Java Reference
In-Depth Information
14.4.5
Implementing a policy-file reader
The main purpose behind implementing a policy-file reader is to give you a conve-
nient way to populate the
ConditionalPermissionAdmin
service with
Conditional-
PermissionInfo
objects composing your desired security policy. To achieve this, you
need a way to encode/decode
ConditionalPermissionInfo
objects to/from human-
readable text. As luck would have it, the Conditional Permission Admin Service speci-
fication standardizes such an encoding.
To encode an object, you use the
ConditionalPermissionInfo.getEncoded()
method, which returns a
String
representing the associated object. To decode an object,
you use the
ConditionalPermissionAdmin.newConditionalPermission(String)
method, which returns the corresponding decoded
ConditionalPermissionInfo
object. It can't get much simpler than that. The encoded format is
access { conditions permissions } name
Here,
access
is the access decision (either
ALLOW
or
DENY
),
conditions
is zero or
more encoded conditions,
permissions
is one or more encoded permissions, and
name
is the name associated with the
ConditionalPermissionInfo
object. Drilling
down, the encoded format of a
ConditionInfo
is
[type "arg0" "arg1" ...]
where
type
is the fully qualified class name of the condition and the remaining are
the quoted arguments for its constructor. In a similar fashion, the encoded format of a
PermissionInfo
is
(type "name" "actions")
As with conditions,
type
is the fully qualified class name of the permission, and the
remaining are the quoted name and actions for its constructor. A more concrete
example looks like this (we've added line breaks for readability):
ALLOW {
[org.osgi.service.condpermadmin.BundleLocationCondition "file:foo.jar"]
(org.osgi.framework.PackagePermission "*" "IMPORT")
} "allow-all-packages"
With this standard encoding format, you can implement a simple policy-file reader
bundle that populates the
ConditionalPermissionAdmin
service by reading encoded
ConditionalPermissionInfo
objects from a file upon activation. All you'll need to do
to set and/or change your security policy is to edit your policy file and then start this
bundle. More precisely, its
start()
method looks like the following listing.
Listing 14.3 Policy-file reader bundle activator
start()
method
public void start(BundleContext context) {
File policyFile = getPolicyFile(context);
List<String> encodedInfos = readPolicyFile(policyFile);
encodedInfos.add(0, "ALLOW {"
+ "[org.osgi.service.condpermadmin.BundleLocationCondition \""