Eclipse Community Forums
Virgo & SecurityManager [message #784178] Fri, 27 January 2012 06:42
Anton Kolmakov
Hi guys, do you have any examples how to run Virgo with enabled SecurityManager?
I have tried many options and none of them work.
Re: Virgo & SecurityManager [message #784267 is a reply to message #784178] Fri, 27 January 2012 09:18
Borislav Kapukaranov
Hi,

The Security Manager is a tricky area but still possible to enable.
You need to use the OSGi Security Manager, Equinox's in particular.

You need to add this property in your dmk.bat/sh file:
-Declipse.security=osgi
-Declipse.enableStateSaver=true

Now if you start Virgo you have enabled the OSGi Security Manager. The problem is that by default everyone gets AllPermission.
You might want to take a look at these sections in the OSGi specs:

  • Security section of the OSGi core specification
  • ConditionalPermissionAdmin of the OSGi compendium specification

Long story short you need a bundle that will play as Security Agent of some sort. It will manage your permission sets. The nice thing about that is this can be dynamic management so it can be made to update your permissions on the fly as the server is running.

In the attached "Examples.zip" file I've included for you

  • a sample bundle that plays the role of Security Agent
  • a sample policy file that is read by the Security Agent in its Activator
  • a Java class that signs bundles, provided you have generated your own keystore

You need to include in your dmk.bat/sh also this:
-Dosgi.policyFile=osgi-all.policy - this way the Security Agent will know which file to read for policies. Place the policy file in the root of your installation.

To activate the Security Agent bundle you need to put it in /plugins of your Virgo 3.5 installation then go to /configuration/config.ini and replace this line:
osgi.bundles=reference\:file\:org.eclipse.equinox.simpleconfigurator_1.0.300.v20110815-1744.jar@1\:start

with this one:
osgi.bundles=reference\:file\:SecurityAgent_1.0.0.jar@1\:start,reference\:file\:org.eclipse.equinox.simpleconfigurator_1.0.200.v20100503-sap.jar@2\:start

This ensures the Security Agent is the first bundle to start and every other bundle will have the defined permissions applied.

[OPTIONAL] If you are going down the signed bundles path, you need a couple more properties in the dmk.bat/sh.
-Dosgi.framework.keystore=file:<absolute path to your keystore file>
-Dosgi.signedcontent.support="runtime"

If you will use just the location based permission definitions then you don't need these.

A few words on the policy file. It contains a number of examples that utilize both pure Java and OSGi Permission classes. All examples however use the Signer condition, so if you want location-based permission distribution you need to check the specification for the right syntax. In any case take a look at the syntax described in the specification here. Of interest is the DENY policy applied after a non-restrictive ALLOW to give you some sort of blacklist support.

Also keep in mind the following
- You can't use the plain Java security manager in a default OSGi environment as it won't have any effect at all. This is because bundle class loaders are not descendants of URLClassLoader and Java's security applies only to these.
- You may need to enable pure Java security working in parallel with OSGi's security because the web applications that GeminiWeb/Tomcat runs use different loaders for their parts. For example servlets and scriptlets are loaded with Jasper's ClassLoader, which is affected only by the pure Java security. But this is something that may not affect you, so check first.

And last, the examples I give you here are just examples and are not meant for production usage!

I've tested the examples only on Virgo Nano, but the principle is the same in all other distributions and I expect this to be applicable without any changes.

IMHO Virgo can provide both the agent and a policy file as part of the server so if you have desire for that please raise an enhancement in our Bugzilla.
Also soon the Equinox launcher that we use may provide functionality to configure the Security Manager right at the server's startup thus configuring the server more securely at the earliest time possible. For more on this follow this bug.

  • Attachment: Examples.zip (Size: 7.78KB)

[Updated on: Fri, 27 January 2012 09:28]


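The "Security Agent" pattern from the post above, as an added example written for this page (it is not the code from Examples.zip and not part of Virgo): a bundle activator that reads policy rows in the encoded form ConditionalPermissionAdmin accepts (access, conditions in square brackets, permissions in parentheses, optional name) and replaces the whole permission table in one update. The property name osgi.policyFile follows the post; the package name, the sample rows, the pickup-directory location pattern and the Ottawa signer pattern are assumptions for illustration. It needs the OSGi core and condpermadmin API on the classpath.

```java
package example.securityagent; // assumed package name, not the attachment's

import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.List;

import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;
import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
import org.osgi.service.condpermadmin.ConditionalPermissionInfo;
import org.osgi.service.condpermadmin.ConditionalPermissionUpdate;

public class Activator implements BundleActivator {

    // Constructed sample policy used when -Dosgi.policyFile is not set.
    // The table is evaluated top-down: the first row whose conditions all hold and
    // whose permissions imply the requested permission decides, so a DENY row that is
    // meant to act as a blacklist must be placed before the broad ALLOW it restricts.
    static final String SAMPLE_POLICY = String.join("\n",
        "# applications dropped into the pickup directory (assumed location pattern) may not exit the JVM",
        "DENY { [org.osgi.service.condpermadmin.BundleLocationCondition \"file:*/pickup/*\"]"
            + " (java.lang.RuntimePermission \"exitVM.*\") } \"no-exit-from-pickup\"",
        "# bundles whose signer chain contains the Ottawa certificate get everything",
        "ALLOW { [org.osgi.service.condpermadmin.BundleSignerCondition \"-; CN=*, OU=*, O=*, L=Ottawa, ST=*, C=*; -\"]"
            + " (java.security.AllPermission \"*\" \"*\") } \"signed-all\"",
        "# everything else gets a minimal set",
        "ALLOW { (org.osgi.framework.PackagePermission \"*\" \"import\")"
            + " (org.osgi.framework.ServicePermission \"*\" \"get\") } \"default-minimal\"");

    @Override
    public void start(BundleContext ctx) throws Exception {
        ServiceReference<ConditionalPermissionAdmin> ref =
            ctx.getServiceReference(ConditionalPermissionAdmin.class);
        if (ref == null) {
            // Without -Declipse.security=osgi the service is absent; fail loudly rather than
            // start the server with everyone holding AllPermission.
            throw new IllegalStateException("ConditionalPermissionAdmin not available; is -Declipse.security=osgi set?");
        }
        ConditionalPermissionAdmin cpa = ctx.getService(ref);
        try {
            String policyFile = System.getProperty("osgi.policyFile");
            String policy = policyFile != null
                ? new String(Files.readAllBytes(Paths.get(policyFile)), StandardCharsets.UTF_8)
                : SAMPLE_POLICY;
            int rows = installPolicy(cpa, policy);
            System.out.println("SecurityAgent: installed " + rows + " policy rows");
        } finally {
            ctx.ungetService(ref);
        }
    }

    /** Replaces the permission table with the rows in policy; returns the number of rows installed. */
    static int installPolicy(ConditionalPermissionAdmin cpa, String policy) throws IOException {
        ConditionalPermissionUpdate update = cpa.newConditionalPermissionUpdate();
        List<ConditionalPermissionInfo> table = update.getConditionalPermissionInfos();
        table.clear(); // replace rather than append, so rows from an earlier run cannot linger
        BufferedReader in = new BufferedReader(new StringReader(policy));
        String line;
        while ((line = in.readLine()) != null) {
            line = line.trim();
            if (line.isEmpty() || line.startsWith("#")) {
                continue;
            }
            // Parses one encoded row; a malformed row throws IllegalArgumentException here,
            // before anything is committed.
            table.add(cpa.newConditionalPermissionInfo(line));
        }
        if (!update.commit()) {
            // commit() returns false when another party changed the table since the update was created
            throw new IllegalStateException("permission table changed concurrently; retry");
        }
        return table.size();
    }

    @Override
    public void stop(BundleContext ctx) {
        // Deliberately leave the table in place: clearing it would hand the default
        // (AllPermission) back to every bundle while the server keeps running.
    }
}
```

Start this bundle first, as the post describes via config.ini, so that the table is in place before any other bundle resolves; a malformed row aborts start() before commit, which is the safer failure mode than running with an empty table.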
Re: Virgo & SecurityManager [message #784289 is a reply to message #784267] Fri, 27 January 2012 09:52
Anton Kolmakov
Thank you so much for the detailed answer!
Re: Virgo & SecurityManager [message #787324 is a reply to message #784289] Tue, 31 January 2012 13:03
Anton Kolmakov
It looks like that ConditionalPermissionAdmin does not work properly with "cn=*, ou=*, o=Eclipse.org Foundation\, Inc, l=*, st=*, c=*" distinguished name as a condition argument. According to the specification:

<string> ::= *( <stringchar> | <pair> ) | '"' *( <stringchar> | <special> | <pair> ) '"' | "#" <hex>
<pair> ::= "\" ( <special> | "\" | '"')
<special> ::= "," | "=" | <CR> | "+" | "<" |  ">" | "#" | ";"


When ConditionalPermissionAdmin creates ConditionalPermissionInfo it skips escaped comma and escapes backslash. Parsed name is: "cn=*, ou=*, o=Eclipse.org Foundation\\, Inc, l=*, st=*, c=*".

I think that it is wrong, it should not escape escaped comma.

Re: Virgo & SecurityManager [message #787377 is a reply to message #787324] Tue, 31 January 2012 14:11
Anton Kolmakov
Also when I use BundleSignerCondition with argument "CN=*, OU=*, O=*, L=Ottawa, ST=*, C=*" to match org.eclipse.equinox.simpleconfigurator_1.0.300.v20110815-17 bundle which is signed by:

CN="Eclipse.org Foundation, Inc", OU=Digital ID Class 3 - Java Object Signing, O="Eclipse.org Foundation, Inc", L=Ottawa, ST=Ontario, C=CA
CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www.verisign.com/rpa (c)04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US

it fails. And I do not know the reason. Any ideas?
Re: Virgo & SecurityManager [message #787417 is a reply to message #787377] Tue, 31 January 2012 15:02
Borislav Kapukaranov
Sorry, no idea :( I think you might have the best luck understanding what's wrong if you debug that. The Conditional Permission Admin is implemented in the system bundle. I remember I had a hard time getting the signature approach to run fine too. Why don't you try the location-based approach for starters.

As for the escaped commas. I think you may have a point here. It would be best to open a bug against Equinox to check if this indeed is a bug.
It would be most helpful if you attach an example that reproduces the problem you are observing in a plain Equinox.
Re: Virgo & SecurityManager [message #787421 is a reply to message #787417] Tue, 31 January 2012 15:06
Borislav Kapukaranov
Backslashes must already be escaped in Java strings, requiring 2 backslashes in Java source code.
For example:
DN:              cn = Bugs Bunny, o = ACME++, C=US
Canonical form:  cn=bugs bunny,o=acme\+\+,c=us
Java String:     "cn=Bugs Bunny,o=ACME\\+\\+,c=US"


Actually looking at this specification text I think you may need to escape the comma with double backslash. Does that work?

[Updated on: Tue, 31 January 2012 15:08]


Re: Virgo & SecurityManager [message #787524 is a reply to message #787421] Tue, 31 January 2012 17:18
Anton Kolmakov
Quote:
Actually looking at this specification text I think you may need to escape the comma with double backslash. Does that work?


You are right, if I had a hardcoded name like:

String name = "cn=Bugs Bunny,o=ACME\\+\\+,c=US";


I should use a double backslash because Java's backslash is "\\". But in a text file I can simply write "\" and it will be read as "\\" in Java.

My example demonstrates the name in canonical form. I read permissions from the file.

I have tried the approach you proposed with a double backslash. And it does not work either.

Quote:
Why don't you try with the location-based approach for starters.


Of course, I can use it and I will probably use it. But I want to understand what Virgo supports and how it works.
Re: Virgo & SecurityManager [message #788033 is a reply to message #787524] Wed, 01 February 2012 09:10
Anton Kolmakov
Quote:
Also when I use BundleSignerCondition with argument "CN=*, OU=*, O=*, L=Ottawa, ST=*, C=*" to match org.eclipse.equinox.simpleconfigurator_1.0.300.v20110815-17 bundle...


I have found the reason for this problem: the pattern I was using is wrong. Because there is a DN chain, the pattern should be "-; CN=*, OU=*, O=*, L=Ottawa, ST=*, C=*; -".
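The DN chain matching that the last two posts turn on, as an added example that is not part of the thread or of Virgo: it runs the standard OSGi matcher (FrameworkUtil.matchDistinguishedNameChain, the same rules BundleSignerCondition applies) against a chain constructed from the three certificate subjects quoted above, written in the RFC 2253 form the framework sees, with commas inside values backslash-escaped. The class name and the fourth pattern are assumptions for illustration; the first two patterns are the ones from the thread. Note that this exercises the matcher directly, not the encoded-policy parser of ConditionalPermissionAdmin in which the escaped-comma mangling was observed.

```java
import java.util.Arrays;
import java.util.List;

import org.osgi.framework.FrameworkUtil;

public class SignerChainCheck { // assumed class name

    // Constructed from the chain quoted in the thread, leaf certificate first, root last.
    // In RFC 2253 form the commas in "Eclipse.org Foundation, Inc" and "VeriSign, Inc."
    // are escaped with a backslash; in Java source that backslash is itself doubled.
    static final List<String> CHAIN = Arrays.asList(
        "CN=Eclipse.org Foundation\\, Inc, OU=Digital ID Class 3 - Java Object Signing,"
            + " O=Eclipse.org Foundation\\, Inc, L=Ottawa, ST=Ontario, C=CA",
        "CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www.verisign.com/rpa (c)04,"
            + " OU=VeriSign Trust Network, O=VeriSign\\, Inc., C=US",
        "OU=Class 3 Public Primary Certification Authority, O=VeriSign\\, Inc., C=US");

    /** True if the pattern matches the whole chain under the OSGi certificate matching rules. */
    static boolean matches(String pattern) {
        return FrameworkUtil.matchDistinguishedNameChain(pattern, CHAIN);
    }

    public static void main(String[] args) {
        String[] patterns = {
            // A single DN pattern must match a chain of exactly one DN, so against a
            // three-certificate chain this is the failing pattern from the thread.
            "CN=*, OU=*, O=*, L=Ottawa, ST=*, C=*",
            // '-' stands for zero or more DNs, so this accepts the Ottawa certificate
            // anywhere in the chain; this is the corrected pattern from the thread.
            "-; CN=*, OU=*, O=*, L=Ottawa, ST=*, C=*; -",
            // '*' as a whole element stands for exactly one DN: leaf, then two more.
            "CN=*, OU=*, O=*, L=Ottawa, ST=*, C=*; *; *",
            // A DN pattern starting with "*," matches any DN ending in the listed RDNs;
            // the escaped comma is part of the value, not an RDN separator.
            "-; *, O=VeriSign\\, Inc., C=US",
        };
        for (String p : patterns) {
            System.out.println((matches(p) ? "MATCH    " : "NO MATCH ") + p);
        }
    }
}
```

Per the matching rules the first pattern does not match and the other three do. When a signer condition silently fails, feeding the bundle's actual chain (from Bundle.getSignerCertificates, each subject via X500Principal.getName(RFC2253)) into this helper is a quicker check than debugging the framework.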