Posted to users@felix.apache.org by Sinkov Vladimir <vl...@gmail.com> on 2014/10/15 10:47:24 UTC

Felix security and Tomcat 7

Hello!

I'm developing a web application which should be extendable with some modules
using OSGi (Apache Felix).
Those modules should have permission restrictions; that's why I need OSGi
security.
Everything worked fine when I tested it as a standalone application, but when
I integrated Felix into the webapp and deployed it into Tomcat 7, strange things
started to happen (by the way, it works in Jetty just fine).
The following exception appears at the start of the framework and at the start
of the bundle when security is enabled with
org.osgi.framework.security=osgi.

org.osgi.framework.BundleException: Activator start error in bundle org.volchyn.tutorials.felix-tutorial [2].
 at org.apache.felix.framework.Felix.activateBundle(Felix.java:2204)
 at org.apache.felix.framework.Felix.startBundle(Felix.java:2072)
 at org.apache.felix.framework.BundleImpl.start(BundleImpl.java:976)
 at org.apache.felix.framework.BundleImpl.start(BundleImpl.java:963)
 ...
Caused by: java.lang.ClassCircularityError: org/apache/felix/framework/security/condpermadmin/DomainGripper
 at org.apache.felix.framework.security.condpermadmin.ConditionalPermissionAdminImpl.hasPermission(ConditionalPermissionAdminImpl.java:860)
 at org.apache.felix.framework.SecurityProviderImpl.hasBundlePermission(SecurityProviderImpl.java:123)
 at org.apache.felix.framework.Felix.impliesBundlePermission(Felix.java:4326)
 at org.apache.felix.framework.BundleProtectionDomain.implies(BundleProtectionDomain.java:69)
 at java.security.AccessControlContext.checkPermission(AccessControlContext.java:350)
 at java.security.AccessController.checkPermission(AccessController.java:559)
 at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
 at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
 at java.io.File.exists(File.java:808)
 at org.apache.naming.resources.FileDirContext.file(FileDirContext.java:766)
 at org.apache.naming.resources.FileDirContext.doLookup(FileDirContext.java:196)
 at org.apache.naming.resources.BaseDirContext.doLookupWithoutNNFE(BaseDirContext.java:494)
 at org.apache.naming.resources.BaseDirContext.lookup(BaseDirContext.java:475)
 at org.apache.naming.resources.ProxyDirContext.lookup(ProxyDirContext.java:306)
 at org.apache.catalina.loader.WebappClassLoader.findResourceInternal(WebappClassLoader.java:3036)
 at org.apache.catalina.loader.WebappClassLoader.findClassInternal(WebappClassLoader.java:2892)
 at org.apache.catalina.loader.WebappClassLoader.findClass(WebappClassLoader.java:1210)
 at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1690)
 at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1571)
 at org.apache.felix.framework.util.EventDispatcher.addListener(EventDispatcher.java:205)
 at org.apache.felix.framework.Felix.addServiceListener(Felix.java:3241)
 at org.apache.felix.framework.BundleContextImpl.addServiceListener(BundleContextImpl.java:277)
 at org.apache.felix.framework.BundleContextImpl.addServiceListener(BundleContextImpl.java:258)
 at tutorial.example2.Activator.start(Activator.java:46)
 at org.apache.felix.framework.util.SecureAction$Actions.run(SecureAction.java:1630)
 at java.security.AccessController.doPrivileged(Native Method)
 at org.apache.felix.framework.util.SecureAction.startActivator(SecureAction.java:636)
 at org.apache.felix.framework.Felix.activateBundle(Felix.java:2154)
 ... 18 more

After several experiments, a "solution" was found. The hack is to preload
the problem classes before the start of the Felix framework and to put the
org.apache.felix.framework.security bundle into the classpath of the webapp:
Class.forName("org.apache.felix.framework.security.condpermadmin.DomainGripper");
Class.forName("org.apache.felix.framework.security.util.Permissions$1");
Class.forName("org.apache.felix.framework.security.util.Permissions$2");
Class.forName("org.osgi.framework.FrameworkListener");

Could you please help me find the normal solution for embedding Felix
with security into a webapp that is running under Tomcat?

Thanks!

Re: Felix security and Tomcat 7

Posted by Sinkov Vladimir <vl...@gmail.com>.
Hi!

Thanks for the hints.
I'm sending some quick prototypes so you can see the problem.
https://www.dropbox.com/s/f3arm294phmdk7b/felix-tomcat-problem.zip?dl=0

The archive contains a "webapp" module which shows the exact problem.
In the folder "Prototype" you will see two modules (FelixApp and
FelixTutorial).
FelixApp is a standalone host application and FelixTutorial is the testing
bundle.
Using "mvn clean install", please assemble FelixApp and then FelixTutorial,
so that as a result you get the bundle jar.
Then pass the path in the FelixServletContextListener, and you can see
the error yourself after deploying the webapp.
You may use the embedded tomcat7-maven-plugin; it has the proper setup for the run.

Thanks for the help!

2014-10-15 12:38 GMT+03:00 Karl Pauls <ka...@gmail.com>:

> It's hard to say what is going wrong in your case without getting more
> information about your set-up. Somehow, it looks like Tomcat can find the
> security classes via several paths and that is what causes your problem.
> Are you sure it also happens if the security bundle is not on the class
> path as well when added to the framework?
>
> However, all of this is pretty complicated so it might be a real issue with
> Tomcat and Felix not getting along in this case. I'd have to look into it
> more deeply in that case...
>
> Regardless, you might want to experiment with a "combined launcher" that
> embeds the security classes into the same jar as the framework and isn't
> installed as an extension bundle at all (have a look at:
> http://svn.apache.org/repos/asf/felix/sandbox/rickhall/ct-launcher to see
> how that can be done).
>
> regards,
>
> Karl

Re: Felix security and Tomcat 7

Posted by Karl Pauls <ka...@gmail.com>.
It's hard to say what is going wrong in your case without getting more
information about your set-up. Somehow, it looks like Tomcat can find the
security classes via several paths and that is what causes your problem.
Are you sure it also happens if the security bundle is not on the class
path as well when added to the framework?

However, all of this is pretty complicated so it might be a real issue with
Tomcat and Felix not getting along in this case. I'd have to look into it
more deeply in that case...

Regardless, you might want to experiment with a "combined launcher" that
embeds the security classes into the same jar as the framework and isn't
installed as an extension bundle at all (have a look at:
http://svn.apache.org/repos/asf/felix/sandbox/rickhall/ct-launcher to see
how that can be done).

regards,

Karl



-- 
Karl Pauls
karlpauls@gmail.com
http://twitter.com/karlpauls
http://www.linkedin.com/in/karlpauls
https://profiles.google.com/karlpauls
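
One way to check the "several paths" question raised in the reply above, as an added example that is not code from the thread, Felix or Tomcat: it lists every location from which a class loader can see the classes named in the original workaround, and where each class is actually defined from. The class name SecurityClassPathCheck and its methods are hypothetical; the four class names are the ones preloaded in the original post.

```java
import java.io.IOException;
import java.net.URL;
import java.security.CodeSource;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/** Added diagnostic (hypothetical helper, not Felix or Tomcat code). */
public final class SecurityClassPathCheck {

    // Class names taken from the workaround in the original post.
    static final String[] NAMES = {
        "org.apache.felix.framework.security.condpermadmin.DomainGripper",
        "org.apache.felix.framework.security.util.Permissions$1",
        "org.apache.felix.framework.security.util.Permissions$2",
        "org.osgi.framework.FrameworkListener"
    };

    /** Every location from which the loader (and its parents) can see the .class file. */
    static List<URL> visibleCopies(ClassLoader loader, String className) throws IOException {
        String resource = className.replace('.', '/') + ".class";
        return Collections.list(loader.getResources(resource));
    }

    /** Code source the class was defined from, or null if none is recorded. */
    static URL definedFrom(Class<?> c) {
        CodeSource cs = c.getProtectionDomain().getCodeSource();
        return cs == null ? null : cs.getLocation();
    }

    /** Run before the framework is created, so no bundle permission check is in play yet. */
    public static List<String> report(ClassLoader loader) throws IOException {
        List<String> lines = new ArrayList<String>();
        for (String name : NAMES) {
            List<URL> copies = visibleCopies(loader, name);
            String line = name + " visible at " + copies;
            try {
                // initialize=false: load and define the class without running static initializers
                Class<?> c = Class.forName(name, false, loader);
                line += "; defined by " + c.getClassLoader() + " from " + definedFrom(c);
            } catch (ClassNotFoundException | LinkageError e) {
                line += "; not loadable here: " + e;
            }
            if (copies.size() > 1) line += "  <-- more than one copy visible";
            lines.add(line);
        }
        return lines;
    }

    public static void main(String[] args) throws IOException {
        for (String l : report(SecurityClassPathCheck.class.getClassLoader())) System.out.println(l);
    }
}
```

Inside the webapp, pass the context class loader of the thread that starts the framework to report(); a class that is visible at more than one location, or defined by a loader other than the expected one, matches the situation described in the reply.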