Hello, I have done my tests on the Java runtimes "1.7.0_71" and "1.8.0_25", and Felix "felix-framework-5.4.0". I have enabled security by adding "org.apache.felix.framework.security-2.4.0" to the bundle directory.

I have then created three projects: "p1-check", "p1-policy" and the offending bundle "p1-evil" (I'll attach all code).

My scenario is as follows: /I do not want p1-evil to connect to the Internet/. However, in the p1-evil Activator I placed some code that makes a request to Google and prints the response.

The p1-check bundle has only one condition: MyCheck.java. The /isSatisfied()/ method of MyCheck returns /true/ if the bundle symbolic name is "com.p1.evil", which is the symbolic name of the p1-evil bundle. This is meant to be used with the following security rule (can be found in security.policy):

    DENY { [com.p1.check.MyCheck] ( java.net.SocketPermission "*" "connect" ) } "MyCheck"

(Note: I also tried "connect,resolve"; it still does not work on Java 1.8.)

When I execute felix.jar with *java 1.7* I can see the logs from p1-check and, as expected, p1-evil does not connect and I get an exception [java.security.AccessControlException: access denied ("java.net.SocketPermission" "google.com:80" "connect,resolve")]

When I execute felix.jar with *java 1.8* I can see the logs from p1-check; however, the p1-evil activator is still allowed to connect to Google.

I have tried this on two different machines and I got the same results. Am I doing something wrong? Or is there something I do not know?

felix-framework-5.zip <http://apache-felix.18485.x6.nabble.com/file/n5016167/felix-framework-5.zip>
p1.zip <http://apache-felix.18485.x6.nabble.com/file/n5016167/p1.zip>
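For readers without the attachments, a condition of the kind the post describes could look like the sketch below. It is an added example reconstructed from the description, not the poster's attached MyCheck.java, and it assumes the OSGi core API (org.osgi.service.condpermadmin) is on the compile classpath; the log text is made up.

```java
package com.p1.check;

import java.util.Dictionary;

import org.osgi.framework.Bundle;
import org.osgi.service.condpermadmin.Condition;
import org.osgi.service.condpermadmin.ConditionInfo;

// Matches the policy row from the post:
//   DENY { [com.p1.check.MyCheck] ( java.net.SocketPermission "*" "connect" ) } "MyCheck"
public final class MyCheck implements Condition {

    // Symbolic name of the bundle the DENY row is meant to hit (from the post).
    private static final String TARGET = "com.p1.evil";

    private final boolean matches;

    private MyCheck(Bundle bundle) {
        // getSymbolicName() can return null, so compare from the constant side.
        this.matches = TARGET.equals(bundle.getSymbolicName());
    }

    // The framework instantiates conditions through this static factory,
    // once per bundle whose protection domain is being evaluated.
    public static Condition getCondition(Bundle bundle, ConditionInfo info) {
        return new MyCheck(bundle);
    }

    @Override
    public boolean isPostponed() {
        return false; // evaluated immediately, not deferred to the end of the check
    }

    @Override
    public boolean isSatisfied() {
        System.out.println("MyCheck.isSatisfied() -> " + matches); // constructed log line
        return matches;
    }

    @Override
    public boolean isMutable() {
        return false; // result never changes, so the framework may cache it
    }

    // Only called for postponed conditions; kept consistent with isSatisfied().
    @Override
    public boolean isSatisfied(Condition[] conditions, Dictionary<Object, Object> context) {
        for (Condition c : conditions) {
            if (!c.isSatisfied()) {
                return false;
            }
        }
        return true;
    }
}
```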