OSGi Bundle Permissions on Geronimo

OSGi Bundle Permissions on Geronimo

정재부

I am about to make an enterprise cloud OSGi web service by using Apache Geronimo V3.0.

The final goal is to make a custom BundleManager (maybe it is a bundle too) that can do simple bundle actions like install/uninstall/start/stop on the other bundles from any users.

Each bundle is a WAB (web application bundle) and will be added to some Application Bundle.

But I have encountered some critical problems which can cause security issues.

1. Although only the BundleManager I want to make should manage the bundle's lifecycle by using BundleContext, any bundles made by users can use BundleContext in an Activator or any servlet in their bundles. So, for example, Bundle A (from user1) can get Bundle B (from user2) from BundleContext, and Bundle A can stop or uninstall Bundle B with no permission even though Bundle A is not the BundleManager.

2. I used to run the Java security manager and manipulate its (Bundle A) permission, but it didn't work properly. Besides, I can access the Geronimo Web Admin console with no login process. I think that allpermission in the policy file causes this situation.

How can I achieve my goal? I heard that Composite bundle can isolate bundles, but Geronimo didn't support Composite Bundle (CBA). I am really waiting for and appreciate all ideas. Thanks for all your help in advance :)

Re: OSGi Bundle Permissions on Geronimo

Ivan Xu
I am not sure whether OSGi security could help with this. But with the Bundle Hook Service API introduced in v4.3, it is possible to limit/filter the result of those methods, like getBundles(), etc.

There are also other new APIs, which could be used to filter the services and other things. You may refer to the OSGi v4.3 core spec.

2012/8/30 JAEBOO JUNG <[hidden email]>

--
Ivan
Re: OSGi Bundle Permissions on Geronimo

David Jencks
I don't think bundle hooks are a suitable approach to this problem. However, if you want to pursue it further, look into the Equinox regions bundle and, I'd suggest, the Aries subsystem implementation. Using bundle hooks directly is very tricky.

Have you looked at OSGi Conditional Permission Admin? That looks like a much better fit to your problem.

thanks
david jencks

On Sep 2, 2012, at 11:12 PM, Ivan wrote:


Re: OSGi Bundle Permissions on Geronimo

JB Jung
In reply to this post by 정재부
I greatly appreciate your advice.
I've been working very hard to find the solution to that.
As you mentioned in your reply, the OSGi v4.3 core spec introduced some Hook services, like EventHook in the package org.osgi.framework.hooks.bundle and EventHook, which works as a service listener, in the package ...hooks.service.
I thought that I could handle it before some kinds of events, such as Bundle Install/Stop or whatever, are delivered to the OSGi framework by the BundleHost class.
But in the case of the bundle event hook, if I removed any BundleContexts from the collection, I could prevent the event from being delivered only to the associated bundles, not the original bundle. And it is asynchronous, so it is tricky.
I've looked at ConditionalPermissionAdmin before, and I want to try it. But if I add only the -Djava.security.manager argument in the VM options, Geronimo didn't start.

thanks
JB
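
The Conditional Permission Admin approach suggested in the thread, as an added example that is not code from any of the posters or from Geronimo: an ordered permission table that stops user bundles from stopping or uninstalling other bundles. The class name `TenantPolicyActivator`, the `tenant:` location prefix and the small permission set granted to user bundles are assumptions; the table is only enforced when the framework runs with a security manager.

```java
import java.security.AllPermission;
import java.util.List;
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.PackagePermission;
import org.osgi.framework.ServicePermission;
import org.osgi.framework.ServiceReference;
import org.osgi.service.condpermadmin.BundleLocationCondition;
import org.osgi.service.condpermadmin.ConditionInfo;
import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
import org.osgi.service.condpermadmin.ConditionalPermissionInfo;
import org.osgi.service.condpermadmin.ConditionalPermissionUpdate;
import org.osgi.service.permissionadmin.PermissionInfo;

// Hypothetical activator, deployed in a trusted bundle (e.g. the BundleManager itself).
public class TenantPolicyActivator implements BundleActivator {
    // Assumption: the BundleManager installs every user bundle under this location prefix.
    private static final String TENANT_LOCATIONS = "tenant:*";

    public void start(BundleContext context) {
        ServiceReference<ConditionalPermissionAdmin> ref =
                context.getServiceReference(ConditionalPermissionAdmin.class);
        if (ref == null) throw new IllegalStateException("ConditionalPermissionAdmin not available");
        ConditionalPermissionAdmin cpa = context.getService(ref);

        ConditionInfo[] tenants = { new ConditionInfo(
                BundleLocationCondition.class.getName(), new String[] { TENANT_LOCATIONS }) };
        ConditionInfo[] everyone = new ConditionInfo[0];
        PermissionInfo[] all = { new PermissionInfo(AllPermission.class.getName(), "*", "*") };

        ConditionalPermissionUpdate update = cpa.newConditionalPermissionUpdate();
        List<ConditionalPermissionInfo> rows = update.getConditionalPermissionInfos();
        rows.clear(); // replaces any existing table; rows are evaluated top-down, first match wins
        // 1. User bundles may import packages and look up services (a starting point only).
        rows.add(cpa.newConditionalPermissionInfo("tenant-allow", tenants, new PermissionInfo[] {
                new PermissionInfo(PackagePermission.class.getName(), "*", PackagePermission.IMPORT),
                new PermissionInfo(ServicePermission.class.getName(), "*", ServicePermission.GET) },
                ConditionalPermissionInfo.ALLOW));
        // 2. Everything else is denied to them, including AdminPermission "lifecycle"/"execute",
        //    which Bundle.uninstall() and Bundle.stop() check on the calling bundle.
        rows.add(cpa.newConditionalPermissionInfo("tenant-deny-rest", tenants, all,
                ConditionalPermissionInfo.DENY));
        // 3. The server's own bundles and the BundleManager keep full permissions.
        rows.add(cpa.newConditionalPermissionInfo("platform", everyone, all,
                ConditionalPermissionInfo.ALLOW));
        if (!update.commit())
            throw new IllegalStateException("permission table was changed concurrently");
    }

    public void stop(BundleContext context) { }
}
```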