Felix security and Tomcat 7

[Sinkov Vladimir]

Hello!

I'm developing Web Application which should be extendable with some modules
using OSGi(Apache Felix).
Those modules should have permission restrictions that's why I need OSGi
security.
Everything worked fine when I tested it as standalone application, but when
I integrated Felix into WebApp and deployed it into Tomcat 7 strange things
started to happen(by the way it works in Jetty just fine).
The next exception appears at the start of the Framework and at the start
of the Bundle, in case of security enabled with
org.osgi.framework.security=osgi.

org.osgi.framework.BundleException: Activator start error in bundle
org.volchyn.tutorials.felix-tutorial [2].
 at org.apache.felix.framework.Felix.activateBundle(Felix.java:2204)
 at org.apache.felix.framework.Felix.startBundle(Felix.java:2072)
 at org.apache.felix.framework.BundleImpl.start(BundleImpl.java:976)
 at org.apache.felix.framework.BundleImpl.start(BundleImpl.java:963)
 ...
Caused by: java.lang.ClassCircularityError:
org/apache/felix/framework/security/condpermadmin/DomainGripper
 at
org.apache.felix.framework.security.condpermadmin.ConditionalPermissionAdminImpl.hasPermission(ConditionalPermiss
ionAdminImpl.java:860)
 at
org.apache.felix.framework.SecurityProviderImpl.hasBundlePermission(SecurityProviderImpl.java:123)
 at
org.apache.felix.framework.Felix.impliesBundlePermission(Felix.java:4326)
 at
org.apache.felix.framework.BundleProtectionDomain.implies(BundleProtectionDomain.java:69)
 at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:350)
 at
java.security.AccessController.checkPermission(AccessController.java:559)
 at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
 at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
 at java.io.File.exists(File.java:808)
 at org.apache.naming.resources.FileDirContext.file(FileDirContext.java:766)
 at
org.apache.naming.resources.FileDirContext.doLookup(FileDirContext.java:196)
 at
org.apache.naming.resources.BaseDirContext.doLookupWithoutNNFE(BaseDirContext.java:494)
 at
org.apache.naming.resources.BaseDirContext.lookup(BaseDirContext.java:475)
 at
org.apache.naming.resources.ProxyDirContext.lookup(ProxyDirContext.java:306)
 at
org.apache.catalina.loader.WebappClassLoader.findResourceInternal(WebappClassLoader.java:3036)
 at
org.apache.catalina.loader.WebappClassLoader.findClassInternal(WebappClassLoader.java:2892)
 at
org.apache.catalina.loader.WebappClassLoader.findClass(WebappClassLoader.java:1210)
 at
org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1690)
 at
org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1571)
 at
org.apache.felix.framework.util.EventDispatcher.addListener(EventDispatcher.java:205)
 at org.apache.felix.framework.Felix.addServiceListener(Felix.java:3241)
 at
org.apache.felix.framework.BundleContextImpl.addServiceListener(BundleContextImpl.java:277)
 at
org.apache.felix.framework.BundleContextImpl.addServiceListener(BundleContextImpl.java:258)
 at tutorial.example2.Activator.start(Activator.java:46)
 at
org.apache.felix.framework.util.SecureAction$Actions.run(SecureAction.java:1630)
 at java.security.AccessController.doPrivileged(Native Method)
 at
org.apache.felix.framework.util.SecureAction.startActivator(SecureAction.java:636)
 at org.apache.felix.framework.Felix.activateBundle(Felix.java:2154)
 ... 18 more

After several experiments "solution" had been found. The hack is to preload
the problem classes before the start of Felix Framework and to put
org.apache.felix.framework.security Bundle into the classpath of the webapp:
Class.forName("org.apache.felix.framework.security.condpermadmin.DomainGripper");
Class.forName("org.apache.felix.framework.security.util.Permissions$1");
Class.forName("org.apache.felix.framework.security.util.Permissions$2");
Class.forName("org.osgi.framework.FrameworkListener");

Could you please help me in finding the normal solution for embedding Felix
with security into WebApp that is running under Tomcat?

Thanks!