Details
-
Bug
-
Status: Closed
-
Blocker
-
Resolution: Fixed
-
webconsole-4.2.2
-
None
Description
The framework is run with java security enabled. When I attempt to start the webconsole there is an exception:
java.security.AccessControlException: access denied ("org.osgi.framework.ServicePermission" "(service.id=44)" "get") at java.security.AccessControlContext.checkPermission(AccessControlContext.java:366) at com.prosyst.mbs.impl.framework.module.security.SecurityManagerImpl.checkPermission(SecurityManagerImpl.java:110) at com.prosyst.mbs.impl.framework.module.security.SecurityManagerImpl.checkPermission(SecurityManagerImpl.java:71) at com.prosyst.mbs.impl.framework.module.security.BasicSecurityImpl.checkServicePermissions0(BasicSecurityImpl.java:256) at com.prosyst.mbs.impl.framework.module.security.BasicSecurityImpl.checkServicePermissions(BasicSecurityImpl.java:251) at com.prosyst.mbs.impl.framework.ServicesManager.getSR(ServicesManager.java:774) at com.prosyst.mbs.impl.framework.BundleContextImpl.getServiceReferences0(BundleContextImpl.java:794) at com.prosyst.mbs.impl.framework.BundleContextImpl.getServiceReferences(BundleContextImpl.java:774) at com.prosyst.mbs.impl.framework.BundleContextImpl.getServiceReferences(BundleContextImpl.java:749) at org.osgi.util.tracker.ServiceTracker.getInitialReferences(ServiceTracker.java:334) at org.osgi.util.tracker.ServiceTracker.open(ServiceTracker.java:297) at org.osgi.util.tracker.ServiceTracker.open(ServiceTracker.java:261) at org.apache.felix.webconsole.internal.servlet.OsgiManager.updateConfiguration(OsgiManager.java:1002) at org.apache.felix.webconsole.internal.servlet.ConfigurationSupport.updated(ConfigurationSupport.java:51)
The reason for this exception is that Web Console tries to access a service in it's updated method. Since configuration admin bundle doesn't have enough permission the call fails and the /system/console alias doesn't get registered.
To solve that issue, the updated method should use doPrivileged when performing the operations.
The same applies to the "service* method of the HttpServlet. According the OSGi R5 compendium specification chapter 102.8.3, "it is the responsibility of the Servlet and Http Context implementations to use a doPrivileged block when performing privileged operations."