Being a framework, Gemini Blueprint needs to introspect bundles to determine their content and configuration. In general, it is recommended to grant
java.security.AllPermission to Gemini Blueprint bundles. For those that would like to restrict the properties, below you can find a list
of permissions that are needed for Gemini Blueprint to work properly. However, we strongly recommend to test whether the permissions are needed or
not for your environment since the minimum number depends heavily on what parts of the framework are used.
Table A.1. Gemini Blueprint Permission Table
|depends, <<ALL FILES>> recommended||read/write||Required by the logging system and web extender for installing the wars and JSP taglibs|
|*||accessDeclaredMembers||Used in some cases for reflection (such as accessing the |
|*||suppressAccessChecks||Used for accessing (through reflection) non-public methods or fields internally.|
|*||read,write||In use by the testing framework mainy. Useful for reading the environment, including OSGi properties.|
|*||class, execute, listener, metadata, resolve, resource||Used by the extender to listen read the content of started bundles.|
|*||HOST||Useful when attaching a custom configuration (as fragment) to the extender/web extender.|
|*||EXPORT, IMPORT||Basic permission used for importing and exporting the Gemini Blueprint bundles content.|
|*||get,register||Used for publishing and lookup of Gemini Blueprint internal services (such as the Spring namespace handlers/resolvers).|
Note that as of Gemini Blueprint 1.0, the extender will use the target bundle permissions for all actions executed on its behalf. That is, loading of classes, publishing the services, importing packages or the method invocations are executed using the bundle credentials just as if the user bundle would
As a general recommendation, for security sensible environments, to determine the minimum number of permissions start with a basic set of bundles and no permissions. This way, on each run, one can find out what permissions are needed and by whom and tweak the system accordingly.