Hi everybody, forgive my ignorance…
Maybe it’s not a right place to ask, but traffic seems to be light..
What is the state of security in post-SecurityManager world? Will signed
bundles be supported by Karaf?
Best regards,
Pavel
> On 20 Sep 2024, at 20:26, Jean-Baptiste Onofré <[email protected]> wrote:
>
> Hi Chaz,
>
> Thanks for the report, I will take a look and let you know.
>
> About osgi-security, I think there's already a JDK21+ bundle
> available. I have to check as well.
>
> Regards
> JB
>
> On Wed, Sep 18, 2024 at 9:16 PM <[email protected]> wrote:
>>
>> Hello,
>>
>> The permissions.perm file packaged with felix configadmin 1.9.26 and tested
>> on latest Karaf is missing RuntimePermission/PropertyPermission
>>
>> java.security.AccessControlException: access denied
>> ("java.lang.RuntimePermission"
>> "getenv.ORG_APACHE_FELIX_FILEINSTALL_DEPLOY_FELIX_FILEINSTALL_ACTIVE_LEVEL")
>> java.security.AccessControlException: access denied
>> ("java.lang.RuntimePermission"
>> "getenv.ORG_OPS4J_PAX_URL_MVN_FELIX_FILEINSTALL_FILENAME")
>> java.security.AccessControlException: access denied
>> ("java.lang.RuntimePermission" "getenv.ORG_OPS4J_PAX_LOGGING_COLOR_DEBUG")
>>
>> There are similar for those 3 with PropertyPermission.
>>
>> The following changes to permissions.perm fixes the issue:
>>
>> # Environment/Property Support
>> (java.lang.RuntimePermission "*" "getenv.*")
>> (java.util.PropertyPermission "*" "read")
>>
>> This is one of, if not the only, bundle in Karaf distrib i've seen with a
>> permissions.perm file.
>>
>> You can confirm this issue by enabling osgi security and installing
>> framework-security on felix or running equinox (enabled by default).
>>
>> A more general question:
>>
>> Is there a plan for osgi-security past JDK17? I'm planning to use it to
>> verify JARs are signed from the proper groups before hot-deploying.
>>
>> --
>> Chaz
