
Java 2 security and OSGi Applications

Use Java 2 security in OSGi applications in a similar way to Java 2 security in Java EE applications. This topic describes the aspects specific to using Java 2 security in an OSGi application.

The OSGi specifications allow a permissions.perm file in the OSGI-INF directory of each bundle, which gives fine-grained control over the permissions for each bundle. The OSGi Applications implementation in WebSphere Application Server supports this specification, and also allows a permissions.perm file in the META-INF directory of the OSGi application, which gives coarser-grained control over the permissions for the application as a whole.

A permissions.perm file is a plain text file containing comments or single-line permissions in the following form:

# Permissions file
( org.osgi.framework.AdminPermission "*" "*" )
( org.osgi.framework.PackagePermission "*" "exportonly,import" )
( org.osgi.framework.ServicePermission "*" "get,register")
( org.osgi.framework.BundlePermission "*" "host,provide,fragment")


Relation to Java EE applications and was.policy files

These application-level permissions.perm files have a similar function to was.policy files in enterprise applications. When we convert an application from Java EE to OSGi, any existing was.policy file is converted into a permissions.perm file to be used with the OSGi permissions framework.

In the conversion, any codebases specified within the was.policy file are ignored, and all permissions specified are added to the permissions.perm file. This means that all permissions are promoted to the application level. If we need finer granularity, we can modify the file after conversion. In this case, we would remove the required permissions from the resulting permissions.perm file, and move them into permission files within the OSGI-INF directory for each affected bundle.


Default restrictions and permissions

Every OSGi application has the following default restrictions and permissions, whether or not it has a permissions.perm file. Use a permissions.perm file to add extra restrictions and permissions, or to override default restrictions and permissions.

Default restrictions:

("org.osgi.framework.ServicePermission", "org.osgi.service.condpermadmin.ConditionalPermissionAdmin", "*")
("org.osgi.framework.ServicePermission", "org.osgi.service.permissionadmin.PermissionAdmin", "*")
("org.osgi.framework.ServicePermission", "org.osgi.service.framework.CompositeBundleFactory", "*")
("org.osgi.framework.ServicePermission", "org.osgi.framework.hooks.service.*", "*")
("org.osgi.framework.ServicePermission", "org.osgi.service.packageadmin.PackageAdmin", "*")

Default permissions:

("org.osgi.framework.PackagePermission", "*", "import")
("org.osgi.framework.BundlePermission", "*", "host,provide,fragment")

Any OSGi application with no permissions.perm file also has the following extra permissions:

("java.io.FilePermission", "<application_path>/-", "read,write")
("java.io.FilePermission", "<application_configpath>/-", "read")
("java.lang.RuntimePermission", "loadLibrary.*", "*")
("java.lang.RuntimePermission", "queuePrintJob", "*")
("java.net.SocketPermission", "*", "connect")
("java.util.PropertyPermission", "*", "read")
("org.osgi.framework.PackagePermission", "*", "exportonly,import")
("org.osgi.framework.ServicePermission", "*", "get,register")
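
Because the extra permissions above apply only when the application has no permissions.perm file, it helps to see which of them a newly written file keeps, narrows or drops. The following Python script is an added example, not part of the product documentation: the function names and the sample file are constructed, and matching is by exact type and name rather than full Java permission implication.

```python
import re

# One permission per line: ( type "name" "actions" ); name and actions are optional.
PERM_RE = re.compile(r'^\(\s*([\w.$]+)(?:\s+"([^"]*)")?(?:\s+"([^"]*)")?\s*\)$')

# "Extra permissions" this page lists for an application with no permissions.perm.
NO_FILE_EXTRAS = [
    ("java.io.FilePermission", "<application_path>/-", "read,write"),
    ("java.io.FilePermission", "<application_configpath>/-", "read"),
    ("java.lang.RuntimePermission", "loadLibrary.*", "*"),
    ("java.lang.RuntimePermission", "queuePrintJob", "*"),
    ("java.net.SocketPermission", "*", "connect"),
    ("java.util.PropertyPermission", "*", "read"),
    ("org.osgi.framework.PackagePermission", "*", "exportonly,import"),
    ("org.osgi.framework.ServicePermission", "*", "get,register"),
]

def parse_perm(text):
    """Return ({(type, name): set_of_actions}, [malformed line numbers])."""
    grants, malformed = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or "#" comment, as on the page
            continue
        m = PERM_RE.match(line)
        if not m:
            malformed.append(lineno)
            continue
        actions = {a.strip() for a in (m.group(3) or "").split(",") if a.strip()}
        grants.setdefault((m.group(1), m.group(2) or ""), set()).update(actions)
    return grants, malformed

def compare_with_no_file_extras(grants):
    """Classify each no-file extra as kept, narrowed or dropped (exact type+name match)."""
    report = {}
    for ptype, name, actions in NO_FILE_EXTRAS:
        want, have = set(actions.split(",")), grants.get((ptype, name))
        if have is None:
            report[(ptype, name)] = "dropped"
        elif want == {"*"} or "*" in have or want <= have:
            report[(ptype, name)] = "kept"  # the page writes "*" for RuntimePermission actions
        else:
            report[(ptype, name)] = "narrowed"
    return report

# Constructed sample file, not taken from the page; the last line lacks parentheses.
SAMPLE = '''# Permissions file
( org.osgi.framework.ServicePermission "*" "get" )
( java.util.PropertyPermission "*" "read" )
java.io.FilePermission "/tmp/-" "read"'''
```

Entries reported as "dropped" are the ones to test for access-control failures after the file is added; entries reported as "kept" are broad grants to reconsider before moving permissions into per-bundle files.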


Related:

  • Java 2 security
  • Secure OSGi applications
  • Deploy an OSGi application as a business-level application
  • OSGi Service Platform Release 4 Version 4.2 Enterprise Specification
  • Converting an enterprise application to an OSGi application
  • Converting Java 2 security settings in an enterprise application to OSGi



