Despite all my attempts, I unfortunately still haven't solved my case.
It's true that everything is denied by default; however, is it also true
that all relevant permissions have to be positive to allow the action?
For instance: I can't say deny everything but allow 'this'. And if there
are other conflicting permissions, OSGi will deny the action, right?
My case is as follows:
I've got a large number of bundles, of which I want an unspecified
number of bundles from a specific directory to be limited in permissions.
I'm currently using a policy file which represents PermissionInfos and
ConditionInfos. I'm just not sure how to use variables in the
filters. It doesn't work but it does show what I'm aiming for.

DENY {
    # Only apply the rule if the bundle comes from this dir
    [ org.osgi.service.condpermadmin.BundleLocationCondition "${felix.root}/webapps/-" ]
    ( java.io.FilePermission "!(/specific/path/${bundle.propertyX}/-)" "*")
} "Deny all access to files"
ALLOW {
    # If the bundle does NOT come from this specific dir
    [ org.osgi.service.condpermadmin.BundleLocationCondition "${felix.root}/webapps/-" "!" ]
    ( java.security.AllPermission "*" "*")
} "Allow everything else"

Rules:
- Every bundle except bundles from directory '${felix.root}/webapps/-'
  has AllPermission
- Bundles from '${felix.root}/webapps/-' only have access to dir:
  '/specific/path/${bundle.propertyX}/-', nothing more

Is it possible to do this without creating new Condition classes? If
not, what's the best way to get the requested result?
On 07/12/2010 11:57 AM, François GOICHON wrote:
Hi,
For the practical part:
Do you have an example of how to grant permissions? (For example,
granting AllPermission to the system bundle?)
This is exactly what the sample code in the other thread does.
Or even better, do you have an example of how to limit a bundle's
file permissions purely to one directory?

permlist.add(cpa.newConditionalPermissionInfo(null,
    new ConditionInfo[]{
        new ConditionInfo(BundleLocationCondition.class.getName(),
            new String[]{ "file:" + webappdir + "*" }) },
    new PermissionInfo[]{
        new PermissionInfo(FilePermission.class.getName(),
            "myDirectory/-", "read,write") },
    "allow"));

In your example code you use the deny action but, by default,
everything is denied and you can add permissions. "Deny" can be used
to restrict existing permissions. For example, denying a specific
permission in AllPermission, or allowing reading any file except those
from a specific directory.
Regards,
François
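
Added example (not from either poster, and not Felix or OSGi project code): the two rules from this thread written as an ordered ConditionalPermissionAdmin table, where the first row that matches the bundle and implies the checked permission decides the outcome. The class name, row names and parameters are hypothetical, and it assumes one fixed directory for all webapp bundles rather than a per-bundle ${bundle.propertyX}.

```java
import java.io.FilePermission;
import java.security.AllPermission;
import java.util.List;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;
import org.osgi.service.condpermadmin.BundleLocationCondition;
import org.osgi.service.condpermadmin.ConditionInfo;
import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
import org.osgi.service.condpermadmin.ConditionalPermissionInfo;
import org.osgi.service.condpermadmin.ConditionalPermissionUpdate;
import org.osgi.service.permissionadmin.PermissionInfo;

// Added illustration; WebappSandboxPolicy and its parameters are hypothetical names.
public final class WebappSandboxPolicy {

    // webappLocation: location pattern, e.g. "file:/opt/felix/webapps/*" (constructed value).
    // allowedDir: the single directory webapp bundles may touch (assumed fixed).
    @SuppressWarnings({"unchecked", "rawtypes"})
    public static boolean install(BundleContext ctx, String webappLocation, String allowedDir) {
        ServiceReference ref = ctx.getServiceReference(ConditionalPermissionAdmin.class.getName());
        if (ref == null) {
            throw new IllegalStateException("ConditionalPermissionAdmin not available; is security enabled?");
        }
        ConditionalPermissionAdmin cpa = (ConditionalPermissionAdmin) ctx.getService(ref);

        ConditionInfo[] fromWebapps = {
            new ConditionInfo(BundleLocationCondition.class.getName(), new String[] { webappLocation })
        };
        PermissionInfo all = new PermissionInfo(AllPermission.class.getName(), "*", "*");
        PermissionInfo ownDir =
            new PermissionInfo(FilePermission.class.getName(), allowedDir + "/-", "read,write");

        ConditionalPermissionUpdate update = cpa.newConditionalPermissionUpdate();
        List rows = update.getConditionalPermissionInfos();
        rows.clear(); // replaces the whole table; keep existing rows if other policy must survive

        // Row 1: webapp bundles may read and write below allowedDir.
        rows.add(cpa.newConditionalPermissionInfo("webapps-allow-own-dir", fromWebapps,
            new PermissionInfo[] { ownDir }, ConditionalPermissionInfo.ALLOW));
        // Row 2: anything else a webapp bundle asks for stops here with DENY,
        // so row 3 is never reached for those bundles.
        rows.add(cpa.newConditionalPermissionInfo("webapps-deny-rest", fromWebapps,
            new PermissionInfo[] { all }, ConditionalPermissionInfo.DENY));
        // Row 3: no conditions, so it applies to every bundle that got past rows 1 and 2.
        rows.add(cpa.newConditionalPermissionInfo("others-allow-all", null,
            new PermissionInfo[] { all }, ConditionalPermissionInfo.ALLOW));

        return update.commit(); // false: the table changed concurrently, build a new update
    }
}
```

Row 2 also denies the PackagePermission and ServicePermission that webapp bundles need to import packages and use services, so a working sandbox usually places further narrow ALLOW rows ahead of it.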