On 7/26/12 21:52 , bokie wrote:
Hi,

I am currently busy with a project and for this one I decided to implement
security. It's been going relatively well except for a strange issue I'm
having - I'll try my best to explain it:

I have four bundles;
  - Bundle A is "API A"
  - Bundle B is the "API A PROVIDER"
  - Bundle C is "API C" and "API C PROVIDER" and a "API A CONSUMER"
  - Bundle D is a "API C CONSUMER"

The following permissions have been defined for each bundle
  - Bundle A
    PackagePermission "a" "exportonly"

  - Bundle B
    PackagePermission "a" "import"
    ServicePermission  "a.S1" "register"

  - Bundle C
    PackagePermission "a" "import"
    PackagePermission "c" "exportonly"
    ServicePermission  "a.S1" "get"
    ServicePermission  "c.S2" "register"

  - Bundle D
    PackagePermission "c" "import"
    ServicePermission  "c.S2" "get"

Now for the strange part - unless I give Bundle D the ServicePermission
"get" for a.S1 I can't get things to work, and NO, Bundle D makes absolutely
no reference to Bundle A; Bundle D is a consumer of Bundle C which in turn
is a consumer of Bundle A through Bundle B's implementation.

In other words, to get things to work I have to change this:
  - Bundle D
    PackagePermission "c" "import"
    ServicePermission  "c.S2" "get"
to this:
  - Bundle D
    PackagePermission "c" "import"
    ServicePermission  "c.S2" "get"
    ServicePermission  "a.S1" "get"


Am I missing something here - because this doesn't seem right and makes no
sense?

Just a guess, but perhaps C isn't doing a doPrivileged() block when it attempts to get service a.S1, so it fails because D is on the call stack. When trying to provide controlled access to secure resources, you must use doPrivileged() blocks to short-circuit the security call stack walk, otherwise all code on the call stack is checked for having the necessary privileges...

-> richard



Thanks
Bokie








--
View this message in context: 
http://apache-felix.18485.n6.nabble.com/framework-security-tp4998719.html
Sent from the Apache Felix - Users mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
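
The doPrivileged() suggestion in the reply above, sketched for Bundle C's implementation of c.S2. This is an added example, not code from the thread or from Apache Felix; the package `c.impl`, the class `S2Impl` and the methods `describe()` and `name()` are hypothetical, and `a.S1` and `c.S2` are assumed to be the interfaces exported by Bundles A and C.

```java
package c.impl; // hypothetical private package inside Bundle C

import java.security.AccessController;
import java.security.PrivilegedAction;

import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;

import a.S1; // API exported by Bundle A (assumed interface)
import c.S2; // API exported by Bundle C (assumed interface)

public class S2Impl implements S2 {
    private final BundleContext context; // Bundle C's own context

    public S2Impl(BundleContext context) {
        this.context = context;
    }

    // Hypothetical S2 method. Bundle D calls it, so D's protection domain
    // is on the call stack while the a.S1 lookup below runs.
    @Override
    public String describe() {
        // Without doPrivileged(), the ServicePermission "a.S1" "get" check
        // walks the whole stack and fails on D. With it, the walk stops at
        // this frame, so only Bundle C needs that permission.
        return AccessController.doPrivileged(new PrivilegedAction<String>() {
            @Override
            public String run() {
                ServiceReference<?> ref =
                        context.getServiceReference(S1.class.getName());
                if (ref == null) {
                    return "a.S1 unavailable"; // not registered or not permitted
                }
                S1 s1 = (S1) context.getService(ref);
                if (s1 == null) {
                    return "a.S1 unavailable"; // unregistered since the lookup
                }
                try {
                    return "c.S2 backed by " + s1.name(); // hypothetical S1 method
                } finally {
                    context.ungetService(ref);
                }
            }
        });
    }
}
```

Keep the privileged block limited to the fixed a.S1 lookup: if a value supplied by the caller chose which service to fetch, Bundle D could borrow Bundle C's permissions for services it was never granted.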


