Posted to commits@aries.apache.org by cu...@apache.org on 2012/06/22 16:36:38 UTC
svn commit: r1352904 - in
/aries/trunk/blueprint/blueprint-core/src/main/java/org/apache/aries/blueprint/container:
AbstractServiceReferenceRecipe.java ReferenceListRecipe.java
ReferenceRecipe.java
Author: cumminsh
Date: Fri Jun 22 14:36:37 2012
New Revision: 1352904
URL: http://svn.apache.org/viewvc?rev=1352904&view=rev
Log:
[ARIES-363] Use managed bundle's access context in doPrivileged calls
Modified:
aries/trunk/blueprint/blueprint-core/src/main/java/org/apache/aries/blueprint/container/AbstractServiceReferenceRecipe.java
aries/trunk/blueprint/blueprint-core/src/main/java/org/apache/aries/blueprint/container/ReferenceListRecipe.java
aries/trunk/blueprint/blueprint-core/src/main/java/org/apache/aries/blueprint/container/ReferenceRecipe.java
Modified: aries/trunk/blueprint/blueprint-core/src/main/java/org/apache/aries/blueprint/container/AbstractServiceReferenceRecipe.java
URL: http://svn.apache.org/viewvc/aries/trunk/blueprint/blueprint-core/src/main/java/org/apache/aries/blueprint/container/AbstractServiceReferenceRecipe.java?rev=1352904&r1=1352903&r2=1352904&view=diff
==============================================================================
--- aries/trunk/blueprint/blueprint-core/src/main/java/org/apache/aries/blueprint/container/AbstractServiceReferenceRecipe.java (original)
+++ aries/trunk/blueprint/blueprint-core/src/main/java/org/apache/aries/blueprint/container/AbstractServiceReferenceRecipe.java Fri Jun 22 14:36:37 2012
@@ -19,6 +19,12 @@
package org.apache.aries.blueprint.container;
import java.lang.reflect.Method;
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.DomainCombiner;
+import java.security.Permission;
+import java.security.PrivilegedAction;
+import java.security.ProtectionDomain;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
@@ -81,6 +87,8 @@ public abstract class AbstractServiceRef
private final AtomicBoolean satisfied = new AtomicBoolean();
private SatisfactionListener satisfactionListener;
+ private final AccessControlContext accessControlContext;
+
protected AbstractServiceReferenceRecipe(String name,
ExtendedBlueprintContainer blueprintContainer,
ServiceReferenceMetadata metadata,
@@ -96,6 +104,14 @@ public abstract class AbstractServiceRef
this.optional = (metadata.getAvailability() == ReferenceMetadata.AVAILABILITY_OPTIONAL);
this.filter = createOsgiFilter(metadata);
+
+ if (System.getSecurityManager() != null) {
+ accessControlContext = createAccessControlContext();
+ } else
+ {
+ accessControlContext = null;
+ }
+
}
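Review bot: The call to `createAccessControlContext()` added to the constructor runs outside any `doPrivileged` block, and the two-argument `AccessControlContext(AccessControlContext, DomainCombiner)` constructor it uses performs a `SecurityPermission("createAccessControlContext")` check when a security manager is installed. That check is evaluated against whatever code is on the stack when the recipe is constructed, so every such caller, not only blueprint-core, would need the permission; the callers are not visible in this hunk. Either create the context inside a `doPrivileged` block or document the requirement on the constructor, e.g. `// Requires SecurityPermission("createAccessControlContext") for every caller on the stack`. The presence of a security manager is also sampled only once here, so a manager installed after construction leaves `accessControlContext` null for the life of the recipe. The constructor starts outside the hunk.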
@@ -178,6 +194,46 @@ public abstract class AbstractServiceRef
return filter;
}
+ protected Object getServiceSecurely(final ServiceReference serviceReference) {
+ if (accessControlContext == null) {
+ return getBundleContextForServiceLookup().getService(
+ serviceReference);
+
+ } else {
+ // If we're operating with security, use the privileges of the bundle
+ // we're managing to do the lookup
+ return AccessController.doPrivileged(
+ new PrivilegedAction<Object>() {
+ public Object run() {
+ return getBundleContextForServiceLookup()
+ .getService(serviceReference);
+ }
+ }, accessControlContext);
+ }
+ }
+
+
+ /**
+ * We may need to execute code within a doPrivileged block, and if so, it should be the
+ * privileges of the bundle with the blueprint file that get used, not the privileges
+ * of blueprint-core. To achieve this we use an access context.
+ * @return
+ */
+ private AccessControlContext createAccessControlContext() {
+ return new AccessControlContext(AccessController.getContext(),
+ new DomainCombiner() {
+ public ProtectionDomain[] combine(ProtectionDomain[] arg0,
+ ProtectionDomain[] arg1) {
+ return new ProtectionDomain[] { new ProtectionDomain(null, null) {
+ public boolean implies(Permission permission) {
+ return getBundleContextForServiceLookup().getBundle().hasPermission(permission);
+ }
+ }
+ };
+ }
+ });
+ }
+
protected void createListeners() {
if (listenersRecipe != null) {
List<Listener> listeners = (List<Listener>) listenersRecipe.create();
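Review bot: The `DomainCombiner` in `createAccessControlContext()` ignores both `arg0` and `arg1` and returns a single synthetic `ProtectionDomain`, so inside `getServiceSecurely` a permission check appears to reduce to `getBundle().hasPermission(permission)` alone. Any other code that ends up on the stack inside the privileged action (for example a service factory invoked by `getService`) would then be judged by the managed bundle's permissions rather than its own; if that is intended, state it in the Javadoc, e.g. `Note: the combiner replaces every domain on the stack with the managed bundle's permissions.` The empty `@return` tag should read `@return a context whose permission checks delegate to the managed bundle`. `implies` also calls `getBundleContextForServiceLookup().getBundle()` on every check, so an invalidated bundle context would presumably surface as an exception from inside the security check rather than as a denial, which is worth confirming. The `createListeners` method at the end of the hunk continues outside it.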
Modified: aries/trunk/blueprint/blueprint-core/src/main/java/org/apache/aries/blueprint/container/ReferenceListRecipe.java
URL: http://svn.apache.org/viewvc/aries/trunk/blueprint/blueprint-core/src/main/java/org/apache/aries/blueprint/container/ReferenceListRecipe.java?rev=1352904&r1=1352903&r2=1352904&view=diff
==============================================================================
--- aries/trunk/blueprint/blueprint-core/src/main/java/org/apache/aries/blueprint/container/ReferenceListRecipe.java (original)
+++ aries/trunk/blueprint/blueprint-core/src/main/java/org/apache/aries/blueprint/container/ReferenceListRecipe.java Fri Jun 22 14:36:37 2012
@@ -209,7 +209,7 @@ public class ReferenceListRecipe extends
throw new ServiceUnavailableException("Service is unavailable", getOsgiFilter());
}
if (service == null) {
- service = getBundleContextForServiceLookup().getService(reference);
+ service = getServiceSecurely(reference);
}
return service;
}
Modified: aries/trunk/blueprint/blueprint-core/src/main/java/org/apache/aries/blueprint/container/ReferenceRecipe.java
URL: http://svn.apache.org/viewvc/aries/trunk/blueprint/blueprint-core/src/main/java/org/apache/aries/blueprint/container/ReferenceRecipe.java?rev=1352904&r1=1352903&r2=1352904&view=diff
==============================================================================
--- aries/trunk/blueprint/blueprint-core/src/main/java/org/apache/aries/blueprint/container/ReferenceRecipe.java (original)
+++ aries/trunk/blueprint/blueprint-core/src/main/java/org/apache/aries/blueprint/container/ReferenceRecipe.java Fri Jun 22 14:36:37 2012
@@ -234,11 +234,7 @@ public class ReferenceRecipe extends Abs
} else {
if (trackedService == null) {
- trackedService = AccessController.doPrivileged(new PrivilegedAction<Object>() {
- public Object run() {
- return getBundleContextForServiceLookup().getService(trackedServiceReference);
- }
- });
+ trackedService = getServiceSecurely(trackedServiceReference);
}
if (trackedService == null) {