Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

Osgi, security on the fly

DZone's Guide to

Osgi, security on the fly

· Java Zone
Free Resource

Download Microservices for Java Developers: A hands-on introduction to frameworks and containers. Brought to you in partnership with Red Hat.

Recently, I got a question on how to disallow bundles to call System.exit method and shutdown the full system. The first solution is to do with an old static java applications :
  • Delegates security to osgi framework :

java -jar framework.jar -init -Djava.security.manager -Djava.security.policy=all.policy
all.policy
grant { permission java.security.AllPermission;
};
  • deny all exit method call, using java security api and deploy it using single bundle with an activator like :

import org.osgi.framework. {BundleActivator ,BundleContext }

class Activator extends BundleActivator {
@throws (classOf[ java.lang.Exception])
def start( context:BundleContext){
System setSecurityManager new SecurityManager() {
override def checkExit( status:Int) {
throw new SecurityException("Reject System.exit(" + status + ")!");
}
}
}
@throws (classOf[ java.lang.Exception])
def stop( context:BundleContext) {}
}
This blog will show how to change security permission on the fly using console and per osgi bundle. Osgi is more flexible than standard java applications and security inside osgi is not an exception. Using Conditional Permission Admin make security more dynamic. To enable security on the fly we will use sosgi secure scala modules. https://github.com/ouertani/sosgi while this module is under development, We can do many thing with it.

Prerequisite :

  • scala-library-2.8.1.jar -> scala language based
  • scalamodules-core_2.8.1-2.0.4-SNAPSHOT.jar -> clever osgi dsl
  • slf4s_2.8.1-1.0.3.jar -> scala logging dsl
  • slf4j-api-1.6.1.jar with implementation as slf4j-simple-1.6.1.jar -> logging facade and implementation
  • sbt-launch-0.7.4.jar -> to compile and package a bundle
  • org.eclipse.osgi_3.6.2.jar -> curently base on equinox and its Command Interpreter

installing :

launch the framework using all.policy file as :

java -Djava.security.manager -Djava.security.policy=all.policy -jar org.eclipse.osgi_3.6.2.R36x_v20110210.jar -console
  • install base bundles like :

  • i file:./admin/scala-library-2.8.1.jar
  • i file:./admin/slf4j-api-1.6.1.jar
  • i file:./admin/slf4j-simple-1.6.1.jar
  • i file:./admin/slf4s_2.8.1-1.0.3.jar
  • i file:./admin/scalamodules-core_2.8.1-2.0.4-SNAPSHOT.jar
  • i file:./admin/osgi_2.8.1-1.0.jar
now for example install a bundles to illustrate usage :
class Activator extends   BundleActivator {
@throws (classOf[ java.lang.Exception])
def start( context:BundleContext){

try{

System exit 0

}catch {
case e => println (e)
}

}
.....

Running :

  • list bundles

osgi> ss

Framework is launched.

id State Bundle
0 ACTIVE org.eclipse.osgi_3.6.2.R36x_v20110210
1 INSTALLED scala-library_2.8.1
2 INSTALLED slf4j.api_1.6.1
3 INSTALLED slf4j.simple_1.6.1
4 INSTALLED com.weiglewilczek.slf4s_1.0.3
5 INSTALLED com.weiglewilczek.scalamodules.core_2.0.4.SNAPSHOT
6 INSTALLED com.ouertani.osgi_1.0.0
7 INSTALLED com.osgi.1e_1.0.0.SNAPSHOT

  • start security bundle
start 6
  • update admin dir
setprop ADMIN_DIR="*/admin/*"

  • init security bundle
sosgi !

  • try to call start bundle 7

start 7
java.security.AccessControlException: access denied (java.lang.RuntimePermission exitVM.0)
==>great system.exit is not allowed for this bundle.
  • to allow bundle 7 to call exit and shutdown the VM

sosgi + 7 ( java.lang.RuntimePermission ""exitVM.*"" )
  • add permissions to bundle 7

sosgi + 7 (  org.osgi.framework.PackagePermission ""*"" ""import"" )
sosgi + 7 ( java.lang.RuntimePermission ""exitVM.*"" )
  • start bundle 7 or update it

start 7
great ! VM is shuting down

More :

  • display security

sosgi ?
FOR + [generated_1301865364030] If org.osgi.service.condpermadmin.BundleLocationCondition */admin/* Then org.osgi.framework.ServicePermission org.eclipse.osgi.framework.console.CommandProvider register AND java.security.AllPermission * * AND org.osgi.framework.AdminPermission * * AND org.osgi.framework.PackagePermission * * END FI
  • clear all security

sosgi !!
source : http://ouertani.com/2011/04/osgi-security-on-the-fly/

Download Building Reactive Microservices in Java: Asynchronous and Event-Based Application Design. Brought to you in partnership with Red Hat

Topics:

Opinions expressed by DZone contributors are their own.

THE DZONE NEWSLETTER

Dev Resources & Solutions Straight to Your Inbox

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.

X

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}