specifyStreamHandler";
   permission java.net.SocketPermission "*", "resolve, connect";

   permission java.lang.RuntimePermission "createSecurityManager";
   permission java.lang.RuntimePermission "getProtectionDomain";
   permission java.lang.RuntimePermission "setFactory";
   permission java.lang.RuntimePermission "createClassLoader";
   permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
   permission java.lang.RuntimePermission "accessDeclaredMembers";
   permission java.lang.RuntimePermission "shutdownHooks";

   permission java.lang.reflect.ReflectPermission "suppressAccessChecks";

   permission org.osgi.framework.AdminPermission "*", "lifecycle";
   permission org.osgi.framework.AdminPermission "*", "metadata";
   permission org.osgi.framework.AdminPermission "*", "listener";
   permission org.osgi.framework.AdminPermission "*", "execute";

   permission org.osgi.framework.PackagePermission "*", "export";
   permission org.osgi.framework.ServicePermission "*", "register, get";
};

When reading the file, I wonder why the PackagePermission is set to
'export' only, and does not include 'import'. If you get errors you should
simply add it.

best regards,
Pierre

--
==============================================================
Pierre Parrend
Software Engineering (SE)
Tel: +49 721 9654 - 620
Fax: +49 721 9654 - 623
E-Mail: [EMAIL PROTECTED]

==============================================================




-----Original Message-----
From: Hasan [mailto:[EMAIL PROTECTED]
Sent: Wed 11/19/2008 11:36 AM
To: [email protected]
Subject: Re: Please help in enabling security
 Hi again,

If I put the following line in all.policy
grant { permission java.security.AllPermission; };

then I can start felix successfully.
I hope this solves my problem starting felix with security enabled.

Note, that in the slide set "Building Secure OSGi Applications"
the line reads as follows which I think is wrong:
grant { permission java.lang.AllPermission };

Regards
Hasan

Hasan wrote:

Dear all

We would like to use osgi security mechanism (conditional permission
admin) and thus are trying to enable security when invoking felix
(version 1.4.0) as follows

$ java -Djava.security.manager -Djava.security.policy=all.policy -jar bin/felix.jar

There were some AccessControlExceptions which we could fix by adapting
the java.policy file.
In the end however, we got a NullPointerException as shown below.

-- BEGIN OF FELIX ERROR MESSAGE --
Welcome to Felix.
=================

ERROR: Unable to start system bundle. (java.lang.NullPointerException: Specified service reference cannot be null.)
java.lang.NullPointerException: Specified service reference cannot be null.
  at org.apache.felix.framework.BundleContextImpl.getService(BundleContextImpl.java:320)
  at org.apache.felix.main.AutoActivator.processAutoProperties(AutoActivator.java:77)
  at org.apache.felix.main.AutoActivator.start(AutoActivator.java:55)
  at org.apache.felix.framework.util.SecureAction$Actions.run(SecureAction.java:1071)
  at java.security.AccessController.doPrivileged(Native Method)
  at org.apache.felix.framework.util.SecureAction.startActivator(SecureAction.java:580)
  at org.apache.felix.framework.Felix$SystemBundleActivator.start(Felix.java:3761)
  at org.apache.felix.framework.util.SecureAction$Actions.run(SecureAction.java:1071)
  at java.security.AccessController.doPrivileged(Native Method)
  at org.apache.felix.framework.util.SecureAction.startActivator(SecureAction.java:580)
  at org.apache.felix.framework.Felix.init(Felix.java:849)
  at org.apache.felix.framework.Felix.start(Felix.java:881)
  at org.apache.felix.main.Main.main(Main.java:213)
Could not create framework: java.lang.RuntimeException: Unable to start system bundle.
java.lang.RuntimeException: Unable to start system bundle.
  at org.apache.felix.framework.Felix.init(Felix.java:857)
  at org.apache.felix.framework.Felix.start(Felix.java:881)
  at org.apache.felix.main.Main.main(Main.java:213)

-- END OF FELIX ERROR MESSAGE --

Any help and tips to enable security and solve this problem is highly
appreciated.

Kind regards
Hasan


--
--trialox ag--------------------------------------

 Hasan Hasan
 Binzmühlestrasse 14
 CH-8050 Zürich
 Tel: 0041-44-63 57577
 Fax: 0041-44-63 57574
 URL: http://www.trialox.ch


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
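
Added example, not code from this thread or from the Felix project: a sketch of the approach Karl describes, where the framework keeps AllPermission in the Java policy file and individual bundles are confined through the ConditionalPermissionAdmin service. It assumes a framework that provides the OSGi R4.2 `ConditionalPermissionUpdate` API; the class name `PolicyActivator` and the location pattern `file:bundle/untrusted/*` are hypothetical.

```java
import java.util.List;
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;
import org.osgi.service.condpermadmin.BundleLocationCondition;
import org.osgi.service.condpermadmin.ConditionInfo;
import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
import org.osgi.service.condpermadmin.ConditionalPermissionInfo;
import org.osgi.service.condpermadmin.ConditionalPermissionUpdate;
import org.osgi.service.permissionadmin.PermissionInfo;

// Hypothetical activator of a small "policy" bundle that installs the permission table.
public class PolicyActivator implements BundleActivator {
    // Assumed location pattern of the bundles to confine (placeholder).
    private static final String UNTRUSTED = "file:bundle/untrusted/*";

    public void start(BundleContext ctx) throws Exception {
        ServiceReference ref = ctx.getServiceReference(ConditionalPermissionAdmin.class.getName());
        if (ref == null) {
            // Same failure class as the NullPointerException in the thread: check before getService().
            throw new IllegalStateException("ConditionalPermissionAdmin service is not registered");
        }
        ConditionalPermissionAdmin cpa = (ConditionalPermissionAdmin) ctx.getService(ref);
        ConditionalPermissionUpdate update = cpa.newConditionalPermissionUpdate();
        List rows = update.getConditionalPermissionInfos();
        rows.clear();
        // Row 1: keep this policy bundle privileged. Once the table is non-empty, a bundle
        // matched by no ALLOW row is denied, so management bundles need their own rows too.
        rows.add(cpa.newConditionalPermissionInfo("policy-bundle", locatedAt(ctx.getBundle().getLocation()),
            new PermissionInfo[] { new PermissionInfo("java.security.AllPermission", "*", "*") },
            ConditionalPermissionInfo.ALLOW));
        // Row 2: confined bundles may import packages and look up services, nothing else.
        rows.add(cpa.newConditionalPermissionInfo("untrusted", locatedAt(UNTRUSTED),
            new PermissionInfo[] {
                new PermissionInfo("org.osgi.framework.PackagePermission", "*", "import"),
                new PermissionInfo("org.osgi.framework.ServicePermission", "*", "get") },
            ConditionalPermissionInfo.ALLOW));
        if (!update.commit()) {
            throw new IllegalStateException("permission table was modified concurrently");
        }
    }

    public void stop(BundleContext ctx) { }

    private static ConditionInfo[] locatedAt(String location) {
        return new ConditionInfo[] {
            new ConditionInfo(BundleLocationCondition.class.getName(), new String[] { location }) };
    }
}
```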





