Java Reference
In-Depth Information
group is applicable; a permission group can be guarded by zero or more conditions.
Because permissions are granted to bundles in
OSG
i, conditions are evaluated against
the bundles on the call stack to determine which permissions have been granted to a
bundle. If multiple conditions are associated with a permission group, all conditions
must be satisfied for the permissions to apply (a logical
AND
).
If it isn't already clear, this is pretty power ful. Not only does it allow you to introduce
your own arbitrary conditions for granting permissions, but these conditions can also
be much more dynamic and fine-grained. For example, you can create a condition to
only grant permissions based on license status via remote server communication or
even the time of day. We'll get into creating custom conditions later; for now, we'll con-
tinue to explore what's provided by the Conditional Permission Admin Service.
What about performance?
If you know anything about Java security, you probably know it can have a significant
impact on execution-time performance. Evaluating all conditions for all bundles on
the call stack on every permission check can get expensive. Luckily, the Conditional
Permission Admin Service provides a way to mitigate this cost in a lot of cases by
differentiating between mutable and immutable conditions. This means the Boolean
results for immutable conditions only need to be calculated once per bundle protec-
tion domain. You'll see an example of an immutable condition shortly.
14.4.2
Introducing the Conditional Permission Admin Service
Let's look at the
API
behind the Conditional Permission Admin Service, which is the
ConditionalPermissionAdmin
service interface shown in the following listing.
Listing 14.1 The
ConditionalPermissionAdmin
interface
public interface ConditionalPermissionAdmin {
ConditionalPermissionInfo addConditionalPermissionInfo(
ConditionInfo[] conds, PermissionInfo[] perms);
AccessControlContext getAccessControlContext(String[] signers);
ConditionalPermissionInfo getConditionalPermissionInfo(String name);
Enumeration getConditionalPermissionInfos();
ConditionalPermissionInfo setConditionalPermissionInfo(
String name, ConditionInfo[] conds, PermissionInfo[] perms);
public ConditionalPermissionUpdate newConditionalPermissionUpdate();
public ConditionalPermissionInfo newConditionalPermissionInfo(
String name, ConditionInfo[] conditions, PermissionInfo[] permissions,
String access);
public ConditionalPermissionInfo newConditionalPermissionInfo(
String encodedConditionalPermissionInfo);
}
