Hello,
I am dusting off some code and looking to use Conditional Permission
Admin (CPA) to ensure all bundles running have been signed. The way to do
this in the past was to 'feature:install framework-security', or in my case,
add the following to startup.properties after packaging a custom
distribution:
mvn\:org.apache.felix/org.apache.felix.framework.security/2.8.4 = 1
I also have my own bundle that acts a a management agent and installs a
CPA security policy to only install bundles that have been signed by me
(after normal startup) denying everything else:
DENY {
( java.security.AllPermission "*" "*")
} "default deny"
ALLOW {
[ org.osgi.service.condpermadmin.BundleSignerCondition "CN=test ]
( java.security.AllPermission "*" "*")
} "allow test"
I've created a truststore and enabled the following system properties:
java.security.policy=${karaf.etc}/all.policy
org.osgi.framework.security=osgi
org.osgi.framework.trust.repositories=${karaf.etc}/truststore.ks
System startup fails I received the following message:
The Security Manager is deprecated and will be removed in a future release
I understand that the Java SecurityManager is slated for removal, but
how will this impact OSGi CPA? Is there no way for me to use the
BundleSignerCondition to check that bundles have been signed before
installed/starting? Or is this a limitation with the current
implementation of Apache Felix framework-security? Are there plans to
still support CPA that doesn't rely on the SecurityManager?
--
V/r,
Charlie
