Hi Robert,
You have done your duty now and given back to the list :-)
What you have provided will help me through this security jungle,
Thanks for your contribution,
Paul
On 15/04/2016 8:38 PM, Robert Onslow wrote:
Glad I can maybe do something useful for the list here, because I
spent some time experimenting with
org.apache.felix.framework.security.
I'm now using this framework in an application (called xbundle) to
ensure all OSGi bundles are signed.
I start Felix with the following VM args:
org.osgi.framework.security="osgi"
java.security.policy=xbundle.policy
felix.keystore=file:xbundle.jks
felix.keystore.type=jks
felix.keystore.pass=passwd
osgi.signedcontent.support=all
xbundle.policy has:
grant {
permission java.security.AllPermission;
};
In config.properties I see that I have set:
org.framework.extensions=org.apache.felix.framework.security
Then I write a bundle with an Activator which does:
    // Types used: org.osgi.service.condpermadmin.*,
    // org.osgi.service.permissionadmin.PermissionInfo,
    // java.security.AllPermission, java.util.List
    public void start(BundleContext context) {
        // Look up the Conditional Permission Admin service
        ServiceReference<ConditionalPermissionAdmin> ref =
            context.getServiceReference(ConditionalPermissionAdmin.class);
        ConditionalPermissionAdmin admin = context.getService(ref);

        // Work on a copy of the permission table; commit() applies it
        ConditionalPermissionUpdate update = admin.newConditionalPermissionUpdate();
        List<ConditionalPermissionInfo> infos = update.getConditionalPermissionInfos();

        // ALLOW AllPermission to bundles whose signer matches this DN chain
        infos.add(admin.newConditionalPermissionInfo(
            "Signed Bundles",
            new ConditionInfo[] {
                new ConditionInfo(BundleSignerCondition.class.getName(), new String[] {
                    "CN=XBundle, O=XBundle, STREET=XBundle House, "
                        + "STREET=Placename, L=Town, ST=County, OID.2.5.4.17=Postcode, C=GB ; -"
                })
            },
            new PermissionInfo[] {
                new PermissionInfo(AllPermission.class.getName(), "*", "*"),
            },
            ConditionalPermissionInfo.ALLOW));
        update.commit();
    }
I start this bundle at run level 1 together with
org.apache.felix.framework.security-2.4.0.jar
Seems to work OK to check that all bundle jars are signed.
Robert
On Fri, Apr 15, 2016 at 6:41 AM, Paul F Fraser <[email protected]> wrote:
Hi,
Any of the tutorial/slideshare/examples etc. I could find are very old.
Is OSGi security being used currently or is there a new preferred approach?
When attempting to use the Felix framework security bundle it is unclear
what happens with the JVM security manager.
From
http://felix.apache.org/documentation/subprojects/apache-felix-framework-security.html
it seems that a security manager is not necessary.
If the Felix bundle is used without setting a security manager,
System.getSecurityManager() returns null.
Is it intended that the felix bundle needs a security manager set?
Any assistance in this area, which seems to be bypassed by many OSGi
developers, would be most appreciated.
Regards
Paul Fraser
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
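A pre-deployment check for the signed-bundle setup described in Robert's message, as an added example that is not part of the original thread: it uses only the JDK's java.util.jar API to list the signer subject DNs shared by every entry of each bundle JAR, so they can be compared with the DN given to BundleSignerCondition. The class name BundleSignatureAudit is hypothetical, and the tool reports signers only; it does not evaluate trust against the keystore.

```java
import java.io.*;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.jar.*;

// Added example, not from the thread. Reports signers only; trust is not evaluated here.
public class BundleSignatureAudit {                     // hypothetical class name
    // Signature metadata directly under META-INF/ is never itself signed.
    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        if (!n.startsWith("META-INF/") || n.indexOf('/', 9) != -1) return false;
        return n.equals("META-INF/MANIFEST.MF") || n.equals("META-INF/INDEX.LIST")
            || n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA")
            || n.endsWith(".EC") || n.startsWith("META-INF/SIG-");
    }
    // Subject DNs that signed every entry; empty if any entry is unsigned.
    static Set<String> signersOf(String path) throws IOException {
        Set<String> common = null;
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(path, true)) {   // true = verify digests
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory() || isSignatureFile(e.getName())) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { }      // signers are known only after a full read
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) return Collections.emptySet();
                Set<String> dns = new TreeSet<>();
                for (CodeSigner s : signers) {
                    X509Certificate leaf = (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
                    dns.add(leaf.getSubjectX500Principal().getName());
                }
                if (common == null) common = dns; else common.retainAll(dns);
            }
        }
        return common == null ? Collections.<String>emptySet() : common;
    }
    public static void main(String[] args) {
        for (String path : args) {
            try {
                Set<String> dns = signersOf(path);
                System.out.println(path + ": " + (dns.isEmpty() ? "NOT fully signed" : "signed by " + dns));
            } catch (SecurityException | IOException ex) {   // SecurityException = digest mismatch
                System.out.println(path + ": REJECTED (" + ex.getMessage() + ")");
            }
        }
    }
}
```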