On Mon, Jul 12, 2010 at 10:56 AM, Sander de Groot <[email protected]> wrote:
> Okay, I've created such a bundle and am definitely on the right track.
> But I do find the documentation a bit fuzzy, there are few examples to find.
>
> Do you have an example of how to grant permissions? (for example, granting
> allpermission to the system bundle?)
> Or even better, do you have an example of how to limit a bundle's file
> permissions purely to one directory?
>
> This is what I have so far:
>        final ConditionalPermissionAdmin cpa = (ConditionalPermissionAdmin)
>            context.getService(context.getServiceReference(ConditionalPermissionAdmin.class.getName()));
>
>        final ConditionalPermissionUpdate condPermUpdate = cpa.newConditionalPermissionUpdate();
>        final List<ConditionalPermissionInfo> permlist = condPermUpdate.getConditionalPermissionInfos();
>
>        String webappdir = System.getProperty("jdi.webapps");
>        System.out.println("WebAppDir: " + webappdir);
>        permlist.add( // add permission to the list
>            cpa.newConditionalPermissionInfo (
>                // this should be unique, right? so how about reloading?
>                "JDI-Webapplication-Permissions",
>                new ConditionInfo[] {
>                    new ConditionInfo(BundleLocationCondition.class.getName(), new String[] {
>                        webappdir + "*"
>                    })
>                },
>                new PermissionInfo[] {
>                    new PermissionInfo(AllPermission.class.getName(), "", ""),
>                    new PermissionInfo(FilePermission.class.getName(), "/home/sander/", "*")
>                },
>                "deny"
>            )
>        );
>        if ( condPermUpdate.commit() ) {
>            System.out.println("Commit succeeded");
>        } else {
>            System.err.println("Commit failed");
>        }
>
> Questions that arose while creating the above snippet:
>  - Should I remove permissions if my dedicated bundle is reloaded/stopped?
>  - How can I remove permissions?

Just clear the condpermupdate list and commit it. Better yet, keep a
copy around and restore the previous permissions if you go away.

>  - Is there a bundle which translates a textfile (properties/xml or
> whatsoever) so I won't have to hard-code the whole permission scheme?

You could have a look at the source code for chapter14 of the OSGi in
Action book. We have an example which uses a simple txt file and does
what you are asking for
(http://osgi-in-action.googlecode.com/svn/trunk/chapter14/combined-example
- look into the org.foo.policy bundle). In general, it sounds like
chapter14 might be interesting for you (the next meap update will have
a more advanced example where the policy bundle is explained too).

> And what about this dedicated bundle. What if this bundle is loaded after
> the bundles which require specific limitations? Can I do this with the
> starting levels or should I edit the config file so it will load this bundle
> first?

Start levels sound like a good idea.

> After some additional research I've found that the security features of
> Felix are not as mature as those of Equinox.

Why not? It would be nice if you could give me some indication of what
your research did find that makes you say that...

> It also seems that the security
> package provided at the felix download page won't start. Is this normal?
>
>     7|Resolved   |    1|Apache Felix Security Provider (1.2.0)

Yes, it's an extension bundle (they don't get started).

regards,

Karl

> On 07/09/2010 03:43 PM, François GOICHON wrote:
>>
>> What you have to do is to create a dedicated bundle that will play the
>> role of the permission agent.
>>
>> Within this bundle:
>> - get the permission admin service reference
>> - get the permission list
>> - grant allpermission to the system bundle (bundle 0), other Felix bundles
>> may need allpermission
>> - grant allpermission to this permission agent bundle
>> - then grant the different permissions you need to other bundles
>> - commit the permission list to the permission table
>>
>> Then, each time a permission check occurs, the security layer will be able
>> to determine whether each bundle providing each method on the call stack has
>> been granted this particular permission.
>>
>> Actually, as the permission administration is provided as a service, any
>> bundle having sufficient permissions can modify the permission table at any
>> time. So yes, you can therefore add/delete and commit new permissions when
>> catching some specific framework or service events.
>>
>> François
>>
>>
>> Sander de Groot wrote:
>>>
>>> Would it be possible to create a custom bundle which listens to other
>>> bundles' events and applies a specific permission scheme based on, for
>>> example, the bundle name/location or other properties? If so, how can I
>>> enforce such a scheme on another bundle?
>>>
>>> Regards,
>>>
>>> Sander
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [email protected]
>> For additional commands, e-mail: [email protected]
>>
>



-- 
Karl Pauls
[email protected]
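
The permission-agent procedure and the "keep a copy and restore it" advice from this thread, combined in one activator. This is an added example, not code from the thread or from the OSGi in Action sources; the class name PolicyActivator, the location pattern and the directory are placeholders.

```java
import java.io.FilePermission;
import java.security.AllPermission;
import java.util.ArrayList;
import java.util.List;
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;
import org.osgi.service.condpermadmin.*;
import org.osgi.service.permissionadmin.PermissionInfo;

public class PolicyActivator implements BundleActivator {   // hypothetical agent bundle
    private static final String CONFINED = "file:/opt/webapps/*";   // placeholder location pattern
    private static final String DATA_DIR = "/opt/webapps/data/-";   // placeholder; "-" means recursive
    private ConditionalPermissionAdmin cpa;
    private List<ConditionalPermissionInfo> previous;

    public void start(BundleContext ctx) throws Exception {
        ServiceReference ref = ctx.getServiceReference(ConditionalPermissionAdmin.class.getName());
        cpa = (ConditionalPermissionAdmin) ctx.getService(ref);
        ConditionalPermissionUpdate update = cpa.newConditionalPermissionUpdate();
        List<ConditionalPermissionInfo> rows = update.getConditionalPermissionInfos();
        previous = new ArrayList<ConditionalPermissionInfo>(rows);   // copy to restore in stop()
        rows.clear();                                                // this agent owns the whole table
        String file = FilePermission.class.getName();
        PermissionInfo all = new PermissionInfo(AllPermission.class.getName(), "", "");
        // Rows are checked top-down: the first row that matches the bundle and implies the permission decides.
        rows.add(row("system", ctx.getBundle(0).getLocation(), all, ConditionalPermissionInfo.ALLOW));
        rows.add(row("agent", ctx.getBundle().getLocation(), all, ConditionalPermissionInfo.ALLOW));
        rows.add(row("confined-dir", CONFINED, new PermissionInfo(file, DATA_DIR, "read,write"), ConditionalPermissionInfo.ALLOW));
        // Explicit DENY so that a broader ALLOW row appended later cannot re-grant file access.
        rows.add(row("confined-other-files", CONFINED, new PermissionInfo(file, "<<ALL FILES>>", "read,write,execute,delete"), ConditionalPermissionInfo.DENY));
        if (!update.commit()) throw new IllegalStateException("permission table changed concurrently");
    }

    public void stop(BundleContext ctx) {
        ConditionalPermissionUpdate update = cpa.newConditionalPermissionUpdate();
        List<ConditionalPermissionInfo> rows = update.getConditionalPermissionInfos();
        rows.clear();
        rows.addAll(previous);   // put back the table that was active before this agent started
        update.commit();
    }

    private ConditionalPermissionInfo row(String name, String location, PermissionInfo perm, String access) {
        ConditionInfo cond = new ConditionInfo(BundleLocationCondition.class.getName(), new String[] { location });
        return cpa.newConditionalPermissionInfo(name, new ConditionInfo[] { cond }, new PermissionInfo[] { perm }, access);
    }
}
```

Once the table is non-empty, a bundle that matches no row is granted nothing, so every other bundle that needs permissions requires its own ALLOW row. Row names must be unique within one update, which is why stop() restores the earlier table instead of leaving these rows behind for the next start.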
