[equinox-dev] Subject.doAsPrivileged not working with security enabled?!

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[equinox-dev] Subject.doAsPrivileged not working with security enabled?!

From: "Pepping, Florian" <florian.pepping@xxxxxxxxxxxxxxxxxx>
Date: Wed, 27 Jan 2010 08:55:19 +0100
Accept-language: de-DE, en-US
Acceptlanguage: de-DE, en-US
Delivered-to: equinox-dev@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/equinox-dev>
List-help: <mailto:equinox-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/equinox-dev>, <mailto:equinox-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/listinfo/equinox-dev>, <mailto:equinox-dev-request@eclipse.org?subject=unsubscribe>
Thread-index: AcqfJhI90wGory9oQ8OMbllwg1yXmQ==
Thread-topic: Subject.doAsPrivileged not working with security enabled?!

Hi!

In our application we want to use JAAS to authenticate and authorise users and their access to defined functions.

Therefore I have activated OSGi Security and added the correct AllPermission-Policy and the Equinox FrameworkSecurityManager while starting the application.

Performing “normal” checkPermission-Operations all security evaluations are executed as expected. You can use the specific bundle permissions and the call stack is considered in the right way.

However, using a Subject.doAsPrivileged call to perform operations as a specific user, the ProtectionDomains of the bundles are not considered and the user has always AllPermission.

Googling for this behaviour I found a bug report in the Felix bug database https://issues.apache.org/jira/browse/FELIX-654 describing this problem.

Using Equinox, can this happen the same way? And is there a proper workaround for this problem or is it not possible to use Subject.doAsPrivileged at the moment?

Thanks for your help

Florian Pepping

By the way, here are the AccessControlContexts before the Subject.doAsPrivileged and within the Subject.doAsPrivileged call:

Before the Subject.doAsPrivileged call:

ProtectionDomain (file:/D:/Sandboxes/DS/src/com.test/classes/ <no signer certificates>)

null

org.eclipse.osgi.framework.internal.core.BundleCombinedPermissions@5d72e2 ( à here I have a BundleCombinedPermission

)

With the Subject.doAsPrivileged call:

ProtectionDomain (file:/D:/Sandboxes/DS/src/com.test/classes/ <no signer certificates>)

null

java.security.Permissions@39d3d3 ( à here I have a “normal” PermissionCollection for this CodeBase

(java.security.AllPermission <all permissions> <all actions>)

)

WINCOR NIXDORF International GmbH
Sitz der Gesellschaft: Paderborn
Registergericht Paderborn HRB 3507
Geschäftsführer: Eckard Heidloff (Vorsitzender), Stefan Auerbach, Dr. Jürgen Wunram
Vorsitzender des Aufsichtsrats: Karl-Heinz Stiller
Steuernummer: 339/5884/0020 - Ust-ID Nr.: DE812927716 - WEEE-Reg.-Nr. DE44477193

Diese E-Mail enthält vertrauliche Informationen. Wenn Sie nicht der richtige Adressat sind oder diese E-Mail irrtümlich erhalten haben, informieren Sie bitte sofort den Absender und vernichten Sie diese E-Mail. Das unerlaubte Kopieren sowie die unbefugte Weitergabe dieser E-Mail ist nicht gestattet.

This e-mail may contain confidential information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorised copying, disclosure or distribution of the material in this e-mail is strictly forbidden.

Prev by Date: Re: [equinox-dev] Embedding Equinox Example
Next by Date: [equinox-dev] verifying signed bundles
Previous by thread: [equinox-dev] Embedding Equinox Example
Next by thread: [equinox-dev] verifying signed bundles
Index(es):
- Date
- Thread

Breadcrumbs