Hello, I have done my tests on the Java runtimes "1.7.0_71" and "1.8.0_25",
and Felix "felix-framework-5.4.0". I have enabled security by adding
"org.apache.felix.framework.security-2.4.0" to the bundle directory.

I have then created three projects: "p1-check", "p1-policy" and the
offending bundle "p1-evil" (I'll attach all code). My scenario is as
follows: /I do not want p1-evil to connect to the Internet/. However, in
the p1-evil Activator I placed some code that makes a request to Google and
prints the response.

The p1-check bundle has only one condition: MyCheck.java. The
/isSatisfied()/ method of MyCheck returns /true/ if the bundle symbolic name
is "com.p1.evil", which is the symbolic name of the p1-evil bundle.

This is meant to be used with the following security rule (can be found in
security.policy):

DENY {
  [com.p1.check.MyCheck]
  ( java.net.SocketPermission "*" "connect" )
} "MyCheck"

(Note: I also tried "connect,resolve"; it still does not work on Java 1.8.)

When I execute felix.jar with *Java 1.7* I can see the logs from p1-check
and, as expected, p1-evil does not connect and I get an exception:
[java.security.AccessControlException: access denied
("java.net.SocketPermission" "google.com:80" "connect,resolve")]

When I execute felix.jar with *Java 1.8* I can see the logs from p1-check;
however, the p1-evil activator is still allowed to connect to Google.

I have tried this on two different machines and I got the same results. Am I
doing something wrong? Or is there something I do not know?

felix-framework-5.zip
<http://apache-felix.18485.x6.nabble.com/file/n5016167/felix-framework-5.zip>  
p1.zip <http://apache-felix.18485.x6.nabble.com/file/n5016167/p1.zip>  



--
View this message in context: 
http://apache-felix.18485.x6.nabble.com/Security-Conditions-not-working-on-Java-1-8-tp5016167.html
Sent from the Apache Felix - Users mailing list archive at Nabble.com.
