Even though some aspects of enabling security are standardized, not all aspects
are. As a result, enabling security is handled a little differently by different framework
implementations. We'll use the Apache Felix framework to show a concrete example.
The Felix framework is special because it provides its Conditional Permission Admin
Service implementation as an extension bundle. This means that in addition to setting
the previous properties, you also need to deploy the security provider bundle. Luckily,
this is easy to do with the bundle launcher; add it to the directory containing the
bundles you want to launch.
This gets you a framework with security enabled and an initial security policy. If
you want to allow for bundles signed by trusted certificates, you can use the
org.osgi.framework.trust.repositories property to point to the keystore containing
the certificates you trust, but typically a keystore requires the use of a password.
Because keystores used with this configuration property can't have passwords, you
need to resort to an implementation-specific means to give you what you want. For the
Felix framework, you do the following:
java -Dorg.osgi.framework.security=osgi \
  -Dfelix.keystore=file:certificates.ks \
  -Dfelix.keystore.pass=foobar \
  -Dfelix.keystore.type=jks \
  -jar launcher.jar bundles
In this case, the initial security policy file contains the following:
grant { permission java.security.AllPermission; };
This sets up your framework with a keystore and the password necessary to access it.
To illustrate what you can do with all of this, let's add to the paint program a
security policy that uses the security features you've learned about. The security
policy will allow core providers to provide shapes automatically; all others will
require explicit approval from the user. Other than providing shape services, bundles
are allowed to do anything. Start by creating a policy file with an entry to grant
AllPermission to bundles signed by the core certificate:
ALLOW {
  [ org.osgi.service.condpermadmin.BundleSignerCondition
    "CN=core,O=baz,C=de" ]
  ( java.security.AllPermission "*" "*" )
} "Signed by core"
Next, create an entry to grant all other bundles permission to register a shape service
based on the condition that the user approves it. For this, use your custom condition
like this:
ALLOW {
  [ org.foo.condition.ask.AskUserCondition
    "Do you want to allow ${symbolic-name} to provide a shape?" ]
  ( org.osgi.framework.ServicePermission
    "org.foo.shape.SimpleShape" "register" )
} "Ask the user"
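The following is an added example, not code from the original text: it sketches how a management bundle could load the two entries above into the framework through the standard ConditionalPermissionAdmin service, keeping them in the order shown so that bundles signed by the core certificate match the first row and never reach the user prompt. The class name PaintPolicyActivator is hypothetical, and the sketch installs only the two rows shown so far, not a complete policy.

```java
import java.util.List;
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;
import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
import org.osgi.service.condpermadmin.ConditionalPermissionInfo;
import org.osgi.service.condpermadmin.ConditionalPermissionUpdate;

// Hypothetical activator (added example). The bundle running it needs
// AllPermission itself, otherwise commit() throws a SecurityException.
public class PaintPolicyActivator implements BundleActivator {

  // The two rows from the text, in evaluation order. The table is checked
  // top to bottom and the first row whose conditions hold and whose
  // permissions imply the requested one decides, so the signer row goes first.
  private static final String[] POLICY = {
    "ALLOW { [ org.osgi.service.condpermadmin.BundleSignerCondition"
      + " \"CN=core,O=baz,C=de\" ]"
      + " ( java.security.AllPermission \"*\" \"*\" ) } \"Signed by core\"",
    "ALLOW { [ org.foo.condition.ask.AskUserCondition"
      + " \"Do you want to allow ${symbolic-name} to provide a shape?\" ]"
      + " ( org.osgi.framework.ServicePermission"
      + " \"org.foo.shape.SimpleShape\" \"register\" ) } \"Ask the user\""
  };

  public void start(BundleContext ctx) throws Exception {
    ServiceReference ref =
        ctx.getServiceReference(ConditionalPermissionAdmin.class.getName());
    if (ref == null) {
      // Security is not enabled or the security provider bundle is missing.
      throw new IllegalStateException("ConditionalPermissionAdmin unavailable");
    }
    ConditionalPermissionAdmin cpa =
        (ConditionalPermissionAdmin) ctx.getService(ref);
    try {
      ConditionalPermissionUpdate update = cpa.newConditionalPermissionUpdate();
      List<ConditionalPermissionInfo> infos =
          update.getConditionalPermissionInfos();
      infos.clear(); // replace the table so stale rows cannot shadow these
      for (String row : POLICY) {
        infos.add(cpa.newConditionalPermissionInfo(row)); // parses encoded form
      }
      if (!update.commit()) { // false: table changed since the update began
        throw new IllegalStateException("Policy table modified concurrently");
      }
    } finally {
      ctx.ungetService(ref);
    }
  }

  public void stop(BundleContext ctx) { }
}
```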