Re: [Architecture] OSG level security

2015-02-16 Thread Godwin Amila Shrimal
Thanks all for the responses...! On Mon, Feb 16, 2015 at 9:54 AM, Harshan Liyanage wrote: > Hi, > > I also agree with Aruna's point. We have to trust the admin users who have > physical access to the system. If those users are malicious users, they can > even bring the entire system down if they

Re: [Architecture] OSG level security

2015-02-15 Thread Harshan Liyanage
Hi, I also agree with Aruna's point. We have to trust the admin users who have physical access to the system. If those users are malicious users, they can even bring the entire system down if they want. In such cases I believe that we don't have anything to do. Thanks, Lakshitha Harshan Software

Re: [Architecture] OSG level security

2015-02-15 Thread Aruna Karunarathna
On Fri, Feb 13, 2015 at 9:39 PM, Godwin Amila Shrimal wrote: > Hi, > > Since most of the hacking/fraud happens internally, this topic > just came to my mind. Our Carbon products don't have OSGI level security. > As an example, if someone internally in the company knows OSGI then can > wri

Re: [Architecture] OSG level security

2015-02-14 Thread Godwin Amila Shrimal
Hi All, Thanks for all responses, I'll explain a scenario via an example. If we take a system like online banking, we are using Symmetric/Asymmetric encryption, HSM, SmartCard etc. to enhance the security. They are not even saving the hash password in the Database. If an intruder deploys an OSGI bu

Re: [Architecture] OSG level security

2015-02-14 Thread Danushka Fernando
Hi Godwin, I think only devops have access to a production environment who can do such intrude and we trust devops. Because if we don't trust them we can do nothing. If someone else accidentally tries this I think Java security could prevent these assuming that bundle is not signed. If it is signed a

Re: [Architecture] OSG level security

2015-02-14 Thread Harsha Thirimanna
Hi Imesh, Yes, as you said, it is not avoidable if it is going to the dropping. But my question is, do we need to address this, because it is like doing attack himself who has access to the system. *Harsha Thirimanna* Senior Software Engineer; WSO2, Inc.; http://wso2.com *

Re: [Architecture] OSG level security

2015-02-14 Thread Imesh Gunaratne
A good point Godwin! If an intruder gets admin access to a host that runs a mission critical server, he/she could anyway damage the system very badly. However I think you have a point. We use secure wallet to encrypt all the system passwords to avoid even an admin user getting access to the server.

Re: [Architecture] OSG level security

2015-02-13 Thread Rajith Vitharana
Hi Godwin, Then again who should have permissions to do such changes? I mean we are allowing users to write their own components and extend our products. So in that sense on whom should we rely to do such changes? Do you mean to say we should have a different role for that scenario? Thanks. On

Re: [Architecture] OSG level security

2015-02-13 Thread Godwin Amila Shrimal
Hi Chinthana, Well, if it's a non-admin user it's like impossible to deploy an OSGI bundle, what I thought is, can we totally rely on the admin user in real mission critical applications? Thanks Godwin On Saturday, February 14, 2015, Chintana Wilamuna wrote: > How can a non admin user deploy

Re: [Architecture] OSG level security

2015-02-13 Thread Chintana Wilamuna
How can a non admin user deploy an OSGi bundle? -Chintana On Fri, Feb 13, 2015 at 8:09 AM, Godwin Amila Shrimal wrote: > Hi, > > Since most of the hacking/fraud happens internally, this topic > just came to my mind. Our Carbon products don't have OSGI level security. > As an example

[Architecture] OSG level security

2015-02-13 Thread Godwin Amila Shrimal
Hi, Since most of the hacking/fraud happens internally, this topic just came to my mind. Our Carbon products don't have OSGI level security. As an example, if someone internally in the company knows OSGI then they can write an OSGI bundle which harms the system and deploy it simply. Shouldn't we