On Wed, Jul 14, 2010 at 4:49 PM, Sander de Groot <[email protected]> wrote:
> Despite all my attempts I unfortunately still haven't solved my case.
> It's true that everything is denied by default, however is it also true that
> all relevant permissions have to be positive to allow the action?
The order of the rules is important. If a rule is found which allows
the required permission and has all its conditions satisfied, the
action is permitted (i.e., no other rules are evaluated); otherwise the
next rule is evaluated until there either is no more rule or we hit a
deny rule that matches the permission (a matching and satisfied deny
rule always terminates).
> For instance: I can't say deny everything but allow 'this'.
Right, but you can say allow this and deny everything (again, order is
significant).
> And if there are other conflicting permissions, OSGi will deny the action,
> right?
Not sure what "other conflicting permissions" are in this case...
> My case is as follows:
> I've got a large amount of bundles of which I want an unspecified amount of
> bundles from a specific directory to be limited in permissions.
>
> I'm currently using a policy file which represents PermissionInfo's and
> ConditionInfo's. I'm just not sure on how to use variables in the filters.
> It doesn't work but it does show what I'm aiming for.
>
> DENY {
> # Only apply the rule if the bundle comes from this dir
> [ org.osgi.service.condpermadmin.BundleLocationCondition
> "${felix.root}/webapps/-" ]
> ( java.io.FilePermission "!(/specific/path/${bundle.propertyX}/-)" "*")
> } "Deny all access to files"
> ALLOW {
> # If the bundle does NOT come from this specific dir
> [ org.osgi.service.condpermadmin.BundleLocationCondition
> "${felix.root}/webapps/-" "!" ]
> ( java.security.AllPermission "*" "*")
> } "Allow everything else"
>
> Rules:
> - Every bundle except bundles from directory '${felix.root}/webapps/-' have
> allpermissions
> - Bundles from '${felix.root}/webapps/-' only have access to dir:
> '/specific/path/${bundle.propertyX}/-' nothing more
>
> Is it possible to do this without creating new Condition classes? If not,
> what's the best way to get the requested result?
This will not work:
[ org.osgi.service.condpermadmin.BundleLocationCondition
"${felix.root}/webapps/-" ]
try:
[ org.osgi.service.condpermadmin.BundleLocationCondition
"${felix.root}/webapps/*" ]
(obviously, you can't use ${felix.root} out of the box...)
What is the problem you have? It's hard for me to see what could be
going wrong because of your "properties" I don't understand but are
you sure this is correct:
java.io.FilePermission "!(/specific/path/${bundle.propertyX}/-)" "*")
Why is there a "!" in there and what is ${bundle.propertyX}?
regards,
Karl
>
> On 07/12/2010 11:57 AM, François GOICHON wrote:
>>
>> Hi,
>>
>> For the practical part:
>>>
>>> Do you have an examples of how to grant permissions? ( for example
>>> granting allpermission to the system bundle? )
>>
>> This is exactly what the sample code in the other thread does.
>>>
>>> Or even better, do you have an example of how to limit a bundles' file
>>> permissions purely to one directory?
>>
>> permlist.add(cpa.newConditionalPermissionInfo(null,
>>     new ConditionInfo[]{ new ConditionInfo(BundleLocationCondition.class.getName(),
>>         new String[]{ "file:" + webappdir + "*" }) },
>>     new PermissionInfo[]{ new PermissionInfo(FilePermission.class.getName(),
>>         "myDirectory/-", "read,write") },
>>     "allow"));
>>
>> In your example code you use the deny action but, by default, everything
>> is denied and you can add permissions. "Deny" can be used to restrict
>> existing permissions. For example, denying a specific permission in
>> allpermission, or allowing to read any file, but those from a specific
>> directory.
>>
>> Regards,
>>
>> François
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [email protected]
>> For additional commands, e-mail: [email protected]
>>
>
--
Karl Pauls
[email protected]
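
The ordering described in this thread ("allow this and deny everything"), written against the Conditional Permission Admin API as an added example; it is not code from any participant in the thread. The class name, rule names, and the `webappLocation` and `dataDir` parameters are assumptions, and `dataDir` is one fixed directory, not a per-bundle `${bundle.propertyX}` value.

```java
import java.io.FilePermission;
import java.security.AllPermission;
import java.util.List;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;
import org.osgi.service.condpermadmin.BundleLocationCondition;
import org.osgi.service.condpermadmin.ConditionInfo;
import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
import org.osgi.service.condpermadmin.ConditionalPermissionInfo;
import org.osgi.service.condpermadmin.ConditionalPermissionUpdate;
import org.osgi.service.permissionadmin.PermissionInfo;

public final class WebappPolicy { // hypothetical class name
    /**
     * webappLocation (e.g. "file:/opt/felix/webapps/*") and dataDir are
     * assumed, already-resolved strings; no ${...} substitution happens here.
     */
    public static boolean install(BundleContext ctx, String webappLocation, String dataDir) {
        ServiceReference ref = ctx.getServiceReference(ConditionalPermissionAdmin.class.getName());
        if (ref == null) {
            throw new IllegalStateException("ConditionalPermissionAdmin not available");
        }
        ConditionalPermissionAdmin cpa = (ConditionalPermissionAdmin) ctx.getService(ref);

        ConditionInfo[] fromWebapps = { new ConditionInfo(
                BundleLocationCondition.class.getName(), new String[] { webappLocation }) };
        PermissionInfo[] all = { new PermissionInfo(AllPermission.class.getName(), "*", "*") };
        PermissionInfo[] dataFiles = { new PermissionInfo(
                FilePermission.class.getName(), dataDir + "/-", "read,write") };

        ConditionalPermissionUpdate update = cpa.newConditionalPermissionUpdate();
        List infos = update.getConditionalPermissionInfos();
        infos.clear(); // replace the table so the order below is the order evaluated

        // 1. First match wins: webapp bundles may touch files under dataDir.
        infos.add(cpa.newConditionalPermissionInfo("webapps-data", fromWebapps,
                dataFiles, ConditionalPermissionInfo.ALLOW));
        // 2. Anything else from a webapp bundle stops here. Real bundles usually also
        //    need narrow allows (e.g. PackagePermission) placed above this rule.
        infos.add(cpa.newConditionalPermissionInfo("webapps-deny-rest", fromWebapps,
                all, ConditionalPermissionInfo.DENY));
        // 3. Only reached by bundles that did not match rule 2, so no "!" is needed.
        infos.add(cpa.newConditionalPermissionInfo("others-all", new ConditionInfo[0],
                all, ConditionalPermissionInfo.ALLOW));

        return update.commit(); // false if the table changed concurrently
    }
}
```

Swapping rules 1 and 2 would deny the file access as well, because the deny rule would match first and terminate evaluation.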