You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@aries.apache.org by cu...@apache.org on 2012/06/22 16:36:38 UTC
svn commit: r1352904 - in /aries/trunk/blueprint/blueprint-core/src/main/java/org/apache/aries/blueprint/container: AbstractServiceReferenceRecipe.java ReferenceListRecipe.java ReferenceRecipe.java

Author: cumminsh
Date: Fri Jun 22 14:36:37 2012
New Revision: 1352904

URL: http://svn.apache.org/viewvc?rev=1352904&view=rev
Log:
[ARIES-363] Use managed bundle's access context in doPrivileged calls

Modified:
    aries/trunk/blueprint/blueprint-core/src/main/java/org/apache/aries/blueprint/container/AbstractServiceReferenceRecipe.java
    aries/trunk/blueprint/blueprint-core/src/main/java/org/apache/aries/blueprint/container/ReferenceListRecipe.java
    aries/trunk/blueprint/blueprint-core/src/main/java/org/apache/aries/blueprint/container/ReferenceRecipe.java

Modified: aries/trunk/blueprint/blueprint-core/src/main/java/org/apache/aries/blueprint/container/AbstractServiceReferenceRecipe.java
URL: http://svn.apache.org/viewvc/aries/trunk/blueprint/blueprint-core/src/main/java/org/apache/aries/blueprint/container/AbstractServiceReferenceRecipe.java?rev=1352904&r1=1352903&r2=1352904&view=diff
==============================================================================
--- aries/trunk/blueprint/blueprint-core/src/main/java/org/apache/aries/blueprint/container/AbstractServiceReferenceRecipe.java (original)
+++ aries/trunk/blueprint/blueprint-core/src/main/java/org/apache/aries/blueprint/container/AbstractServiceReferenceRecipe.java Fri Jun 22 14:36:37 2012
@@ -19,6 +19,12 @@
 package org.apache.aries.blueprint.container;
 
 import java.lang.reflect.Method;
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.DomainCombiner;
+import java.security.Permission;
+import java.security.PrivilegedAction;
+import java.security.ProtectionDomain;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
@@ -81,6 +87,8 @@ public abstract class AbstractServiceRef
     private final AtomicBoolean satisfied = new AtomicBoolean();
     private SatisfactionListener satisfactionListener;
 
+	private final AccessControlContext accessControlContext;
+
     protected AbstractServiceReferenceRecipe(String name,
                                              ExtendedBlueprintContainer blueprintContainer,
                                              ServiceReferenceMetadata metadata,
@@ -96,6 +104,14 @@ public abstract class AbstractServiceRef
         
         this.optional = (metadata.getAvailability() == ReferenceMetadata.AVAILABILITY_OPTIONAL);
         this.filter = createOsgiFilter(metadata);
+        
+        if (System.getSecurityManager() != null) {
+            accessControlContext = createAccessControlContext();
+        } else
+        {
+        	accessControlContext = null;
+        }
+
     }
 
 
@@ -178,6 +194,46 @@ public abstract class AbstractServiceRef
         return filter;
     }
 
+	protected Object getServiceSecurely(final ServiceReference serviceReference) {
+		if (accessControlContext == null) {
+			return getBundleContextForServiceLookup().getService(
+					serviceReference);
+
+		} else {
+			// If we're operating with security, use the privileges of the bundle
+			// we're managing to do the lookup
+			return AccessController.doPrivileged(
+					new PrivilegedAction<Object>() {
+						public Object run() {
+							return getBundleContextForServiceLookup()
+									.getService(serviceReference);
+						}
+					}, accessControlContext);
+		}
+	}
+    
+
+	/**
+	 * We may need to execute code within a doPrivileged block, and if so, it should be the 
+	 * privileges of the bundle with the blueprint file that get used, not the privileges 
+	 * of blueprint-core. To achieve this we use an access context. 
+	 * @return
+	 */
+    private AccessControlContext createAccessControlContext() {
+        return new AccessControlContext(AccessController.getContext(),
+                new DomainCombiner() {               
+                    public ProtectionDomain[] combine(ProtectionDomain[] arg0,
+                                                      ProtectionDomain[] arg1) {                    
+                        return new ProtectionDomain[] { new ProtectionDomain(null, null) {                        
+                            public boolean implies(Permission permission) {                                                           
+                                return getBundleContextForServiceLookup().getBundle().hasPermission(permission);
+                            }
+                        } 
+                    };
+                }
+        });
+    }
+
     protected void createListeners() {
             if (listenersRecipe != null) {
                 List<Listener> listeners = (List<Listener>) listenersRecipe.create();

Modified: aries/trunk/blueprint/blueprint-core/src/main/java/org/apache/aries/blueprint/container/ReferenceListRecipe.java
URL: http://svn.apache.org/viewvc/aries/trunk/blueprint/blueprint-core/src/main/java/org/apache/aries/blueprint/container/ReferenceListRecipe.java?rev=1352904&r1=1352903&r2=1352904&view=diff
==============================================================================
--- aries/trunk/blueprint/blueprint-core/src/main/java/org/apache/aries/blueprint/container/ReferenceListRecipe.java (original)
+++ aries/trunk/blueprint/blueprint-core/src/main/java/org/apache/aries/blueprint/container/ReferenceListRecipe.java Fri Jun 22 14:36:37 2012
@@ -209,7 +209,7 @@ public class ReferenceListRecipe extends
                 throw new ServiceUnavailableException("Service is unavailable", getOsgiFilter());
             }
             if (service == null) {
-                service = getBundleContextForServiceLookup().getService(reference);
+                service = getServiceSecurely(reference);
             }
             return service;
         }

Modified: aries/trunk/blueprint/blueprint-core/src/main/java/org/apache/aries/blueprint/container/ReferenceRecipe.java
URL: http://svn.apache.org/viewvc/aries/trunk/blueprint/blueprint-core/src/main/java/org/apache/aries/blueprint/container/ReferenceRecipe.java?rev=1352904&r1=1352903&r2=1352904&view=diff
==============================================================================
--- aries/trunk/blueprint/blueprint-core/src/main/java/org/apache/aries/blueprint/container/ReferenceRecipe.java (original)
+++ aries/trunk/blueprint/blueprint-core/src/main/java/org/apache/aries/blueprint/container/ReferenceRecipe.java Fri Jun 22 14:36:37 2012
@@ -234,11 +234,7 @@ public class ReferenceRecipe extends Abs
             } else {
             
               if (trackedService == null) {
-            	  trackedService = AccessController.doPrivileged(new PrivilegedAction<Object>() {
-            	    public Object run() {
-            		  return getBundleContextForServiceLookup().getService(trackedServiceReference);
-            		}
-            	  });
+            	  trackedService = getServiceSecurely(trackedServiceReference);
               }
               
               if (trackedService == null) {