Posted to scm@geronimo.apache.org by ga...@apache.org on 2009/07/22 20:31:38 UTC
svn commit: r796824 - in /geronimo/sandbox/blueprint/blueprint-core/src/main:
java/org/apache/geronimo/blueprint/
java/org/apache/geronimo/blueprint/container/ resources/OSGI-INF/
Author: gawor
Date: Wed Jul 22 18:31:38 2009
New Revision: 796824
URL: http://svn.apache.org/viewvc?rev=796824&view=rev
Log:
Initial security: use the bundle's permissions to export, import and load classes. More checks are needed.
Added:
geronimo/sandbox/blueprint/blueprint-core/src/main/resources/OSGI-INF/permissions.perm
Modified:
geronimo/sandbox/blueprint/blueprint-core/src/main/java/org/apache/geronimo/blueprint/ExtendedBlueprintContainer.java
geronimo/sandbox/blueprint/blueprint-core/src/main/java/org/apache/geronimo/blueprint/container/BlueprintContainerImpl.java
geronimo/sandbox/blueprint/blueprint-core/src/main/java/org/apache/geronimo/blueprint/container/ReferenceListRecipe.java
geronimo/sandbox/blueprint/blueprint-core/src/main/java/org/apache/geronimo/blueprint/container/ReferenceRecipe.java
geronimo/sandbox/blueprint/blueprint-core/src/main/java/org/apache/geronimo/blueprint/container/ServiceRecipe.java
Modified: geronimo/sandbox/blueprint/blueprint-core/src/main/java/org/apache/geronimo/blueprint/ExtendedBlueprintContainer.java
URL: http://svn.apache.org/viewvc/geronimo/sandbox/blueprint/blueprint-core/src/main/java/org/apache/geronimo/blueprint/ExtendedBlueprintContainer.java?rev=796824&r1=796823&r2=796824&view=diff
==============================================================================
--- geronimo/sandbox/blueprint/blueprint-core/src/main/java/org/apache/geronimo/blueprint/ExtendedBlueprintContainer.java (original)
+++ geronimo/sandbox/blueprint/blueprint-core/src/main/java/org/apache/geronimo/blueprint/ExtendedBlueprintContainer.java Wed Jul 22 18:31:38 2009
@@ -16,11 +16,14 @@
*/
package org.apache.geronimo.blueprint;
+import java.util.Dictionary;
import java.util.List;
import org.apache.geronimo.blueprint.di.Repository;
import org.osgi.framework.Bundle;
import org.osgi.framework.BundleContext;
+import org.osgi.framework.ServiceReference;
+import org.osgi.framework.ServiceRegistration;
import org.osgi.service.blueprint.container.BlueprintContainer;
import org.osgi.service.blueprint.container.BlueprintListener;
import org.osgi.service.blueprint.container.Converter;
@@ -48,4 +51,9 @@
<T extends Processor> List<T> getProcessors(Class<T> type);
Repository getRepository();
+
+ ServiceRegistration registerService(String[] classes, Object service, Dictionary properties);
+
+ Object getService(ServiceReference reference);
+
}
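Review bot: The two methods added to the interface, `registerService` and `getService`, carry no Javadoc, so nothing tells an implementer that they exist to make the call under the blueprint bundle's own permissions rather than the extender's. I would add a comment on each, for example `/** Registers the service through the blueprint bundle's context; with a security manager installed the call is checked against that bundle's permissions. */`, and state on `getService` whether a null return is possible. `Dictionary properties` is a raw type although `getProcessors` in the same interface is generic; a short remark that it mirrors the `BundleContext.registerService` signature would explain it.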
Modified: geronimo/sandbox/blueprint/blueprint-core/src/main/java/org/apache/geronimo/blueprint/container/BlueprintContainerImpl.java
URL: http://svn.apache.org/viewvc/geronimo/sandbox/blueprint/blueprint-core/src/main/java/org/apache/geronimo/blueprint/container/BlueprintContainerImpl.java?rev=796824&r1=796823&r2=796824&view=diff
==============================================================================
--- geronimo/sandbox/blueprint/blueprint-core/src/main/java/org/apache/geronimo/blueprint/container/BlueprintContainerImpl.java (original)
+++ geronimo/sandbox/blueprint/blueprint-core/src/main/java/org/apache/geronimo/blueprint/container/BlueprintContainerImpl.java Wed Jul 22 18:31:38 2009
@@ -21,6 +21,14 @@
import java.io.FileNotFoundException;
import java.net.URI;
import java.net.URL;
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.DomainCombiner;
+import java.security.Permission;
+import java.security.PrivilegedAction;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.security.ProtectionDomain;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
@@ -56,6 +64,7 @@
import org.osgi.framework.Bundle;
import org.osgi.framework.BundleContext;
import org.osgi.framework.Constants;
+import org.osgi.framework.ServiceReference;
import org.osgi.framework.ServiceRegistration;
import org.osgi.service.blueprint.container.BlueprintContainer;
import org.osgi.service.blueprint.container.BlueprintEvent;
@@ -127,6 +136,7 @@
private final AtomicBoolean scheduled = new AtomicBoolean();
private final AtomicBoolean running = new AtomicBoolean();
private List<ServiceRecipe> services;
+ private AccessControlContext accessControlContext;
public BlueprintContainerImpl(BundleContext bundleContext, Bundle extenderBundle, BlueprintListener eventDispatcher, NamespaceHandlerRegistry handlers, ScheduledExecutorService executors, List<Object> pathList) {
this.bundleContext = bundleContext;
@@ -138,16 +148,15 @@
this.componentDefinitionRegistry = new ComponentDefinitionRegistryImpl();
this.executors = executors;
this.processors = new ArrayList<Processor>();
+ if (System.getSecurityManager() != null) {
+ this.accessControlContext = getAccessControlContext();
+ }
}
public Bundle getExtenderBundle() {
return extenderBundle;
}
- public Class loadClass(String name) throws ClassNotFoundException {
- return bundleContext.getBundle().loadClass(name);
- }
-
public <T extends Processor> List<T> getProcessors(Class<T> clazz) {
List<T> p = new ArrayList<T>();
for (Processor processor : processors) {
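Review bot: `System.getSecurityManager()` is read once in the constructor, so a container built before a security manager is installed keeps `accessControlContext` null for its whole life and `loadClass`, `registerService` and `getService` keep calling `bundleContext` directly. If that is acceptable because security is always decided at framework start, the check deserves a comment such as `// security is decided at construction; a manager installed later is not picked up`. The field is assigned only here and could be declared `private final AccessControlContext accessControlContext;` with `this.accessControlContext = System.getSecurityManager() != null ? getAccessControlContext() : null;`. The constructor starts outside this hunk.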
@@ -345,6 +354,65 @@
return resources;
}
+ public Class loadClass(final String name) throws ClassNotFoundException {
+ if (accessControlContext == null) {
+ return bundleContext.getBundle().loadClass(name);
+ } else {
+ try {
+ return AccessController.doPrivileged(new PrivilegedExceptionAction<Class>() {
+ public Class run() throws Exception {
+ return bundleContext.getBundle().loadClass(name);
+ }
+ }, accessControlContext);
+ } catch (PrivilegedActionException e) {
+ Exception cause = e.getException();
+ if (cause instanceof ClassNotFoundException) {
+ throw (ClassNotFoundException) cause;
+ }
+ throw new IllegalStateException("Unexpected checked exception", cause);
+ }
+ }
+ }
+
+ public ServiceRegistration registerService(final String[] classes, final Object service, final Dictionary properties) {
+ if (accessControlContext == null) {
+ return bundleContext.registerService(classes, service, properties);
+ } else {
+ return AccessController.doPrivileged(new PrivilegedAction<ServiceRegistration>() {
+ public ServiceRegistration run() {
+ return bundleContext.registerService(classes, service, properties);
+ }
+ }, accessControlContext);
+ }
+ }
+
+ public Object getService(final ServiceReference reference) {
+ if (accessControlContext == null) {
+ return bundleContext.getService(reference);
+ } else {
+ return AccessController.doPrivileged(new PrivilegedAction<Object>() {
+ public Object run() {
+ return bundleContext.getService(reference);
+ }
+ }, accessControlContext);
+ }
+ }
+
+ private AccessControlContext getAccessControlContext() {
+ return new AccessControlContext(AccessController.getContext(),
+ new DomainCombiner() {
+ public ProtectionDomain[] combine(ProtectionDomain[] arg0,
+ ProtectionDomain[] arg1) {
+ return new ProtectionDomain[] { new ProtectionDomain(null, null) {
+ public boolean implies(Permission permission) {
+ return bundleContext.getBundle().hasPermission(permission);
+ }
+ }
+ };
+ }
+ });
+ }
+
public BlueprintRepository getRepository() {
if (repository == null) {
repository = new RecipeBuilder(this).createRepository();
Modified: geronimo/sandbox/blueprint/blueprint-core/src/main/java/org/apache/geronimo/blueprint/container/ReferenceListRecipe.java
URL: http://svn.apache.org/viewvc/geronimo/sandbox/blueprint/blueprint-core/src/main/java/org/apache/geronimo/blueprint/container/ReferenceListRecipe.java?rev=796824&r1=796823&r2=796824&view=diff
==============================================================================
--- geronimo/sandbox/blueprint/blueprint-core/src/main/java/org/apache/geronimo/blueprint/container/ReferenceListRecipe.java (original)
+++ geronimo/sandbox/blueprint/blueprint-core/src/main/java/org/apache/geronimo/blueprint/container/ReferenceListRecipe.java Wed Jul 22 18:31:38 2009
@@ -212,7 +212,7 @@
throw new ServiceUnavailableException("Service is unavailable", getOsgiFilter());
}
if (service == null) {
- service = reference.getBundle().getBundleContext().getService(reference);
+ service = blueprintContainer.getService(reference);
}
return service;
}
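Review bot: The replaced line obtained the service through `reference.getBundle().getBundleContext()`, the context of the bundle that registered the service, while `blueprintContainer.getService(reference)` goes through the blueprint bundle's context, so the use count is now held by a different bundle. The matching `ungetService` call is not in this hunk; it has to go through the same context, otherwise the count taken here is never released. `getService` may also return null, and unlike `ReferenceRecipe`, which throws `IllegalStateException` in that case, this method hands the null to its caller; `if (service == null) throw new ServiceUnavailableException("Service is unavailable", getOsgiFilter());` after the call would match the check above. The enclosing method starts outside the hunk.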
Modified: geronimo/sandbox/blueprint/blueprint-core/src/main/java/org/apache/geronimo/blueprint/container/ReferenceRecipe.java
URL: http://svn.apache.org/viewvc/geronimo/sandbox/blueprint/blueprint-core/src/main/java/org/apache/geronimo/blueprint/container/ReferenceRecipe.java?rev=796824&r1=796823&r2=796824&view=diff
==============================================================================
--- geronimo/sandbox/blueprint/blueprint-core/src/main/java/org/apache/geronimo/blueprint/container/ReferenceRecipe.java (original)
+++ geronimo/sandbox/blueprint/blueprint-core/src/main/java/org/apache/geronimo/blueprint/container/ReferenceRecipe.java Wed Jul 22 18:31:38 2009
@@ -193,7 +193,7 @@
}
}
if (trackedService == null) {
- trackedService = blueprintContainer.getBundleContext().getService(trackedServiceReference);
+ trackedService = blueprintContainer.getService(trackedServiceReference);
}
if (trackedService == null) {
throw new IllegalStateException("getService() returned null for " + trackedServiceReference);
Modified: geronimo/sandbox/blueprint/blueprint-core/src/main/java/org/apache/geronimo/blueprint/container/ServiceRecipe.java
URL: http://svn.apache.org/viewvc/geronimo/sandbox/blueprint/blueprint-core/src/main/java/org/apache/geronimo/blueprint/container/ServiceRecipe.java?rev=796824&r1=796823&r2=796824&view=diff
==============================================================================
--- geronimo/sandbox/blueprint/blueprint-core/src/main/java/org/apache/geronimo/blueprint/container/ServiceRecipe.java (original)
+++ geronimo/sandbox/blueprint/blueprint-core/src/main/java/org/apache/geronimo/blueprint/container/ServiceRecipe.java Wed Jul 22 18:31:38 2009
@@ -161,7 +161,7 @@
LOGGER.debug("Registering service {} with interfaces {} and properties {}",
new Object[] { name, classes, props });
- registration = blueprintContainer.getBundleContext().registerService(classArray, new TriggerServiceFactory(), props);
+ registration = blueprintContainer.registerService(classArray, new TriggerServiceFactory(), props);
registrationProperties = props;
}
}
@@ -178,7 +178,9 @@
listener.unregister(service instanceof ServiceFactory || !prototypeService ? service : null, registrationProperties);
}
}
- reg.unregister();
+ if (reg != null) {
+ reg.unregister();
+ }
// We need to do this hack in order to support reantrancy
if (registration == reg) {
registration = null;
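Review bot: The new `if (reg != null)` guard covers only `reg.unregister()`; as far as the context lines show, the `listener.unregister(...)` call just above still runs when no registration exists, so listeners can be told about the removal of a service that was never registered. That state looks reachable now that `blueprintContainer.registerService` in the previous hunk runs under the bundle's permissions and may fail, leaving `registration` null (inferred, the failure path is not visible). Consider returning early when `reg == null` or moving the listener loop inside the guard. The method starts and ends outside the hunk, so the conditions around the loop should be checked first.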
Added: geronimo/sandbox/blueprint/blueprint-core/src/main/resources/OSGI-INF/permissions.perm
URL: http://svn.apache.org/viewvc/geronimo/sandbox/blueprint/blueprint-core/src/main/resources/OSGI-INF/permissions.perm?rev=796824&view=auto
==============================================================================
--- geronimo/sandbox/blueprint/blueprint-core/src/main/resources/OSGI-INF/permissions.perm (added)
+++ geronimo/sandbox/blueprint/blueprint-core/src/main/resources/OSGI-INF/permissions.perm Wed Jul 22 18:31:38 2009
@@ -0,0 +1,8 @@
+# Lines beginning with '#' or '//' are comments
+#
+# This file contains the permissions to be granted.
+# The permissions are listed one per
+# line in PermissionInfo encoded format.
+# See org.osgi.service.permissionadmin.PermissionInfo
+
+(java.security.AllPermission "" "")
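Review bot: `(java.security.AllPermission "" "")` is granted without a comment saying why the blueprint-core bundle needs it; the header lines only describe the file format. Since this file bounds what the bundle itself may do, a line such as `# AllPermission: the extender acts for client bundles and narrows each call to that bundle's permissions via doPrivileged` would record the reasoning, adjusted to what the author actually intends. If a narrower set becomes feasible once the remaining checks from the log message are in, this is the place to list it.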