Posted to user@karaf.apache.org by jonathanknez <jo...@hotmail.com> on 2018/03/09 00:42:03 UTC

Securing the /deploy folder.

I am currently using ServiceMix 7.0.1 and before that I was directly using
Karaf. I like having the ability to just drop jar files in the SMX/deploy
folder and have it installed automatically. 

Now my app is going to production and I wonder what I can do to secure that
installation technique. Ideally, jar files dropped into that folder would
still get installed but only after passing a signature check; something to
verify the originator of that jar is trusted and the contents have not
changed since they built it.

This may be a stretch but is there any such capability built into Karaf? If
not, any thoughts on what technologies one might use to achieve this result?
Thanks.



--
Sent from: http://karaf.922171.n3.nabble.com/Karaf-User-f930749.html

Re: Securing the /deploy folder.

Posted by jonathanknez <jo...@hotmail.com>.
We have done more work in this area but have run into an issue. We
implemented our own instance of an
org.apache.felix.fileinstall.ArtifactInstaller that verifies the jar is
properly signed before doing the installation. The Felix FileInstall
instance picks up our class and calls it at the correct time. So far so
good. 

The problem we have is that unsigned jars can still be installed. Our
ArtifactInstaller may only install signed jars, but the built in installers
are not so picky. Unfortunately the other installers are in the same bundle
as the FileInstall class itself. We can't just stop the bundle, because if
we do that our ArtifactInstaller never gets called. So you either have the
FileInstall, the ArtifactInstaller interface, and all the default
installers, or you have none of it.

We have opted to work around this disabling the entire Felix file install
bundle and creating our own bundle that does a similar thing. It monitors a
directory for a jar file and installs it if it is properly signed. It will
uninstall it if the file is removed. For our use case, it is an acceptable
byproduct that installation of kar, xml, and config files are no longer
allowed.

For future generations, a bundle can be installed easily from a file on
disk. You end up using the *installBundle* method on the *BundleContext*
object. Here is some example code that utilizes DS (declarative services).

import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;

import org.osgi.framework.Bundle;
import org.osgi.framework.BundleContext;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;

@Component
public class MyClass
{
    @Activate
    public void activate (BundleContext bc) throws Exception
    {
        String path = "/some/path/to/a/file.jar";
        File f = new File(path);
        // The location string must be unique per bundle; the framework reads the jar from the stream.
        // try-with-resources closes the stream once the framework has read it.
        try (InputStream stream = new FileInputStream(f))
        {
            Bundle b = bc.installBundle(path, stream);
            System.out.println("Installed bundle "+b.getBundleId());
        }
    }
}



Re: Securing the /deploy folder.

Posted by jonathanknez <jo...@hotmail.com>.
Thank you JB. You have given us some things to look into. For future
generations, the full name of the ArtifactInstaller interface is
org.apache.felix.fileinstall.ArtifactInstaller. And here is a page that
describes how a jar can be signed:
https://docs.oracle.com/javase/7/docs/technotes/tools/windows/jarsigner.html

We have plenty to research now. 



Re: Securing the /deploy folder.

Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
Hi,

The deploy folder is managed by the deployer.

You can create a deployer that uses jarsigner to verify the jar.

A JarSigner deployer could register an ArtifactInstaller service and implement
the canHandle(), install(), uninstall() methods, delegating to the jar deployer.

NB: we have different deployers scanning the deploy folder (features, blueprint,
spring, kar, etc): it's not only jar, so it depends on what artifacts you want
to "verify".

Regards
JB

On 03/09/2018 01:42 AM, jonathanknez wrote:
> I am currently using ServiceMix 7.0.1 and before that I was directly using
> Karaf. I like having the ability to just drop jar files in the SMX/deploy
> folder and have it installed automatically. 
> 
> Now my app is going to production and I wonder what I can do to secure that
> installation technique. Ideally, jar files dropped into that folder would
> still get installed but only after passing a signature check; something to
> verify the originator of that jar is trusted and the contents have not
> changed since they built it.
> 
> This may be a stretch but is there any such capability built into Karaf? If
> not, any thoughts on what technologies one might use to achieve this result?
> Thanks.
> 
> 
> 
> --
> Sent from: http://karaf.922171.n3.nabble.com/Karaf-User-f930749.html
> 

-- 
Jean-Baptiste Onofré
jbonofre@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com
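A worked version of what both jonathanknez's second post (an ArtifactInstaller that installs only properly signed jars) and JB's reply (a deployer that registers an ArtifactInstaller service with canHandle(), install(), uninstall()) describe, as an added example that is not code from the thread, from Karaf or from Felix FileInstall. The class name SignedJarInstaller and the certificate path /etc/karaf/trusted-signer.cer are assumptions made here. Verification relies on the JDK's own JarFile verifier (which checks the signature block and every entry digest) and then requires that every content entry carries a signer whose certificate equals the trusted one; certificate expiry and revocation are not checked.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import org.apache.felix.fileinstall.ArtifactInstaller;
import org.osgi.framework.Bundle;
import org.osgi.framework.BundleContext;
import org.osgi.framework.BundleException;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;

// Hypothetical ArtifactInstaller that installs only jars signed by one trusted certificate.
// DS registers it as an ArtifactInstaller service, which Felix FileInstall then picks up.
@Component(immediate = true, service = ArtifactInstaller.class)
public class SignedJarInstaller implements ArtifactInstaller {
    // Assumed location of the trusted signer's X.509 certificate (DER or PEM).
    private static final String TRUSTED_CERT_PATH = "/etc/karaf/trusted-signer.cer";
    private BundleContext context;
    private Certificate trustedCert;

    @Activate
    void activate(BundleContext bc) throws Exception {
        context = bc;
        try (InputStream in = new FileInputStream(TRUSTED_CERT_PATH)) {
            trustedCert = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    @Override
    public boolean canHandle(File artifact) {
        return artifact.isFile() && artifact.getName().toLowerCase().endsWith(".jar");
    }

    @Override
    public void install(File artifact) throws Exception {
        requireTrusted(artifact);
        // The location string identifies the bundle later; update/uninstall look it up by it.
        try (InputStream in = new FileInputStream(artifact)) {
            context.installBundle(artifact.toURI().toString(), in).start();
        }
    }

    @Override
    public void update(File artifact) throws Exception {
        Bundle b = context.getBundle(artifact.toURI().toString());
        if (b == null) { install(artifact); return; }
        requireTrusted(artifact); // a replaced file must pass the same check as a new one
        try (InputStream in = new FileInputStream(artifact)) { b.update(in); }
    }

    @Override
    public void uninstall(File artifact) throws Exception {
        Bundle b = context.getBundle(artifact.toURI().toString());
        if (b != null) b.uninstall();
    }

    private void requireTrusted(File artifact) throws IOException, BundleException {
        if (!isSignedBy(artifact, trustedCert))
            throw new BundleException("refusing unsigned, tampered or untrusted jar: " + artifact);
    }

    // True only if every content entry is signed by 'trusted' and every digest verifies.
    // Certificate expiry and revocation are deliberately not checked here.
    static boolean isSignedBy(File jar, Certificate trusted) throws IOException {
        byte[] buf = new byte[8192];
        boolean sawContent = false;
        try (JarFile jf = new JarFile(jar, true)) { // verify=true: digests are checked on read
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || isSignatureRelated(e.getName())) continue;
                // Signers are only known once the entry has been read to the end.
                try (InputStream in = jf.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain; SecurityException on digest mismatch */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null || !anySignerIs(signers, trusted)) return false;
                sawContent = true;
            }
        } catch (SecurityException tampered) {
            return false; // a digest or the signature block did not verify
        }
        return sawContent; // an empty or manifest-only jar does not count as signed
    }

    private static boolean anySignerIs(CodeSigner[] signers, Certificate trusted) {
        for (CodeSigner s : signers) {
            // The first certificate in the path is the signer's own certificate.
            if (trusted.equals(s.getSignerCertPath().getCertificates().get(0))) return true;
        }
        return false;
    }

    private static boolean isSignatureRelated(String name) {
        String n = name.toUpperCase();
        return n.equals("META-INF/MANIFEST.MF") || (n.startsWith("META-INF/")
            && (n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC")));
    }
}
```

As the second post in this thread found, an extra ArtifactInstaller does not stop FileInstall's built-in handling of .jar files, so a service like this only gates what lands in the deploy folder if the stock jar handling is disabled or replaced, as that post describes.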