Dear all, I was looking for something similar to grant for given principal authorized by JAAS login module in OSGi world. I thought that ConditionalPermissionaAdmin (CPM) will be solution of my problems, however it failed to cover the scenario.
I have very simple code to test security layer using standard Java mechanism. My JAAS configuration: Unix { com.sun.security.auth.module.UnixLoginModule required; }; Policy configuration: grant Principal com.sun.security.auth.UnixPrincipal "workshop" { permission java.io.FilePermission "file.txt", "read"; }; This example allows to open "file.txt" when JVM is launch by user "workshop". There are many examples, where this may be used and unix principal is used just because it doesn't have any external dependencies. With this kind of configuration I may grant access to given permissions using given principal (GroupPrincipal "admin" to administer bundle states for example). I launched my example under Felix 4.x with Felix Security 2.0.1. However, what I have observed - seems that OSGI-INF/permissions.perm must have following syntax: (permissionClass "resource", "action") I had following OSGI-INF/permissions.perm file: ALLOW { [com.example.PrincipalPermission "admin"] (java.io.FIlePermission "file.txt", "read") } "read file by admin group" I have login module which is capable to verify user credentials and perform authentication. My code is executed with Subject.doAsPrivileged(subject, action, null). I haven't tried that with Equinox yet. Another thing is usage of AccessControllContext inside custom permissions - it causes stack overflow (I use Subject.getSubject(AccessController.getContext())). I don't know how to avoid that since my custom permission must obtain Subject instance to obtain given permissions but it doesn't have access to subject instance. I don't want hack with ThreadLocals since it will break compability with JAAS layer used by many libraries. Did you ever got something like this running with CPM? If so, please share tips with me. Cheers, Lukasz -- Apache Karaf Commiter http://dywicki.pl _______________________________________________ OSGi Developer Mail List osgi-dev@mail.osgi.org https://mail.osgi.org/mailman/listinfo/osgi-dev