Posted to users@felix.apache.org by Stephen Higgs <sh...@redhat.com> on 2016/05/18 12:54:36 UTC

felix bundle security

[Note - Originally Sent to Karaf users list, but may be more appropriate for the felix users list]

Hi all,

If I wanted to implement custom logic to examine bundles that are installed for security purposes, would the following be appropriate?

1) set org.osgi.framework.security=osgi
2) create an implementation of org.apache.felix.framework.ext.SecurityProvider
3) add the new security provider to startup.properties

Would this achieve the desired ability to checkBundle() for all bundles during startup and thereafter?

Thank you,

Stephen Higgs

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@felix.apache.org
For additional commands, e-mail: users-help@felix.apache.org


Re: felix bundle security

Posted by Stephen Higgs <sh...@redhat.com>.
Thanks!

----- Original Message -----
From: "Karl Pauls" <ka...@gmail.com>
To: users@felix.apache.org
Sent: Wednesday, May 18, 2016 10:45:48 AM
Subject: Re: felix bundle security

Yes, that should be possible. If you create a custom condition it will get
passed in the Bundle object in question for evaluation. That is when you
could inspect the bundle. Next, all you need to do is to basically start
with a security policy that only grants permissions to bundles that pass
your custom condition.

You can have a look at this example for a custom condition and how to use
it:
https://github.com/mcculls/osgi-in-action/tree/master/chapter14/combined-example

regards,

Karl

-- 
Karl Pauls
karlpauls@gmail.com
http://twitter.com/karlpauls
http://www.linkedin.com/in/karlpauls
https://profiles.google.com/karlpauls


Re: felix bundle security

Posted by Karl Pauls <ka...@gmail.com>.
Yes, that should be possible. If you create a custom condition it will get
passed in the Bundle object in question for evaluation. That is when you
could inspect the bundle. Next, all you need to do is to basically start
with a security policy that only grants permissions to bundles that pass
your custom condition.

You can have a look at this example for a custom condition and how to use
it:
https://github.com/mcculls/osgi-in-action/tree/master/chapter14/combined-example

regards,

Karl

On Wed, May 18, 2016 at 4:37 PM, Stephen Higgs <sh...@redhat.com> wrote:

> So I could write my own logic that checks the bundle via a "custom
> condition"?  That would be perfect - is there a resource that you would
> recommend that shows how to implement a custom condition?
>
> Thanks!
>
> --Stephen

-- 
Karl Pauls
karlpauls@gmail.com
http://twitter.com/karlpauls
http://www.linkedin.com/in/karlpauls
https://profiles.google.com/karlpauls
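
Added example (not part of the thread, the Felix project, or the linked osgi-in-action code): a custom condition of the kind described in the reply above, written against the OSGi Conditional Permission Admin API with the static getCondition(Bundle, ConditionInfo) factory form. The package, class name, prefix argument and policy row are hypothetical.

```java
package example.security; // hypothetical package name

import org.osgi.framework.Bundle;
import org.osgi.service.condpermadmin.Condition;
import org.osgi.service.condpermadmin.ConditionInfo;

/**
 * Hypothetical custom condition: satisfied only for bundles that have at
 * least one signer the framework trusts AND whose symbolic name starts with
 * one of the prefixes given as condition arguments.
 *
 * Encoded policy row that uses it (the prefix is a constructed sample):
 *   ALLOW { [example.security.VettedBundleCondition "com.example."]
 *           (org.osgi.framework.PackagePermission "*" "import") } "vetted"
 */
public final class VettedBundleCondition {

    private VettedBundleCondition() {
        // Only the static factory below is used.
    }

    /** Factory method that Conditional Permission Admin finds by reflection. */
    public static Condition getCondition(Bundle bundle, ConditionInfo info) {
        // Condition.TRUE / Condition.FALSE are immutable, non-postponed
        // constants, so the verdict is fixed once it has been computed.
        return isVetted(bundle, info.getArgs()) ? Condition.TRUE : Condition.FALSE;
    }

    static boolean isVetted(Bundle bundle, String[] allowedPrefixes) {
        // Fail closed on missing input: an empty argument list vets nothing.
        if (bundle == null || allowedPrefixes == null || allowedPrefixes.length == 0) {
            return false;
        }
        // The symbolic name is declared by the bundle itself, so it is only
        // meaningful when the bundle also has a trusted signer chain.
        if (bundle.getSignerCertificates(Bundle.SIGNERS_TRUSTED).isEmpty()) {
            return false;
        }
        String name = bundle.getSymbolicName();
        if (name == null) {
            return false;
        }
        for (String prefix : allowedPrefixes) {
            if (prefix != null && !prefix.isEmpty() && name.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }
}
```

With a policy made only of ALLOW rows guarded by this condition, a bundle that fails the check receives none of the listed permissions. The condition class has to be loadable by the framework itself, for example from a framework extension bundle.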

Re: felix bundle security

Posted by Stephen Higgs <sh...@redhat.com>.
So I could write my own logic that checks the bundle via a "custom condition"?  That would be perfect - is there a resource that you would recommend that shows how to implement a custom condition?

Thanks!

--Stephen

----- Original Message -----
From: "Karl Pauls" <ka...@gmail.com>
To: users@felix.apache.org
Sent: Wednesday, May 18, 2016 9:34:28 AM
Subject: Re: felix bundle security

Hm, I guess you could do that, yes. However, are you sure you want to
implement your own provider? If you are running with security enabled, why
not just use the existing provider and write your own custom condition that
checks the bundle?

regards,

Karl

-- 
Karl Pauls
karlpauls@gmail.com
http://twitter.com/karlpauls
http://www.linkedin.com/in/karlpauls
https://profiles.google.com/karlpauls


Re: felix bundle security

Posted by Karl Pauls <ka...@gmail.com>.
Hm, I guess you could do that, yes. However, are you sure you want to
implement your own provider? If you are running with security enabled, why
not just use the existing provider and write your own custom condition that
checks the bundle?

regards,

Karl

On Wed, May 18, 2016 at 2:54 PM, Stephen Higgs <sh...@redhat.com> wrote:

> [Note - Originally Sent to Karaf users list, but may be more appropriate
> for the felix users list]
>
> Hi all,
>
> If I wanted to implement custom logic to examine bundles that are
> installed for security purposes, would the following be appropriate?
>
> 1) set org.osgi.framework.security=osgi
> 2) create an implementation of
> org.apache.felix.framework.ext.SecurityProvider
> 3) add the new security provider to startup.properties
>
> Would this achieve the desired ability to checkBundle() for all bundles
> during startup and thereafter?
>
> Thank you,
>
> Stephen Higgs


-- 
Karl Pauls
karlpauls@gmail.com
http://twitter.com/karlpauls
http://www.linkedin.com/in/karlpauls
https://profiles.google.com/karlpauls