[FELIX-5148] Framework Security unusable - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Invalid
Affects Version/s: framework.security-2.4.0, configadmin-1.8.0
Fix Version/s: None
Component/s: Configuration Admin, Framework Security
Labels:
None

Description

While fixing an issue with Sling and RMI (~~SLING-5375~~) reported by an user I came across an issue (~~KARAF-3400~~) reported by achim_nierbeck for Karaf related to framework security.

There is also an issue with Sling's own OSGi launcher Launchpad and framework security when using org.apache.felix.configadmin >= 1.8.0.

all.policy:

grant {
   permission java.security.AllPermission;
};

Adding org.apache.felix/org.apache.felix.framework.security/2.4.0 to boot.txt and starting with arguments described on Framework Security's page (which looks broken) and -Djava.security.manager (Building Secure OSGi Applications) throws a java.security.AccessControlException:

java -Djava.security.manager -Djava.security.policy="all.policy" -Dorg.osgi.framework.security="osgi" -jar org.apache.sling.launchpad-9-SNAPSHOT.jar

[...]
[...] *ERROR* [FelixStartLevel] ERROR: Error starting slinginstall:org.apache.felix.configadmin-1.8.0.jar (java.security.AccessControlException: access denied ("java.io.FilePermission" "/[...]/sling/config" "read"))
java.security.AccessControlException: access denied ("java.io.FilePermission" "/[...]/sling/config" "read")
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
	at java.security.AccessController.checkPermission(AccessController.java:884)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
	at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
	at java.io.File.isDirectory(File.java:844)
	at org.apache.felix.cm.file.FilePersistenceManager.<init>(FilePersistenceManager.java:342)
	at org.apache.felix.cm.impl.ConfigurationManager.start(ConfigurationManager.java:244)
	at org.apache.felix.framework.util.SecureAction$Actions.run(SecureAction.java:1709)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.felix.framework.util.SecureAction.startActivator(SecureAction.java:688)
	at org.apache.felix.framework.Felix.activateBundle(Felix.java:2226)
	at org.apache.felix.framework.Felix.startBundle(Felix.java:2144)
	at org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1371)
	at org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308)
	at java.lang.Thread.run(Thread.java:745)
[...]

I had to remove OSGi Subsystems support from boot.txt when using org.apache.felix.configadmin 1.6:

    org.apache.felix/org.apache.felix.coordinator/1.0.0
    org.eclipse.equinox/org.eclipse.equinox.region/1.2.101.v20150831-1342
    org.apache.aries.subsystem/org.apache.aries.subsystem.api/2.0.6
    org.apache.aries.subsystem/org.apache.aries.subsystem.core/2.0.6

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

FELIX-5148.site.patch
19/Jan/16 09:28
3 kB
Oliver Lietz
FELIX-5148.sling-launchpad-builder.patch
19/Jan/16 10:12
5 kB
Oliver Lietz

Issue Links

blocks

KARAF-3400 Enabling Java System Security and OSGi security leaves Karaf in unusable state

Resolved

relates to

FELIX-5384 EventDispatcher#createWhitelistFromHooks fails under security

Resolved

FELIX-5385 ConfigAdmin uses wrong security when calling ManagedServices

Closed

Activity

People

Assignee:: Karl Pauls

Reporter:: Oliver Lietz

Votes:: 1 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Created:: 20/Dec/15 15:09

Updated:: 19/Dec/19 17:37

Resolved:: 19/Jan/16 12:21