On 9/16/09 16:57, Karl Pauls wrote:
On Wed, Sep 16, 2009 at 4:51 PM, Guido Spadotto<[email protected]> wrote:
Richard S. Hall wrote:
On 9/16/09 11:58, Karl Pauls wrote:
On Wed, Sep 16, 2009 at 11:51 AM, Guido Spadotto<[email protected]>
wrote:
I'd like to make framework interfaces visible only to specific
bundles/components of the framework environment I'm writing (and whose
bundles I am in full
control of), whilst 3p interfaces will be exported as usual (i.e. no
restrictions on
their visibility).
The Question: is there an easy/correct way of achieving this in OSGi?
I guess you are looking for security. Have a look at the
ConditionalPermissionAdmin and the related permissions defined by
OSGi.
As Karl says, there is no real way to do this other than security.
Otherwise, you could try to approximate it with mandatory attributes. In the
future, the spec could address such use cases (e.g., through composite
bundles, so you could create a subsystem), but even then the only way to get
guarantees is with security and granting permissions.
-> richard
Thanks Karl and Richard,
I'm studying the Conditional Permission Admin Spec.
If I got it right, I should write a custom condition that distinguishes
between framework and 3rd Party
bundles and - based on that - gets enabled or not.
Once I have that condition, I can use it to grant these permissions
ServicePermission[FQN_Of_FW_Interface,GET ] and
PackagePermission[FQN_Of_FW_Package,IMPORT]
to Framework Bundles.
3rd Party services, that is all services contained in bundles
that do not satisfy my custom condition, will not be able to
import my FW packages, or get FW services.
Yup, that is correct. Alternatively, you could use different
certificates for each domain (framework and 3rd) and sign the bundles
with the certificate of the domain they belong to. This way you could
use the BundleSignerCondition instead of your custom condition. If
signing is not an option you can go with the custom condition
approach.
The new R4.2 spec adds more fine-grained support to PackagePermission,
so I believe it will be possible to grant bundle X permission to import
foo from bundle Y. Of course, we don't yet implement that feature.
-> richard
regards,
Karl
Richard, what do you mean by "approximating with mandatory attributes"?
Please correct/extend my thoughts if you see I'm wrong.
--
Guido Spadotto
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
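
The signer-based grant discussed in the thread, as an added example that is not code from any of the posters or from the Felix project. The package name, service interface name, signer DN and row name are hypothetical placeholders, and it uses the R4.1-style `setConditionalPermissionInfo` call of ConditionalPermissionAdmin.

```java
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.PackagePermission;
import org.osgi.framework.ServicePermission;
import org.osgi.framework.ServiceReference;
import org.osgi.service.condpermadmin.BundleSignerCondition;
import org.osgi.service.condpermadmin.ConditionInfo;
import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
import org.osgi.service.permissionadmin.PermissionInfo;

/** Policy bundle: grants access to the framework API only to bundles signed by the framework signer. */
public class FwPolicyActivator implements BundleActivator {
    // Hypothetical names, used for illustration only.
    static final String FW_PACKAGE = "com.example.fw.api";
    static final String FW_SERVICE = "com.example.fw.api.FrameworkService";
    static final String FW_SIGNER_DN = "CN=Framework Signer,O=Example,C=XX";

    public void start(BundleContext ctx) throws Exception {
        ServiceReference ref =
            ctx.getServiceReference(ConditionalPermissionAdmin.class.getName());
        if (ref == null) {
            // Without this service (framework security not enabled) nothing is enforced.
            throw new IllegalStateException("ConditionalPermissionAdmin not available");
        }
        ConditionalPermissionAdmin cpa = (ConditionalPermissionAdmin) ctx.getService(ref);

        // Condition: the bundle was signed with the framework-domain certificate.
        ConditionInfo[] signedByFramework = {
            new ConditionInfo(BundleSignerCondition.class.getName(),
                              new String[] { FW_SIGNER_DN })
        };
        // Permissions named in the thread: import the FW package, get the FW service.
        PermissionInfo[] fwApiAccess = {
            new PermissionInfo(PackagePermission.class.getName(),
                               FW_PACKAGE, PackagePermission.IMPORT),
            new PermissionInfo(ServicePermission.class.getName(),
                               FW_SERVICE, ServicePermission.GET)
        };
        // Named row, so re-running the activator replaces it instead of adding a duplicate.
        cpa.setConditionalPermissionInfo("fw-api-for-fw-bundles",
                                         signedByFramework, fwApiAccess);
        // Rows for third-party bundles must not grant PackagePermission or
        // ServicePermission with a "*" name, since a wildcard also covers FW_PACKAGE
        // and FW_SERVICE.
    }

    public void stop(BundleContext ctx) throws Exception {
        // The policy row is left in place on purpose; stopping this bundle must not open access.
    }
}
```

The grant is only checked when the framework runs with a Java security manager installed.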