[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [equinox-dev] Enabling security in Equinox
- From: tom.hsu@xxxxxxxxxx
- Date: Thu, 29 Oct 2009 17:31:17 -0700
- Delivered-to: email@example.com
- Organization: Oracle Corporation
- User-agent: Thunderbird 22.214.171.124 (Windows/20090812)
I now realized that I need to provide system permissions for the
Conditional Permission Admin service in order to secure behaviors of
some installed bundles. Please confirm my understanding:
1. The example showed in the PDF seem to suggest achieving this using
privileged bundle to assign restricted permission objects for the new
2. #1 approach needs to be done programmatcally?
3. Is there a way to achieve the restriction of bundles coming from
known location <A> to have a limited set of permissions with a
configuration file like custo_java.policy?
On 10/28/2009 3:10 PM, Marcel Offermans wrote:
On Oct 28, 2009, at 22:46 , Tom Hsu wrote:
I have an usecase in which we'd like to secure the behavior of some
particular bundles at runtime. We have an OSGi equinox application
that will install custom bundles during runtime and execute code from
those custom bundles. We'd like to restrict the execution of those
code to specified work directories for security reasons.
I have searched for a morning about a quickstart guide to enable
java.policy style permissions for installed bundles by the OSGi
equinox fwk. But I have not found any easy documentation besides osgi
specifications on Admin permission and conditional admin services.
Can someone point me to some documentation?
In short, I want to restrict runtime-installed bundles to have
limited IO privileges. Thanks.
Last year at EclipseCon, Karl Pauls and I did a workshop on secure
OSGi applications. Amongst other things we discussed how to run both
Equinox and Felix with security. There are slides in the PDF that
explain the command line options you need.
Small disclaimer, this information is over a year old and might be a
bit outdated here and there, but still it might be a good starting point.
equinox-dev mailing list