I see your point, but if you cannot be assured that your machine is
secure, then all bets are pretty much off anyway.
-> richard
On 3/22/12 11:20 , Guillaume Nodet wrote:
What I mean is that the URLClassLoader does the check each time a resource
is loaded using the JarFile, and I think Felix should somehow do the same
in order to be secured.
On Thu, Mar 22, 2012 at 16:17, Guillaume Nodet <[email protected]> wrote:
That's my point, it only happens at install time, which means it's not
really secured. I think it has to be done each time a class or resource is
loaded, else anyone can change the jar file in the cache folder after it
has been installed and no verification is done.
I think that's not really good, as the purpose of the security bits is to
be ... secured, and if people are willing to pay the cost of the security
manager, it has to be 100% secured imho.
On Thu, Mar 22, 2012 at 13:50, Karl Pauls <[email protected]> wrote:
The verification is done in the security provider (only happens if
installed).
regards,
Karl
On Thu, Mar 22, 2012 at 1:24 PM, Guillaume Nodet <[email protected]> wrote:
I'm trying to understand how Felix verifies the class signatures but I
don't see anything around that.
It seems to me that in a non-OSGi environment, the classes will be verified
by the class loader when loaded from a jar, mainly because the
java.util.jar.JarFile does the signature verification when loading an entry
(i.e. a class) from the jar file. However, Felix does not use the JarFile
class and uses a custom ZipFile instead.
So it looks like the whole signed jars mechanism does not really work.
Am I right, or do I miss something here?
--
------------------------
Guillaume Nodet
------------------------
Blog: http://gnodet.blogspot.com/
------------------------
FuseSource, Integration everywhere
http://fusesource.com
--
Karl Pauls
[email protected]
http://twitter.com/karlpauls
http://www.linkedin.com/in/karlpauls
https://profiles.google.com/karlpauls
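
The per-load check discussed in this thread, as an added example (not code from Felix or from any participant): every entry is read through java.util.jar.JarFile with verification enabled, and entries that are unsigned or whose bytes no longer match the signed manifest are rejected. The class name VerifyOnLoad and the helper loadVerified are hypothetical; the jar path is given on the command line, and any signer is accepted as an assumption.

```java
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.util.Collections;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class VerifyOnLoad {
    /** Reads one entry through JarFile so its digest is checked on this read. */
    static byte[] loadVerified(JarFile jar, String name) throws IOException {
        JarEntry entry = jar.getJarEntry(name);
        if (entry == null) throw new FileNotFoundException(name);
        byte[] bytes;
        try (InputStream in = jar.getInputStream(entry)) {
            // A digest mismatch surfaces as SecurityException while reading.
            bytes = in.readAllBytes();
        }
        // Signers are only populated once the stream has been read to the end.
        CodeSigner[] signers = entry.getCodeSigners();
        if (signers == null || signers.length == 0) {
            throw new SecurityException("unsigned entry");
        }
        // Assumption: any signer is accepted here. A real policy would compare
        // the signer certificates against the ones it trusts.
        return bytes;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java VerifyOnLoad <path-to-jar>");
            return;
        }
        // Second argument 'true' turns signature verification on.
        try (JarFile jar = new JarFile(new File(args[0]), true)) {
            for (JarEntry e : Collections.list(jar.entries())) {
                // The signature files under META-INF are not themselves signed.
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                try {
                    byte[] b = loadVerified(jar, e.getName());
                    System.out.println("OK       " + e.getName() + " (" + b.length + " bytes)");
                } catch (SecurityException ex) {
                    System.out.println("REJECTED " + e.getName() + ": " + ex.getMessage());
                }
            }
        }
    }
}
```

Running it against a signed jar before and after modifying one entry in place shows the difference between checking at install time and checking on each read.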