Uploaded image for project: 'Felix'
  1. Felix
  2. FELIX-4610

WebConsole doesn't start with Java Security enabled

VotersWatch issueWatchersLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Blocker
    • Resolution: Fixed
    • webconsole-4.2.2
    • webconsole-4.2.4
    • Web Console
    • None

    Description

      The framework is run with java security enabled. When I attempt to start the webconsole there is an exception:

      java.security.AccessControlException: access denied ("org.osgi.framework.ServicePermission" "(service.id=44)" "get")
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:366)
        at com.prosyst.mbs.impl.framework.module.security.SecurityManagerImpl.checkPermission(SecurityManagerImpl.java:110)
        at com.prosyst.mbs.impl.framework.module.security.SecurityManagerImpl.checkPermission(SecurityManagerImpl.java:71)
        at com.prosyst.mbs.impl.framework.module.security.BasicSecurityImpl.checkServicePermissions0(BasicSecurityImpl.java:256)
        at com.prosyst.mbs.impl.framework.module.security.BasicSecurityImpl.checkServicePermissions(BasicSecurityImpl.java:251)
        at com.prosyst.mbs.impl.framework.ServicesManager.getSR(ServicesManager.java:774)
        at com.prosyst.mbs.impl.framework.BundleContextImpl.getServiceReferences0(BundleContextImpl.java:794)
        at com.prosyst.mbs.impl.framework.BundleContextImpl.getServiceReferences(BundleContextImpl.java:774)
        at com.prosyst.mbs.impl.framework.BundleContextImpl.getServiceReferences(BundleContextImpl.java:749)
        at org.osgi.util.tracker.ServiceTracker.getInitialReferences(ServiceTracker.java:334)
        at org.osgi.util.tracker.ServiceTracker.open(ServiceTracker.java:297)
        at org.osgi.util.tracker.ServiceTracker.open(ServiceTracker.java:261)
        at org.apache.felix.webconsole.internal.servlet.OsgiManager.updateConfiguration(OsgiManager.java:1002)
        at org.apache.felix.webconsole.internal.servlet.ConfigurationSupport.updated(ConfigurationSupport.java:51)

      The reason for this exception is that Web Console tries to access a service in it's updated method. Since configuration admin bundle doesn't have enough permission the call fails and the /system/console alias doesn't get registered.

      To solve that issue, the updated method should use doPrivileged when performing the operations.

      The same applies to the "service* method of the HttpServlet. According the OSGi R5 compendium specification chapter 102.8.3, "it is the responsibility of the Servlet and Http Context implementations to use a doPrivileged block when performing privileged operations."

      Attachments

        Activity
          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            v_valchev Valentin Valchev
            v_valchev Valentin Valchev
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment