> > The fact that until some initial permissions
> > are set, the framework (by definition) have to grant AllPermission to
> > all potentially installed bundles (as BJ pointed out) is neither the
> > default nor the recommended behavior of the JVM.
>
> Not sure I agree with you here. The situation should be similar to any
> application server. You grant, via the standard Java policy, AllPermissions
> to the Framework and potentially the CPA agent. Then those can start
> establishing their own protection domain from there on.
Well, exactly this was my initial point. You can use plain Java to
define a policy for your OSGi Framework, but not (necessarily) for
your bundles. Depending on the implementation, the PD of each bundle
can ignore the policies defined in plain Java (by just not
providing/using the CodeSoure information) and subsequently Java uses
the default Java policies (no location and no certificate information
| I know at least one implementation handling it like that). So you
can't define anything based on Java policies anymore. Actually you
have to provide a policy file which looks like that:
// policy.all
grant {
permission java.security.AllPermission;
};
Starting from here, you're (pure) Java environment behaves like Java
without SecurityManager and the OSGi environment is initially allowing
everyone everything, until the first config bundle sets new
Permissions (as Ben pointed out, only for the very first start of
course, after that the already set Permissions are used).
> Fair enough. I like OSGi spec from the angle that everything up until loading
> the bundle is left outside it, since the environment can be very different
> from PDA to SetTop to Server, but it tries to be extremely precise once the
> framework is up. For me it is a good thing, because I know the implementors
> will try to excel over the others. However, it also means I need to know more
> systems, and the reason why I created "Pax Runner"[1] to let me run
> effortlessly on many frameworks.
Yes, I know about your effort and I really like it. Unfortunately not
all my FWs are supported yet...
Best Regards,
Mirko
_______________________________________________
OSGi Developer Mail List
[email protected]
http://www2.osgi.org/mailman/listinfo/osgi-dev
