Hello Hasan,
if you read your exception stack you will see that you need to add the
following permission:
org.osgi.framework.AdminPermission (id=0) metadata
Have you done so?
pierre
Hasan wrote:
Dear Karl,
We have built framework.security and installed it as a bundle.
Additionally, we have written two bundles: TestBundle and PermissionManager.
The TestBundle is supposed to be able to create a file if the PermissionManager
sets the required permissions.
We use SCR to bind the ConditionalPermissionAdmin service in the
PermissionManager.
However, we already got errors when we installed and started PermissionManager
(the command services in felix listed no service, and the command ps in felix
said StartLevel service is unavailable).
Could you please advise what we may have done wrong, and what we have to do
before we may define permissions?
Please find below the contents of PermissionManager and the output of the
felix session.
The contents of PermissionManager:
----------------------------------
package org.example.permmgmt;

import java.io.FilePermission;

import org.osgi.service.component.ComponentContext;
import org.osgi.service.condpermadmin.BundleLocationCondition;
import org.osgi.service.condpermadmin.ConditionInfo;
import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
import org.osgi.service.permissionadmin.PermissionInfo;

/**
 * Declarative Services component (maven-scr-plugin javadoc tags). Once
 * activated with a ConditionalPermissionAdmin bound, it grants the test
 * bundle write access to helloWorld.txt.
 *
 * @scr.component
 * @scr.reference name="conditionalPermissionAdmin"
 *                cardinality="0..n" policy="dynamic"
 *                interface="org.osgi.service.condpermadmin.ConditionalPermissionAdmin"
 */
public class PermissionManager {
    private ConditionalPermissionAdmin cpa;

    protected void activate(ComponentContext context) throws Exception {
        System.out.println("Activating PermissionManager");
        if (cpa == null) {
            // cardinality 0..n: the component may be activated before the service is bound
            System.out.println("No ConditionalPermissionAdmin service");
            return;
        }
        // Condition: only the bundle installed from exactly this location ...
        ConditionInfo[] conditions = new ConditionInfo[] {
            new ConditionInfo(BundleLocationCondition.class.getName(),
                new String[] { "file:/home/hasan/workspaces/testbundle1/target/testbundle1-1.0-SNAPSHOT.jar" })
        };
        // ... gets write access to helloWorld.txt (a relative path, resolved against user.dir)
        PermissionInfo[] permissions = new PermissionInfo[] {
            new PermissionInfo(FilePermission.class.getName(), "helloWorld.txt", "write")
        };
        cpa.addConditionalPermissionInfo(conditions, permissions);
        System.out.println("cpi added");
    }

    protected void bindConditionalPermissionAdmin(ConditionalPermissionAdmin cpa) {
        System.out.println("Binding ConditionalPermissionAdmin");
        this.cpa = cpa;
    }

    protected void unbindConditionalPermissionAdmin(ConditionalPermissionAdmin cpa) {
        this.cpa = null;
    }
}
And the output of felix:
------------------------
Welcome to Felix.
=================
-> ps
START LEVEL 1
ID State Level Name
[ 0] [Active ] [ 0] System Bundle (1.4.0)
[ 1] [Active ] [ 1] Apache Felix Shell Service (1.0.2)
[ 2] [Active ] [ 1] Apache Felix Shell TUI (1.0.2)
[ 3] [Active ] [ 1] Apache Felix Bundle Repository (1.2.1)
-> start http://mirror.switch.ch/mirror/apache/dist/felix/org.apache.felix.scr-1.0.6.jar
-> start file:///home/hasan/workspaces/framework.security/target/org.apache.felix.framework.security-0.9.0-SNAPSHOT.jar
-> ps
START LEVEL 1
ID State Level Name
[ 0] [Active ] [ 0] System Bundle (1.4.0)
[ 1] [Active ] [ 1] Apache Felix Shell Service (1.0.2)
[ 2] [Active ] [ 1] Apache Felix Shell TUI (1.0.2)
[ 3] [Active ] [ 1] Apache Felix Bundle Repository (1.2.1)
[ 4] [Active ] [ 1] Apache Felix Declarative Services (1.0.6)
[ 5] [Resolved ] [ 1] Apache Felix Security Provider (0.9.0.SNAPSHOT)
-> services
System Bundle (0) provides:
---------------------------
org.osgi.service.startlevel.StartLevel
org.osgi.service.packageadmin.PackageAdmin
org.osgi.service.permissionadmin.PermissionAdmin
org.osgi.service.condpermadmin.ConditionalPermissionAdmin
Apache Felix Shell Service (1) provides:
----------------------------------------
org.apache.felix.shell.ShellService,
org.ungoverned.osgi.service.shell.ShellService
Apache Felix Bundle Repository (3) provides:
--------------------------------------------
org.osgi.service.obr.RepositoryAdmin
Apache Felix Declarative Services (4) provides:
-----------------------------------------------
org.apache.felix.scr.ScrService
-> start file:///home/hasan/workspaces/permmgmtagent/target/permmgmt-1.0-SNAPSHOT.jar
-> Binding ConditionalPermissionAdmin
Activating PermissionManager
-> services
-> ps
StartLevel service is unavailable.
ID State Name
ShellTui: java.security.AccessControlException: access denied (org.osgi.framework.AdminPermission (id=0) metadata)
java.security.AccessControlException: access denied (org.osgi.framework.AdminPermission (id=0) metadata)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
        at java.security.AccessController.checkPermission(AccessController.java:546)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
        at org.apache.felix.framework.Felix.getHeaders(Felix.java:480)
        at org.apache.felix.framework.Felix.getHeaders(Felix.java:471)
        at org.apache.felix.shell.impl.PsCommandImpl.execute(PsCommandImpl.java:128)
        at org.apache.felix.shell.impl.Activator$ExecutePrivileged.run(Activator.java:365)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.felix.shell.impl.Activator$ShellServiceImpl.executeCommand(Activator.java:264)
        at org.apache.felix.shell.tui.Activator$ShellTuiRunnable.run(Activator.java:167)
        at java.lang.Thread.run(Thread.java:619)
Thanks and kind regards
Hasan
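[Editor's added example; this is not code from the thread, from Hasan's bundles or from Felix.] What Pierre's reply points at becomes clearer with the whole table set up in one place. Two things the PermissionManager above does not account for: first, the ConditionalPermissionAdmin table is evaluated as soon as it holds a single entry, so every bundle that no entry matches (here the shell, which the BundleLocationCondition does not cover) is left with no permissions at all, which is exactly the denied AdminPermission (id=0) metadata in the trace; second, the methods that change the table are specified to require AllPermission of the caller, and after the first entry the managing bundle itself only has what the table grants it, so its own AllPermission entry has to go in first. The plain BundleActivator below (no SCR) does that in order, then runs the same check the shell's ps command failed on. The property name example.target.location, the entry names and the baseline permission set are assumptions made for this example. Two caveats from the session output: the location string in a BundleLocationCondition must be the bundle's install location exactly as the shell shows it (the start commands above use file:///..., the condition in PermissionManager uses file:/...), and the Security Provider showing as Resolved rather than Active is its normal state, because it is an extension bundle attached to the system bundle (the services output lists PermissionAdmin and ConditionalPermissionAdmin under System Bundle (0)).

```java
package org.example.permmgmt;

import java.io.FilePermission;
import java.security.AllPermission;
import java.util.Enumeration;

import org.osgi.framework.AdminPermission;
import org.osgi.framework.Bundle;
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.PackagePermission;
import org.osgi.framework.ServicePermission;
import org.osgi.framework.ServiceReference;
import org.osgi.service.condpermadmin.BundleLocationCondition;
import org.osgi.service.condpermadmin.ConditionInfo;
import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
import org.osgi.service.condpermadmin.ConditionalPermissionInfo;
import org.osgi.service.permissionadmin.PermissionInfo;

/**
 * Example activator (not Felix code) that fills the ConditionalPermissionAdmin
 * table in an order that keeps working once the table is non-empty:
 *   1. this bundle keeps AllPermission (needed to keep calling the set methods),
 *   2. a baseline for every bundle, so the shell's ps/services keep working,
 *   3. a FilePermission for one target bundle, selected by install location.
 * Fixed entry names make a restart replace, not duplicate, the entries.
 */
public class PermissionSetupActivator implements BundleActivator {

    // Hypothetical property naming the bundle that may write the file, e.g.
    // -Dexample.target.location=file:///home/hasan/.../testbundle1-1.0-SNAPSHOT.jar
    static final String TARGET_LOCATION_PROP = "example.target.location";
    static final String SELF_ENTRY = "example.self";
    static final String BASELINE_ENTRY = "example.baseline";
    static final String TARGET_ENTRY = "example.target.file";

    private ServiceReference cpaRef;
    private ConditionalPermissionAdmin cpa;

    public void start(BundleContext context) {
        cpaRef = context.getServiceReference(ConditionalPermissionAdmin.class.getName());
        if (cpaRef == null) {
            throw new IllegalStateException("ConditionalPermissionAdmin is not registered");
        }
        cpa = (ConditionalPermissionAdmin) context.getService(cpaRef);
        String target = context.getProperty(TARGET_LOCATION_PROP);
        if (target == null) {
            throw new IllegalStateException("property " + TARGET_LOCATION_PROP + " not set");
        }

        // 1. Our own bundle keeps AllPermission, matched by our install location.
        cpa.setConditionalPermissionInfo(SELF_ENTRY, locationIs(context.getBundle().getLocation()),
                new PermissionInfo[] { new PermissionInfo(AllPermission.class.getName(), null, null) });

        // 2. Baseline for all bundles: an empty condition array matches every bundle.
        cpa.setConditionalPermissionInfo(BASELINE_ENTRY, new ConditionInfo[0], new PermissionInfo[] {
                new PermissionInfo(AdminPermission.class.getName(), "*", "metadata,listener"),
                new PermissionInfo(ServicePermission.class.getName(), "*", "get,register"),
                new PermissionInfo(PackagePermission.class.getName(), "*", "import,export") });

        // 3. Only the target bundle may write helloWorld.txt (relative to user.dir).
        cpa.setConditionalPermissionInfo(TARGET_ENTRY, locationIs(target), new PermissionInfo[] {
                new PermissionInfo(FilePermission.class.getName(), "helloWorld.txt", "write") });

        // Check: the shell's ps failed on AdminPermission(system bundle, metadata);
        // report every bundle that would still fail that exact check.
        AdminPermission readSystemHeaders = new AdminPermission(context.getBundle(0), AdminPermission.METADATA);
        Bundle[] bundles = context.getBundles();
        for (int i = 0; i < bundles.length; i++) {
            if (!bundles[i].hasPermission(readSystemHeaders)) {
                System.out.println("WARNING: no AdminPermission(metadata) for " + bundles[i].getLocation());
            }
        }
    }

    /** Condition matching exactly one bundle by its install location string. */
    static ConditionInfo[] locationIs(String location) {
        return new ConditionInfo[] { new ConditionInfo(
                BundleLocationCondition.class.getName(), new String[] { location }) };
    }

    public void stop(BundleContext context) {
        if (cpa == null) {
            return;
        }
        // Reverse order: delete() needs AllPermission too, so our own entry goes last.
        deleteEntry(TARGET_ENTRY);
        deleteEntry(BASELINE_ENTRY);
        deleteEntry(SELF_ENTRY);
        context.ungetService(cpaRef);
        cpa = null;
    }

    private void deleteEntry(String name) {
        for (Enumeration e = cpa.getConditionalPermissionInfos(); e.hasMoreElements();) {
            ConditionalPermissionInfo info = (ConditionalPermissionInfo) e.nextElement();
            if (name.equals(info.getName())) {
                info.delete();
            }
        }
    }
}
```

The baseline is deliberately small (read bundle headers, use and register services, import/export packages); a bundle that needs more, such as the Declarative Services bundle or anything opening sockets, gets its own BundleLocationCondition entry rather than a wider baseline.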
Hasan wrote:
Dear Karl, dear Pierre,
Thanks for the prompt reply.
I will try Karl's suggestion.
Best regards
Hasan
Karl Pauls wrote:
Hello Hasan,
the framework needs AllPermission. That is what the OSGi specification
requires. It might be possible to limit it to specific permissions, but
there wouldn't be much left. Now, when the framework has AllPermission,
that doesn't have to imply that bundles have AllPermission as well.
However, at the moment that is the case if you use the standard felix
only. What you would have to do is to use the PermissionAdmin service
or the ConditionalPermissionAdmin service to set the permissions for a
bundle.
Problem is, we don't have released versions of the two services. We do
have some implementations in trunk but they are in an alpha state. In
case you want to give it a try: build the framework.security
subproject (in trunk/framework.security) and install the resulting
artifact as a bundle into felix. That will make the two services
available. See the core spec for how to use them.
regards,
Karl
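[Editor's added example; this policy fragment is not from the thread or from the Felix project.] Karl's two-layer model, written as a policy file: the JVM policy grants AllPermission only to the framework's own code base, and what a bundle may do is then decided by PermissionAdmin / ConditionalPermissionAdmin, not by this file. The code base below is Hasan's felix-1.4.0 install directory from his policy file further down, assumed to contain felix.jar and the felix-cache; adjust it to your layout. The difference from the unscoped grant { permission java.security.AllPermission; }; that also starts Felix is that only code loaded from that directory gets AllPermission. When a check still fails, starting the JVM with -Djava.security.debug=access,failure in addition to -Djava.security.manager and -Djava.security.policy prints the permission and the protection domain that was denied, which names the missing grant directly.

```text
// all.policy (added example): trust the framework code base completely;
// bundle permissions are managed at run time through ConditionalPermissionAdmin.
grant codeBase "file:${user.home}/sw/felix-1.4.0/-" {
    permission java.security.AllPermission;
};
```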
On Mon, Nov 24, 2008 at 10:50 AM, Hasan <[EMAIL PROTECTED]> wrote:
Thanks Pierre,
My intention is just to give as many permissions as necessary to felix, but
not all.
Thus, I assume there must be a way to define permissions for felix so that
it can install a new bundle without throwing exceptions, since when I gave
felix all permissions no such exception was thrown.
Kind regards
Hasan
Pierre Parrend wrote:
Dear Hasan,
with the permissions, you have to define a specific URL Handler for the
http protocol. See the class org.apache.felix.framework.URLHandlers (from my
memory, the name may be slightly different) for examples for other protocols.
I have an implementation on another computer; you should manage to adapt
the code yourself, otherwise I can look for my old code.
best regards,
Pierre
Hasan wrote:
Dear Pierre, dear all
Thanks for the file. I used and modified your file (see below). With this
policy file, however, I cannot install a new bundle. It threw a
java.net.MalformedURLException:
Welcome to Felix.
=================
-> install http://mirror.switch.ch/mirror/apache/dist/felix/org.apache.felix.scr-1.0.6.jar
java.net.MalformedURLException: Unknown protocol: http
What must be added to the policy file so that it works? Thanks in advance
for answering.
-- BEGIN of my additional policy file used when starting felix-1.4.0 --
grant codeBase "file:${user.home}/sw/felix-1.4.0/-" {
    permission java.util.PropertyPermission "*", "read,write";
    permission java.io.FilePermission "${user.home}/sw/felix-1.4.0/conf/*", "read";
    permission java.io.FilePermission "${user.home}/sw/felix-1.4.0/-", "read,write,delete";
    // permission java.io.FilePermission "${user.home}/-", "read,write,delete";
    permission java.io.FilePermission "bundle.lastmodified", "read";
    permission java.io.FilePermission "bundle/*", "read";
    permission java.io.FilePermission "./felix-cache", "read,write";
    permission java.io.FilePermission "./felix-cache/-", "read,write,delete";
    permission java.net.NetPermission "specifyStreamHandler";
    // permission java.net.SocketPermission "*", "resolve, connect";
    permission java.net.SocketPermission "*", "accept,connect,listen,resolve";
    permission java.lang.RuntimePermission "createSecurityManager";
    permission java.lang.RuntimePermission "getProtectionDomain";
    permission java.lang.RuntimePermission "setFactory";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.RuntimePermission "shutdownHooks";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission org.osgi.framework.AdminPermission "*", "lifecycle";
    permission org.osgi.framework.AdminPermission "*", "metadata";
    permission org.osgi.framework.AdminPermission "*", "listener";
    permission org.osgi.framework.AdminPermission "*", "execute";
    permission org.osgi.framework.AdminPermission "*", "startlevel";
    permission org.osgi.framework.AdminPermission "*", "extensionLifecycle";
    permission org.osgi.framework.PackagePermission "*", "export,import";
    permission org.osgi.framework.ServicePermission "*", "register,get";
};
-- END of my additional policy file used when starting felix-1.4.0 --
Kind regards
Hasan
Pierre Parrend wrote:
Dear Hasan, dear all,
here is a permission file which I used some time ago. You need to adapt it
to your own configuration, and probably to update it to match the current
state of the Felix implementation:
grant codeBase "file:$FELIX_HOME/-" {
    permission java.util.PropertyPermission "*", "read,write";
    permission java.io.FilePermission "$FELIX_HOME/main/conf/*", "read";
    permission java.io.FilePermission "$USER_HOME/-", "read,write,delete";
    permission java.io.FilePermission "bundle.lastmodified", "read";
    permission java.io.FilePermission "bundle/*", "read";
    permission java.net.NetPermission "specifyStreamHandler";
    permission java.net.SocketPermission "*", "resolve, connect";
    permission java.lang.RuntimePermission "createSecurityManager";
    permission java.lang.RuntimePermission "getProtectionDomain";
    permission java.lang.RuntimePermission "setFactory";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.RuntimePermission "shutdownHooks";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission org.osgi.framework.AdminPermission "*", "lifecycle";
    permission org.osgi.framework.AdminPermission "*", "metadata";
    permission org.osgi.framework.AdminPermission "*", "listener";
    permission org.osgi.framework.AdminPermission "*", "execute";
    permission org.osgi.framework.PackagePermission "*", "export";
    permission org.osgi.framework.ServicePermission "*", "register, get";
};
When reading the file, I wonder why the PackagePermission is set to
'export' only and does not include 'import'. If you get errors, you should
simply add it.
best regards,
Pierre
--
==============================================================
Pierre Parrend
Software Engineering (SE)
Tel: +49 721 9654 - 620
Fax: +49 721 9654 - 623
E-Mail: [EMAIL PROTECTED]
==============================================================
FZI Forschungszentrum Informatik an der Universität Karlsruhe
Haid-und-Neu-Str. 10-14, 76131 Karlsruhe
Tel.: +49 721 9654 - 0, Fax: +49 721 9654 - 959
Stiftung des bürgerlichen Rechts
Stiftung Az: 14-0563.1 Regierungspräsidium Karlsruhe
Vorstand:
Prof. Dr.-Ing. Rüdiger Dillmann
Dipl. Wi.-Ing. Michael Flor
Prof. Dr. Dr.-Ing. Jivka Ovtcharova
Prof. Dr. rer. nat. Rudi Studer
Vorsitzender des Kuratoriums:
Ministerialdirigent Günther Leßnerkraus
==============================================================
-----Original Message-----
From: Hasan [mailto:[EMAIL PROTECTED]
Sent: Wed 11/19/2008 11:36 AM
To: [email protected]
Subject: Re: Please help in enabling security
Hi again,
If I put the following line in all.policy
grant { permission java.security.AllPermission; };
then I can start felix successfully.
I hope this solves my problem starting felix with security enabled.
Note that in the slide set "Building Secure OSGi Applications" the line
reads as follows, which I think is wrong:
grant { permission java.lang.AllPermission };
Regards
Hasan
Hasan wrote:
Dear all
We would like to use the OSGi security mechanism (Conditional Permission
Admin) and thus are trying to enable security when invoking felix (version
1.4.0) as follows:
$ java -Djava.security.manager -Djava.security.policy=all.policy -jar bin/felix.jar
There were some AccessControlExceptions which we could fix by adapting the
java.policy file.
In the end, however, we got a NullPointerException as shown below.
-- BEGIN OF FELIX ERROR MESSAGE --
Welcome to Felix.
=================
ERROR: Unable to start system bundle. (java.lang.NullPointerException: Specified service reference cannot be null.)
java.lang.NullPointerException: Specified service reference cannot be null.
        at org.apache.felix.framework.BundleContextImpl.getService(BundleContextImpl.java:320)
        at org.apache.felix.main.AutoActivator.processAutoProperties(AutoActivator.java:77)
        at org.apache.felix.main.AutoActivator.start(AutoActivator.java:55)
        at org.apache.felix.framework.util.SecureAction$Actions.run(SecureAction.java:1071)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.felix.framework.util.SecureAction.startActivator(SecureAction.java:580)
        at org.apache.felix.framework.Felix$SystemBundleActivator.start(Felix.java:3761)
        at org.apache.felix.framework.util.SecureAction$Actions.run(SecureAction.java:1071)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.felix.framework.util.SecureAction.startActivator(SecureAction.java:580)
        at org.apache.felix.framework.Felix.init(Felix.java:849)
        at org.apache.felix.framework.Felix.start(Felix.java:881)
        at org.apache.felix.main.Main.main(Main.java:213)
Could not create framework: java.lang.RuntimeException: Unable to start system bundle.
java.lang.RuntimeException: Unable to start system bundle.
        at org.apache.felix.framework.Felix.init(Felix.java:857)
        at org.apache.felix.framework.Felix.start(Felix.java:881)
        at org.apache.felix.main.Main.main(Main.java:213)
-- END OF FELIX ERROR MESSAGE --
Any help and tips to enable security and solve this problem are highly
appreciated.
Kind regards
Hasan
--
--trialox ag--------------------------------------
Hasan Hasan
Binzmühlestrasse 14
CH-8050 Zürich
Tel: 0041-44-63 57577
Fax: 0041-44-63 57574
URL: http://www.trialox.ch
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]