[
https://issues.apache.org/jira/browse/FELIX-5148?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15589049#comment-15589049
]
Paolo Antinori commented on FELIX-5148:
---------------------------------------
ah, yes, sorry. I made a mess with the reproducer script. I wasn't enabling the
policy file, it's correct now
Anyhow the problem is still there for me.
{code}
17:23:10 (..apache-karaf-4.0.7)$
EXTRA_JAVA_OPTS="-Djava.security.debug=failure,domain" bin/karaf
Exception in thread "CM Configuration Updater"
java.security.AccessControlException: access denied
("org.osgi.framework.AdaptPermission"
"org.osgi.framework.wiring.BundleRevision" "adapt")
at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at
java.security.AccessController.checkPermission(AccessController.java:685)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at
org.apache.felix.framework.BundleImpl.checkAdapt(BundleImpl.java:1087)
at org.apache.felix.framework.BundleImpl.adapt(BundleImpl.java:1096)
at
org.ops4j.pax.logging.service.internal.PaxLoggerImpl.setDelegateContext(PaxLoggerImpl.java:102)
at
org.ops4j.pax.logging.service.internal.PaxLoggerImpl.error(PaxLoggerImpl.java:193)
at
org.ops4j.pax.logging.service.internal.PaxLoggingServiceImpl.log(PaxLoggingServiceImpl.java:161)
at
org.ops4j.pax.logging.service.internal.PaxLoggingServiceImpl.access$000(PaxLoggingServiceImpl.java:48)
at
org.ops4j.pax.logging.service.internal.PaxLoggingServiceImpl$1ManagedPaxLoggingService.log(PaxLoggingServiceImpl.java:346)
at
org.apache.felix.cm.impl.ConfigurationManager.log(ConfigurationManager.java:1250)
at org.apache.felix.cm.impl.UpdateThread.run(UpdateThread.java:114)
at java.lang.Thread.run(Thread.java:745)
{code}
despite I am actually able to access Karaf shell.
Full invocation here:
https://paste.fedoraproject.org/455722/47689083/
{code}
17:27:54 (..apache-karaf-4.0.7)$ grep -rHin security etc/system.properties
etc/system.properties:125:# Security properties
etc/system.properties:127:# To enable OSGi security, uncomment the properties
below,
etc/system.properties:128:# install the framework-security feature and restart.
etc/system.properties:130:java.security.policy=${karaf.etc}/all.policy
etc/system.properties:131:org.osgi.framework.security=osgi
{code}
> Framework Security unusable
> ---------------------------
>
> Key: FELIX-5148
> URL: https://issues.apache.org/jira/browse/FELIX-5148
> Project: Felix
> Issue Type: Bug
> Components: Configuration Admin, Framework Security
> Affects Versions: framework.security-2.4.0, configadmin-1.8.0
> Reporter: Oliver Lietz
> Assignee: Karl Pauls
> Attachments: FELIX-5148.site.patch,
> FELIX-5148.sling-launchpad-builder.patch
>
>
> While fixing an issue with Sling and RMI (SLING-5375) reported by an user I
> came across an issue (KARAF-3400) reported by [~achim_nierbeck] for Karaf
> related to framework security.
> There is also an issue with [Sling's own OSGi launcher
> Launchpad|https://svn.apache.org/viewvc/sling/trunk/launchpad/builder/] and
> framework security when using {{org.apache.felix.configadmin}} >= {{1.8.0}}.
> {{all.policy}}:
> {noformat}
> grant {
> permission java.security.AllPermission;
> };
> {noformat}
> Adding {{org.apache.felix/org.apache.felix.framework.security/2.4.0}} to
> {{boot.txt}} and starting with arguments described on [Framework Security's
> page|http://felix.apache.org/documentation/subprojects/apache-felix-framework-security.html]
> (which looks broken) and
> [{{-Djava.security.manager}}|http://docs.oracle.com/javase/8/docs/technotes/guides/security/spec/security-spec.doc6.html]
> ([Building Secure OSGi
> Applications|http://de.slideshare.net/marrs/building-secure-osgi-applications])
> throws a {{java.security.AccessControlException}}:
> {noformat}
> java -Djava.security.manager -Djava.security.policy="all.policy"
> -Dorg.osgi.framework.security="osgi" -jar
> org.apache.sling.launchpad-9-SNAPSHOT.jar
> {noformat}
> {noformat}
> [...]
> [...] *ERROR* [FelixStartLevel] ERROR: Error starting
> slinginstall:org.apache.felix.configadmin-1.8.0.jar
> (java.security.AccessControlException: access denied
> ("java.io.FilePermission" "/[...]/sling/config" "read"))
> java.security.AccessControlException: access denied ("java.io.FilePermission"
> "/[...]/sling/config" "read")
> at
> java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
> at
> java.security.AccessController.checkPermission(AccessController.java:884)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
> at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
> at java.io.File.isDirectory(File.java:844)
> at
> org.apache.felix.cm.file.FilePersistenceManager.<init>(FilePersistenceManager.java:342)
> at
> org.apache.felix.cm.impl.ConfigurationManager.start(ConfigurationManager.java:244)
> at
> org.apache.felix.framework.util.SecureAction$Actions.run(SecureAction.java:1709)
> at java.security.AccessController.doPrivileged(Native Method)
> at
> org.apache.felix.framework.util.SecureAction.startActivator(SecureAction.java:688)
> at org.apache.felix.framework.Felix.activateBundle(Felix.java:2226)
> at org.apache.felix.framework.Felix.startBundle(Felix.java:2144)
> at org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1371)
> at
> org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308)
> at java.lang.Thread.run(Thread.java:745)
> [...]
> {noformat}
> I had to remove OSGi Subsystems support from {{boot.txt}} when using
> {{org.apache.felix.configadmin}} {{1.6}}:
> {noformat}
> org.apache.felix/org.apache.felix.coordinator/1.0.0
> org.eclipse.equinox/org.eclipse.equinox.region/1.2.101.v20150831-1342
> org.apache.aries.subsystem/org.apache.aries.subsystem.api/2.0.6
> org.apache.aries.subsystem/org.apache.aries.subsystem.core/2.0.6
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
