Glad I can maybe do something useful for the list here, because I
spent some time experimenting with
org.apache.felix.framework.security.

I'm now using this framework in an application (called xbundle) to
ensure all osgi bundles are signed.

I start Felix with the following VM args

org.osgi.framework.security="osgi"
java.security.policy=xbundle.policy
felix.keystore=file:xbundle.jks
felix.keystore.type=jks
felix.keystore.pass=passwd
osgi.signedcontent.support=all

xbundle.policy has:

grant {
 permission java.security.AllPermission;
};

In config.properties I see that I have set:

org.framework.extensions=org.apache.felix.framework.security


Then I write a bundle with an Activator which does:

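import java.security.AllPermission;
import java.util.List;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;
import org.osgi.service.condpermadmin.BundleSignerCondition;
import org.osgi.service.condpermadmin.ConditionInfo;
import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
import org.osgi.service.condpermadmin.ConditionalPermissionInfo;
import org.osgi.service.condpermadmin.ConditionalPermissionUpdate;
import org.osgi.service.permissionadmin.PermissionInfo;

public void start(BundleContext context) {

    // Look up the Conditional Permission Admin service and open an update
    ServiceReference<ConditionalPermissionAdmin> ref =
            context.getServiceReference(ConditionalPermissionAdmin.class);
    ConditionalPermissionAdmin admin = context.getService(ref);
    ConditionalPermissionUpdate update = admin.newConditionalPermissionUpdate();
    List<ConditionalPermissionInfo> infos = update.getConditionalPermissionInfos();

    // One ALLOW row: bundles signed by this DN chain get AllPermission
    infos.add(admin.newConditionalPermissionInfo(
            "Signed Bundles",
            new ConditionInfo[] {
                new ConditionInfo(BundleSignerCondition.class.getName(), new String[] {
                    "CN=XBundle, O=XBundle, STREET=XBundle House, "
                    + "STREET=Placename, L=Town, ST=County, OID.2.5.4.17=Postcode, C=GB ; -"
                })
            },
            new PermissionInfo[] {
                new PermissionInfo(AllPermission.class.getName(), "*", "*"),
            },
            ConditionalPermissionInfo.ALLOW));

    // Write the modified table back to the framework
    update.commit();

}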

I start this bundle at run level 1 together with
org.apache.felix.framework.security-2.4.0.jar

Seems to work OK to check that all bundle jars are signed.

Robert

On Fri, Apr 15, 2016 at 6:41 AM, Paul F Fraser <pa...@a2zliving.com> wrote:
> Hi,
>
> Any of the tutorial/slideshare/examples etc. I could find are very old.
>
> Is OSGi security being used currently or is there a new preferred approach?
>
> When attempting to use the felix framework security bundle it is unclear
> what happens with the jvm security manager.
> From
> http://felix.apache.org/documentation/subprojects/apache-felix-framework-security.html
> it seems that a securitymanager is not necessary.
> If the felix bundle is used without setting a security manager
> System.getSecurityManager() returns null.
> Is it intended that the felix bundle needs a security manager set?
>
> Any assistance in this area, which seems to be bypassed by many OSGi
> developers, would be most appreciated.
>
> Regards
> Paul Fraser
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@felix.apache.org
> For additional commands, e-mail: users-h...@felix.apache.org
>
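
An added example, not part of either message above and not Felix project code: a small audit bundle that reports whether a SecurityManager is installed in the JVM (the question raised in the quoted message), prints the rows currently in the Conditional Permission Admin table, and lists installed bundles that have no trusted signer. The class name SigningAudit is hypothetical, and the example assumes it runs as a bundle under the same launch settings as above, with trust evaluated against the configured keystore.

```java
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import org.osgi.framework.Bundle;
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;
import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
import org.osgi.service.condpermadmin.ConditionalPermissionInfo;

/** Hypothetical audit activator (added example). */
public class SigningAudit implements BundleActivator {

    /** Returns the locations of installed bundles that have no trusted signer. */
    static List<String> untrustedBundles(Bundle[] bundles) {
        List<String> result = new ArrayList<>();
        for (Bundle b : bundles) {
            if (b.getBundleId() == 0) continue; // skip the system bundle
            Map<X509Certificate, List<X509Certificate>> signers =
                    b.getSignerCertificates(Bundle.SIGNERS_TRUSTED);
            if (signers.isEmpty()) result.add(b.getLocation());
        }
        return result;
    }

    @Override
    public void start(BundleContext context) {
        // Is a SecurityManager set in this JVM? null means permission checks are not enforced.
        System.out.println("SecurityManager installed: "
                + (System.getSecurityManager() != null));

        ServiceReference<ConditionalPermissionAdmin> ref =
                context.getServiceReference(ConditionalPermissionAdmin.class);
        if (ref == null) {
            System.out.println("ConditionalPermissionAdmin service is not registered");
        } else {
            ConditionalPermissionAdmin admin = context.getService(ref);
            for (ConditionalPermissionInfo row
                    : admin.newConditionalPermissionUpdate().getConditionalPermissionInfos()) {
                System.out.println("CPA row: " + row.getEncoded());
            }
            context.ungetService(ref);
        }
        for (String location : untrustedBundles(context.getBundles())) {
            System.out.println("No trusted signer: " + location);
        }
    }

    @Override
    public void stop(BundleContext context) { }
}
```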
