[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [equinox-dev] Signed bundles

Hello Thomas,

I'm trying your suggestions:

java -Dosgi.signedcontent.support=true -Djava.security.policy="" -jar org.eclipse.osgi_3.4.0.v20071207.jar -console

From what I understand that should give me a framework with security and signed bundle support, but when I try that and type "services" from the equinox console, I don't get a (Conditional)PermissionAdmin service.

Greetings, Marcel

On Feb 6, 2008, at 15:43 , Thomas Watson wrote:

The option to enable signed bundles in 3.3 is osgi.support.signature.verify (notice "support" and "signature" are reversed). In 3.4 we are introducing a more general option called osgi.signedcontent.support which does not have simple true|false options, but we will continue to recognize the old 3.3. option. Matt is documenting the security options in https://bugs.eclipse.org/bugs/show_bug.cgi?id=217765

The internal security manager class is needed to fully support postponed conditions in ConditionalPermissionAdmin. If postponed conditions are not needed then simply enabling the security manager with -Djava.security.policy="" will enable the built-in security manager which will satisfy most needs.

There is an option called eclipse.security. This option is used by the launcher jar to setup a policy to grant the framework and the launcher AllPermissions and specify the security manager to use. Unfortunately this still requires a reference to an internal class if you want to load a security manager to support postponed conditions. I've opened a bug to investigate making this easier. Perhaps eclipse.security manager can have a value that indicates the framework should load its internal security manager. See https://bugs.eclipse.org/bugs/show_bug.cgi?id=218001.

Tom



<graycol.gif>Jeff McAffer ---02/06/2008 07:47:10 AM---Marcel Offermans wrote:

<ecblank.gif>
From:
<ecblank.gif>
Jeff McAffer <jeff@xxxxxxxxx>
<ecblank.gif>
To:
<ecblank.gif>
Equinox development mailing list <equinox-dev@xxxxxxxxxxx>
<ecblank.gif>
Date:
<ecblank.gif>
02/06/2008 07:47 AM
<ecblank.gif>
Subject:
<ecblank.gif>
Re: [equinox-dev] Signed bundles







Marcel Offermans wrote:
> So, reiterating, if I want to run Equinox with OSGi security enabled
> and have it use my own keystore, I have to start it like this
> (formatted a bit for clarity, but typed as one big line):
>
> java
>   -Djava.security.manager=org.eclipse.osgi.framework.internal.core.FrameworkSecurityManager
>   -Djava.security.policy=policy
>   -Dosgi.framework.keystore=keystore
>   -Dosgi.signature.support.verify=true
>   -jar org.eclipse.osgi_3.4.0.v20071207.jar
>   -console
>   -consoleLog
>
> Basically, I'm asking how Equinox is being run to be compliant with
> OSGi security.
Is the above line accurate?  Seems complicated and requires people to
reference internal classes etc.  Could be wrong but I remember it being
simipler

Jeff
_______________________________________________
equinox-dev mailing list
equinox-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/equinox-dev

_______________________________________________
equinox-dev mailing list
equinox-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/equinox-dev