[jira] [Commented] (FELIX-5911) [Configurator] request FilePermission <>

Wed, 26 Sep 2018 05:45:05 -0700 


    [ 
https://issues.apache.org/jira/browse/FELIX-5911?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16628697#comment-16628697
 ] 

Timothy Ward commented on FELIX-5911:
-------------------------------------

This permission request seems wrong. By default the OSGi framework should grant 
access to the bundle storage area ([see the security section in the core 
specification 
title|[https://osgi.org/specification/osgi.core/7.0.0/framework.security.html#framework.security.impliedpermissions]).]
 I'm not sure why the bundle should need to request other file permissions at 
all.

 

I would also really like to see reflection removed as it really shouldn't be 
necessary. The bundle is in complete control of the serialization, so I'm not 
sure why it hasn't been written purely using DataInput/DataOutput. There aren't 
any cycles, and none of the default serialisation behaviour is in use. To my 
mind this could (and should) all be re-implemented without any need for 
reflection, even while maintaining backward compatibility with existing saved 
data.

 

Finally, the additional permissions needed when the "configurator.initial" 
property is set need to be granted by the person launching the framework. They 
know that they have set security on, and what they have sent the 
configurator.initial property to. The Configurator bundle shouldn't be opening 
up the base options for this.

> [Configurator] request FilePermission <<ALL FILES>>
> ---------------------------------------------------
>
>                 Key: FELIX-5911
>                 URL: https://issues.apache.org/jira/browse/FELIX-5911
>             Project: Felix
>          Issue Type: Bug
>          Components: Configurator
>    Affects Versions: configurator-1.0.4, configurator-1.0.6
>            Reporter: Christoph Nölle
>            Assignee: Carsten Ziegeler
>            Priority: Major
>             Fix For: configurator-1.0.8
>
>
> Configurator currently requests
> (java.io.FilePermission "-" "read,write,execute,delete")
> in its permissions.perm file (the "-" means all files and subfolders within 
> and below the current working dir). However, the bundle tries to access files 
> in the bundle storage area as well, whose location we cannot anticipate here. 
> It can be configured by means of a framework property, for instance. The 
> correct permission would be
> (java.io.FilePermission "<<ALL FILES>>" "read,write,execute,delete") 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to