Could you try with a different Permission? My guess right now would be that
you/we are running into a very special case but for that to be true, I
would expect that your setup should work correctly with any other
permission...

regards,

Karl

On Fri, Jan 8, 2016 at 4:57 PM, Simon <simon-pob...@outlook.com> wrote:

> Hello, I have done my tests on the Java runtimes "1.7.0_71" and "1.8.0_25",
> and Felix "felix-framework-5.4.0". I have enabled security by adding
> "org.apache.felix.framework.security-2.4.0" to the bundle directory.
>
> I have then created three projects; "p1-check", "p1-policy" and the
> offending bundle "p1-evil" (I'll attach all code). My scenario is as
> follows; /I do not want p1-evil to connect to the Internet/. However in
> p1-evil Activator I placed some code that makes a request to google and
> prints the response.
>
> The p1-check bundle has only one condition; MyCheck.java. The
> /isSatisfied()/ method of MyCheck returns /true/ if the bundle symbolic
> name is "com.p1.evil", which is the symbolic name of the p1-evil bundle.
>
> This is meant to be used with the following security rule (can be found in
> security.policy)
>
> DENY {
>   [com.p1.check.MyCheck]
>   ( java.net.SocketPermission "*" "connect" )
> } "MyCheck"
>
> (note: I also tried "connect,resolve", still does not work on java 1.8)
>
> When I execute felix.jar with *java 1.7* I can see the logs from p1-check
> and as expected p1-evil does not connect and I get an exception
> [java.security.AccessControlException: access denied
> ("java.net.SocketPermission" "google.com:80" "connect,resolve")]
>
> When I execute felix.jar with *java 1.8* I can see the logs from p1-check
> however p1-evil activator is still allowed to connect to google.
>
> I have tried this on two different machines and I got the same results. Am
> I doing something wrong? Or is there something I do not know?
>
> felix-framework-5.zip <http://apache-felix.18485.x6.nabble.com/file/n5016167/felix-framework-5.zip>
> p1.zip <http://apache-felix.18485.x6.nabble.com/file/n5016167/p1.zip>


-- 
Karl Pauls
karlpa...@gmail.com
http://twitter.com/karlpauls
http://www.linkedin.com/in/karlpauls
https://profiles.google.com/karlpauls
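
The condition described in the quoted message could look like the following. This is an added example, not the code attached to the thread and not Felix project code; the class body is an assumption built from the description (a condition satisfied only for the bundle with symbolic name "com.p1.evil"), written against the standard `org.osgi.service.condpermadmin.Condition` interface.

```java
package com.p1.check;

import java.util.Dictionary;

import org.osgi.framework.Bundle;
import org.osgi.service.condpermadmin.Condition;
import org.osgi.service.condpermadmin.ConditionInfo;

/**
 * Illustrative condition for the rule
 *   DENY { [com.p1.check.MyCheck] ( java.net.SocketPermission "*" "connect" ) } "MyCheck"
 * It is satisfied only for the bundle named "com.p1.evil", so the DENY
 * row is meant to apply to that bundle and to no other.
 */
public final class MyCheck implements Condition {

    // Symbolic name taken from the mail; everything else here is assumed.
    private static final String TARGET = "com.p1.evil";

    private final boolean satisfied;

    private MyCheck(boolean satisfied) {
        this.satisfied = satisfied;
    }

    // Static factory the framework calls once per bundle protection domain.
    public static Condition getCondition(Bundle bundle, ConditionInfo info) {
        // getSymbolicName() can return null; equals() on the constant is null-safe.
        boolean match = TARGET.equals(bundle.getSymbolicName());
        System.out.println("MyCheck for " + bundle.getSymbolicName() + " -> " + match);
        return new MyCheck(match);
    }

    // Not postponed: the answer is known before the permission check runs.
    public boolean isPostponed() { return false; }

    public boolean isSatisfied() { return satisfied; }

    // Immutable: the framework may cache the result for the bundle's lifetime.
    public boolean isMutable() { return false; }

    // Only used for postponed conditions; answer consistently anyway.
    @SuppressWarnings("rawtypes")
    public boolean isSatisfied(Condition[] conditions, Dictionary context) {
        return satisfied;
    }
}
```

The log line in `getCondition` shows whether the condition was evaluated for the bundle at all, which separates "condition not consulted" from "condition consulted but permission still granted" when comparing the Java 1.7 and 1.8 runs.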
