how are you trying to use the DENY or ALLOW syntax? regards,
Karl On Fri, Oct 8, 2010 at 9:13 AM, Achim Nierbeck <[email protected]> wrote: > I now tried two ways of configuring security within the karaf server. One > taking equinox, after setting the right properties and the policy file it > did work. With Felix I think I do have an issue, I used the latest Karaf > version from SVN with Felix 3.0.3 and added the security bundle. If I list > the available bundles I do see that the security bundle is resolved but > shouldn't the framework-bundle (felix in this case) import the security > bundle as a fragment? Because this didn't work and a refresh on bundle 0 > causes the Karaf to crash :( > Still I do get the security to work but I'm not able to use the DENY or > ALLOW syntax. BTW. is there some documentation about the security bundle > available I just found some hints in older mailing threads. > Right now I have to configure every Security Constraint I wan't to enable > just to skip this one java.security.Runtime exitVM :( > > > 2010/10/4 Guillaume Nodet <[email protected]> > >> The karaf shutdown does not call system.exit(), it >> calls getBundleContext().getBundle(0).stop() which is way cleaner in osgi. >> The system.exit() is only called by the Main class that launches the >> framework, so if permissions are configured on bundles, it should be ok, >> since the launcher is outside the osgi framework. >> >> On Mon, Oct 4, 2010 at 15:06, Achim Nierbeck <[email protected] >> >wrote: >> >> > Hi, thanks for the first answer, you are right I don't have a lot of osgi >> > security knowledge. >> > One thing though that crosses my mind about your first solution. If I use >> > the apache Karaf as runtime container how would this affect the >> "shutdown" >> > command of the console? >> > >> > Thanks, Achim >> > >> > 2010/10/4 Karl Pauls <[email protected]> >> > >> > > I guess there are several ways to do this but the most portable one >> > > should be to start with security enabled (and in felix case - the >> > > framework.security bundle installed). From there, you could specify a >> > > policy that gives allpermission but has a deny on System.Exit. >> > > >> > > Assuming you don't have a lot of osgi security knowledge I can try to >> > > write a more detailed mail about how to do this tonight... >> > > >> > > regards, >> > > >> > > Karl >> > > >> > > On Mon, Oct 4, 2010 at 12:45 PM, Achim Nierbeck < >> [email protected] >> > > >> > > wrote: >> > > > Hi, >> > > > >> > > > I asked this question in the karaf user mailing list but they told me >> > > this >> > > > would be the better place to ask :) >> > > > I have a special Problem I would like to solve with the >> SecurityManger. >> > > But >> > > > first the Problem I'm facing: >> > > > I have a bundle containing a third party legacy library I have to >> use. >> > > > This Library does call system.Exit(?) if it looses it's connection to >> a >> > > > corresponding server. >> > > > I know that this is really bad (actually mean) but the quickest way >> of >> > > > shipping around this problem is using a service wrapper which does a >> > > > restart. >> > > > But this is not a nice way of doing especially this system.exit >> forces >> > a >> > > > hard shutdown :( >> > > > So I googled around and found that there is one solution for this, >> use >> > a >> > > > security manager which disallows System.Exit. >> > > > Now the tricky part, how do I specify a securityManager just for this >> > > bundle >> > > > preventing it from using System.Exit? >> > > > >> > > > Thank you in Advance :) >> > > > >> > > >> > > >> > > >> > > -- >> > > Karl Pauls >> > > [email protected] >> > > >> > > --------------------------------------------------------------------- >> > > To unsubscribe, e-mail: [email protected] >> > > For additional commands, e-mail: [email protected] >> > > >> > > >> > >> >> >> >> -- >> Cheers, >> Guillaume Nodet >> ------------------------ >> Blog: http://gnodet.blogspot.com/ >> ------------------------ >> Open Source SOA >> http://fusesource.com >> > -- Karl Pauls [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
