Eclipse Community Forums
Forum Search:

Search      Help    Register    Login    Home
Home » Eclipse Projects » Virgo » Security Manager + Virgo
Security Manager + Virgo [message #905385] Thu, 30 August 2012 05:33 Go to next message
eugene rabii is currently offline eugene rabii
Messages: 13
Registered: February 2012
Junior Member
Environment : Java 6; virgo-3.5.0.RELEASE.

The problem: I am trying to block calls fro OSGi bundles to System.exit. From plain Java, this is very easy. Extend the SecurityManager, override a method and done!

Well, now Virgo Smile. Here is the class:

private static class BlockExit extends SecurityManager {
@Override
public void checkExit(int status){
throw new UnsupportedOperationException("Not Allowed!");
}
}

And inside the start from BundleActivator:

System.setSecurityManager(new BlockExit());

Seems pretty straightforward, but it's not working. There are A LOT of exceptions in log, mainly:

xception in thread "[Timer] - Main Queue Handler" java.lang.IllegalArgumentException: java.security.AccessCo
ntrolException: access denied (org.osgi.framework.ServicePermission (service.id=8) get)


And most recent: Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)


Is there a way to use the security manager in Virgo?

Thank You,
Eugene,
Re: Security Manager + Virgo [message #906472 is a reply to message #905385] Sat, 01 September 2012 11:42 Go to previous messageGo to next message
Borislav Kapukaranov is currently offline Borislav Kapukaranov
Messages: 80
Registered: September 2010
Member
Hi Eugene,

There is a way to use security manager in Virgo - some configuration steps are required to enable it.
Also that security manager is actually an OSGi Security Manager built into the Equinox framework which Virgo uses.

A good point to start is to take a look at this forum thread. It covers the basic setup of the OSGi security manager and some examples how to use it to set permission across the framework.

Hope that helps,
Bobby
Re: Security Manager + Virgo [message #906476 is a reply to message #906472] Sat, 01 September 2012 11:51 Go to previous messageGo to next message
eugene rabii is currently offline eugene rabii
Messages: 13
Registered: February 2012
Junior Member
Hello Bobby,

Thank you for your answer. I've been through that link, an the only thing I ended up doing, is editing the bin/dmk.sh and adding these lines:

-Declipse.security=osgi \
-Declipse.enableStateSaver=true \

Then, I created a bundle - SecurityBundle where I set my security manager with the code in post above. Because the security manager is set for the entire JVM that's all I needed, all future deployed bundles will have this operation (System.exit in my case) disabled.

P.S. When you say "OSGi Security Manager" do you actually mean a custom implementation of the SecurityManager class from java.lang? Or is this something specific to OSGi?


Thank You,
Eugene.
Re: Security Manager + Virgo [message #906483 is a reply to message #906476] Sat, 01 September 2012 12:22 Go to previous messageGo to next message
Borislav Kapukaranov is currently offline Borislav Kapukaranov
Messages: 80
Registered: September 2010
Member
The OSGi Security Manager is mostly an extension to the plain Java Security Manager - giving you more permissions to work with and is plugged into the lifecycle of bundles. To fully enable all intended security features the specification requires the Framework to install own Security Manager. Maybe I should have used the more correct Equinox Security Manager rather than OSGi Security Manager. Smile

By default it works a bit differently. Just enabling it won't actually do anything - by default it gives least restrictive access and everyone gets all permission in contrast to the plain Java Security Manager where the default is no permission. In the link I posted I also put some examples. One of them is essential for making the OSGi permissions work - the security agent. It manages the Conditional Permission Admin OSGi Service which takes care of applying the permissions to everyone in the framework. You can read more about it in the OSGi compendium specification.

What I'm trying to say is that if you want this to work smoothly you may want to stick to the intended by the Equinox framework creators usage of the Equinox Security. The two properties you used are there to set tell the Equinox framework to enable its built-in security manager. In your code you seem to override that and set your own manager - I expect you'll have hard time making any custom security manager work with the framework, because it won't be integrated with the Permission Admin services and won't be able to apply the permissions to bundles or apps. It's possible it would also work the plain Java way and by default grant no permission which would explain why you have many errors in the logs.

I'd recommend to try out the examples in the link I posted and try to model your requirements using similar approach. It sounds to me as the shortest path to get it working.

Best Regards
Bobby

[Updated on: Sat, 01 September 2012 12:23]

Report message to a moderator

Re: Security Manager + Virgo [message #907111 is a reply to message #906483] Mon, 03 September 2012 06:09 Go to previous message
eugene rabii is currently offline eugene rabii
Messages: 13
Registered: February 2012
Junior Member
Hello Bobby,

This definitely brings some light. Thank You.

Nevertheless, the problem persists.

I have been reading the OSGi in Action about security and while I see there a lot of ways to secure bundles, actually secure bundle specific things, I can't see a way to secure a call to System.exit without providing my own implementation of the SecurityManager.

I can't see a way to be able to block System.exit calls.
There are ways to secure BUNDLE-SPECIFIC operations, I agree, but I can't see the same for the System.exit calls.

I thought that may be osgi.policyFile will help, but no matter what I do (I did put it path) and added it to the dmk.sh file, I keep getting :

ClassNotFoundException without any other additional info. Fun! Smile

Any help?

Thank You,
Eugene.

[Updated on: Mon, 03 September 2012 11:07]

Report message to a moderator

Previous Topic:plans
Next Topic:ConditionalPermissionAdmin not working
Goto Forum:
  


Current Time: Fri Aug 29 08:20:02 EDT 2014

Powered by FUDForum. Page generated in 0.02833 seconds