Dear all,
I was looking for something similar to a grant for a given principal authorized by 
a JAAS login module in the OSGi world. I thought that ConditionalPermissionAdmin 
(CPM) would be the solution to my problems; however, it failed to cover the scenario.

I have very simple code to test the security layer using the standard Java mechanism. 
My JAAS configuration: 
Unix {
  com.sun.security.auth.module.UnixLoginModule required; 
};

Policy configuration: 
grant Principal com.sun.security.auth.UnixPrincipal "workshop" {
  permission java.io.FilePermission "file.txt", "read";
};

This example allows opening "file.txt" when the JVM is launched by user "workshop". 
There are many examples where this may be used, and the unix principal is used here just 
because it doesn't have any external dependencies. With this kind of 
configuration I may grant access to given permissions using a given principal 
(GroupPrincipal "admin" to administer bundle states, for example).

I launched my example under Felix 4.x with Felix Security 2.0.1. However, from what 
I have observed, it seems that OSGI-INF/permissions.perm must have the following 
syntax:
(permissionClass "resource", "action")

I had the following OSGI-INF/permissions.perm file:
ALLOW {
  [com.example.PrincipalPermission "admin"]
  (java.io.FilePermission "file.txt", "read")
} "read file by admin group"

I have a login module which is capable of verifying user credentials and performing 
authentication. My code is executed with Subject.doAsPrivileged(subject, 
action, null). I haven't tried that with Equinox yet.

Another thing is the usage of AccessControlContext inside custom permissions: it 
causes a stack overflow (I use 
Subject.getSubject(AccessController.getContext())). I don't know how to avoid 
that, since my custom permission must obtain the Subject instance to obtain the given 
permissions, but it doesn't have access to the subject instance. I don't want to hack 
with ThreadLocals since it will break compatibility with the JAAS layer used by many 
libraries.

Did you ever get something like this running with CPM? If so, please share tips 
with me.

Cheers,
Lukasz
--
Apache Karaf Committer
http://dywicki.pl
_______________________________________________
OSGi Developer Mail List
osgi-dev@mail.osgi.org
https://mail.osgi.org/mailman/listinfo/osgi-dev
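The following is an added example, not code from the message above or from Felix or Karaf. It shows the plain Java SE shape of the scenario the message describes (a principal-based grant evaluated under Subject.doAsPrivileged(subject, action, null)) without any OSGi layer: a constructed GroupPrincipal class, an illustrative Policy subclass that stands in for the "grant Principal ... { permission ... }" policy entry, and a constructed file path. The point worth seeing is where the principals come from: once doAsPrivileged is active, the SubjectDomainCombiner attaches the Subject's principals to every ProtectionDomain on the stack, so a Policy or Permission can read them from ProtectionDomain.getPrincipals() during the check instead of calling Subject.getSubject(AccessController.getContext()), which itself performs an AuthPermission("getSubject") check while a check is already in progress.

```java
import java.io.FilePermission;
import java.security.AccessController;
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import javax.security.auth.AuthPermission;
import javax.security.auth.Subject;

public class PrincipalGrantDemo {

    // Constructed path (assumption). It must lie outside the class path, because the
    // launcher already grants every application class read access to its own class path.
    static final String PROTECTED_FILE = "/var/app/file.txt";

    // Constructed principal type standing in for a group principal such as the
    // GroupPrincipal "admin" in the message; it is not a JAAS or JDK class.
    static final class GroupPrincipal implements Principal {
        private final String name;
        GroupPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof GroupPrincipal && ((GroupPrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return "GroupPrincipal \"" + name + "\""; }
    }

    // Illustrative principal-aware Policy (assumption: it replaces the JVM's default
    // policy for this demo). Principals are read from ProtectionDomain.getPrincipals(),
    // which the SubjectDomainCombiner installed by Subject.doAsPrivileged fills in, so
    // the policy never calls Subject.getSubject(...) and never re-enters itself.
    static final class PrincipalPolicy extends Policy {
        private final Permission readFile = new FilePermission(PROTECTED_FILE, "read");
        private final Permission doAs = new AuthPermission("doAsPrivileged");

        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            // Anyone may enter doAsPrivileged; that check runs before principals attach.
            if (doAs.implies(permission)) {
                return true;
            }
            // Equivalent of: grant Principal GroupPrincipal "admin" { FilePermission ... "read" }
            return hasGroup(domain, "admin") && readFile.implies(permission);
        }

        private static boolean hasGroup(ProtectionDomain domain, String group) {
            Principal[] principals = domain.getPrincipals();
            if (principals == null) {
                return false;
            }
            for (Principal p : principals) {
                if (p instanceof GroupPrincipal && group.equals(p.getName())) {
                    return true;
                }
            }
            return false;
        }
    }

    // Runs the permission check as the given subject, the way the message's
    // Subject.doAsPrivileged(subject, action, null) call does. Returns true when the
    // read permission is granted and false when AccessController rejects it.
    static boolean canReadFileAs(Subject subject) {
        PrivilegedAction<Boolean> action = () -> {
            try {
                AccessController.checkPermission(new FilePermission(PROTECTED_FILE, "read"));
                return Boolean.TRUE;
            } catch (SecurityException denied) {
                return Boolean.FALSE;
            }
        };
        return Subject.doAsPrivileged(subject, action, null);
    }

    // Builds an authenticated Subject carrying one group principal; in real code the
    // LoginModule's commit() populates the principal set instead.
    static Subject subjectWithGroup(String group) {
        Subject subject = new Subject();
        subject.getPrincipals().add(new GroupPrincipal(group));
        return subject;
    }

    public static void main(String[] args) {
        // Build the subjects before the SecurityManager is active: adding principals then
        // requires AuthPermission "modifyPrincipals", which this demo policy does not grant.
        Subject admin = subjectWithGroup("admin");
        Subject guest = subjectWithGroup("guest");

        Policy.setPolicy(new PrincipalPolicy());
        System.setSecurityManager(new SecurityManager());

        System.out.println("admin can read " + PROTECTED_FILE + ": " + canReadFileAs(admin));
        System.out.println("guest can read " + PROTECTED_FILE + ": " + canReadFileAs(guest));
    }
}
```

Compile with javac and run with `java -Djava.security.manager=allow PrincipalGrantDemo` on JDK 17 through 23 (plain `java PrincipalGrantDemo` on JDK 8 to 16); the SecurityManager, and with it this whole mechanism, was permanently disabled in JDK 24, so the example is only meaningful on the older runtimes the message's Felix 4.x setup would have used. The "admin" subject passes the check and the "guest" subject is denied, with both decisions made purely from the principals the combiner placed on the ProtectionDomain.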
