Well, let's say this is a step further then, since the standard
java.io.FilePermission is not working for me even in Linux with an absolute
path.
This is the command to launch the Felix framework:
    java -Djava.security.policy=all.policy -Dorg.osgi.framework.security=osgi \
      -Dosgi.signedcontent.support=trust \
      -Dfelix.keystore=file:/opt/felix/keystore.jks -Dfelix.keystore.pass=pswd \
      -Dfelix.keystore.type=jks -jar ./bin/felix.jar
With this policy file:
    DENY {
    ( java.io.FilePermission "/opt/miv/conf/sampleRead.txt" "read,write")
    } "Deny bundles signed by OTHER to read and write sampleRead.txt file"
    ALLOW {
    ( java.security.AllPermission "*" "*")
    } "But give all other not denied permissions to all bundles"
the policies are applied: no one can read and write the file
"/opt/miv/conf/sampleRead.txt".
But as soon as I try to insert a BundleSignerCondition:
    DENY {
    [org.osgi.service.condpermadmin.BundleSignerCondition "CN=xxx, OU=xxx, O=OTHER, L=xxx, ST=xxx, C=xx"]
    ( java.io.FilePermission "/opt/miv/conf/sampleRead.txt" "read,write")
    } "Deny bundles signed by OTHER to read and write sampleRead.txt file"
    ALLOW {
    ( java.security.AllPermission "*" "*")
    } "But give all other not denied permissions to all bundles"
or to generalize the file permission to a parent folder:
    DENY {
    ( java.io.FilePermission "/opt*" "read,write")
    } "Deny bundles signed by OTHER to read and write sampleRead.txt file"
    ALLOW {
    ( java.security.AllPermission "*" "*")
    } "But give all other not denied permissions to all bundles"
no policies are applied at all and everyone is allowed to read and write
every file!
What am I doing wrong here!? In the keystore.jks there are only the
certificates of ME and OTHER...
The bundles I'm testing are correctly signed (checked with jarsigner).
No idea how to solve this...
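
Added example, not part of the original message and not Felix code: it shows how java.io.FilePermission matches path names, which decides whether a DENY entry like the ones above covers an access to sampleRead.txt. The class name FilePermissionMatch and the extra "/opt/*", "/opt/-" and "/opt/miv/conf/*" entries are assumptions added for comparison; a Linux JVM is assumed, as in the post.

```java
import java.io.FilePermission;

// Added example: FilePermissionMatch is a hypothetical class name.
public class FilePermissionMatch {
    // The file the policy in the post is meant to protect.
    static final String TARGET = "/opt/miv/conf/sampleRead.txt";

    // True when a policy entry (path, actions) covers the requested access.
    static boolean covers(String policyPath, String policyActions,
                          String requestedPath, String requestedAction) {
        FilePermission policy = new FilePermission(policyPath, policyActions);
        FilePermission request = new FilePermission(requestedPath, requestedAction);
        return policy.implies(request);
    }

    public static void main(String[] args) {
        String[] policyPaths = {
            "/opt/miv/conf/sampleRead.txt", // exact file, as in the first policy
            "/opt*",                        // as in the third policy: a literal name, not a wildcard
            "/opt/*",                       // files directly inside /opt only
            "/opt/-",                       // everything below /opt, recursively
            "/opt/miv/conf/*",              // files directly inside the conf directory
        };
        String[] requestedActions = {"read", "write", "delete"};
        for (String path : policyPaths) {
            for (String action : requestedActions) {
                System.out.printf("%-32s %-8s -> %s%n",
                        path, action, covers(path, "read,write", TARGET, action));
            }
        }
    }
}
```

Only the exact path, "/opt/-" and "/opt/miv/conf/*" cover read and write of the target, and none of the entries covers delete. A DENY entry whose permission does not cover the requested one is skipped, so evaluation continues with the ALLOW entry.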