You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@felix.apache.org by "Karl Pauls (JIRA)" <ji...@apache.org> on 2008/08/20 18:44:47 UTC

[jira] Resolved: (FELIX-654) Subject.doAs not supported

     [ https://issues.apache.org/jira/browse/FELIX-654?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Karl Pauls resolved FELIX-654.
------------------------------

    Resolution: Fixed

I think the current fix is reasonable and seems to work -- hence, I will close this issue soon. 

> Subject.doAs not supported
> --------------------------
>
>                 Key: FELIX-654
>                 URL: https://issues.apache.org/jira/browse/FELIX-654
>             Project: Felix
>          Issue Type: Bug
>          Components: Framework
>    Affects Versions: felix-1.0.4
>            Reporter: Karl Pauls
>            Assignee: Karl Pauls
>             Fix For: felix-1.2.0
>
>
> Subject.doAs allows to perform work as a particular Subject. It first retrieves the current Thread's AccessControlContext via AccessController.getContext, and then instantiates a new AccessControlContext using the retrieved context along with a new SubjectDomainCombiner (constructed using the provided Subject). Finally, this method invokes AccessController.doPrivileged, passing it the provided PrivilegedAction, as well as the newly constructed AccessControlContext. 
> The issue is that the SubjectDomainCombiner does update the relevant ProtectionDomains with the Principals from the Subject associated with this SubjectDomainCombiner by creating a new ProtectionDomain instance for each ProtectionDomain in the currentDomains array. Each new ProtectionDomain instance is created using the CodeSource, Permissions and ClassLoader from the corresponding ProtectionDomain in currentDomains, as well as with the Principals from the Subject associated with this SubjectDomainCombiner. 
> This doesn't work well with the OSGi spec due to the fact that each bundle (or revision to be precise) has its own custom ProtectionDomain which is lost when Subject.doAs is used. There is a way to make it work for most scenarios namely, make the custom ProtectionDomain return a speciall PermissionCollection because that is reused by the ProtectionDomain created by the SubjectDomainCombiner if no custom policy is installed (in the later case a different workaround would be needed). 
> Currently, Felix doesn't work when Subject.doAs is used and security is enabled. 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.