|
|
|
|
|
|
|
Re: Extend RCP to restrict third party plugins [message #436684 is a reply to message #436675] |
Wed, 14 September 2005 22:16 |
Alex Blewitt Messages: 946 Registered: July 2009 |
Senior Member |
|
|
If you're really serious about wanting to restrict items, what about using plain old file permissions? Just have the plugins/ folder writable only by an administrator group, but readable to the rest of the world. That way, no-one can add other items into it, which looks like what you want to do.
Of course, if you just want to use some of Eclipse's functionality (like SWT or JFace) then you could just bundle those Jars and leave out the plugin frameworks.
If you really want to add boot-time checking to a system, then you could always modify Startup.jar. An easier, but potentially less secure, workaround would be to modify your initial plugins to do a search of the IExtensionRegistry to find all known plugins, and then abort if the plugins aren't found.
But frankly, I think you're going to get a lot more calls like 'Eclipse won't start up because it's complaining about an unknown plugin' rather than 'The plugin made it crash' :-) Don't forget that Eclipse has multiple configurations, even with Update Manager, and you can get them to roll back to a last-known-good configuration in a matter of minutes.
|
|
|
Re: Extend RCP to restrict third party plugins [message #436690 is a reply to message #436684] |
Thu, 15 September 2005 03:35 |
Jeff McAffer Messages: 104 Registered: July 2009 |
Senior Member |
|
|
The usecase of locking down an Eclipse configuration is real. We get asked
about it from several different communities. So, what can you do about it?
1) If your app is small (i.e., few plugins) and you don't want update
technology, simply don't include org.eclipse.update.configurator in your
distribution. This is the guy who helpfully discovers and installs the
random plugins you mention.
2) If your app is bigger but you still don't want to use update, you can
write your own configurator. The code is pretty easy (see EclipseStarter
where is handles the osgi.bundles list for an example of installing bundles
in code). Here you can literally do anything you want. Fetch plugins from
a server, install, uninstall, ...
3) if you want to use update technology but don't want the auto discovery
right now the only way to do that is to mark the <site> with the
MANAGED-ONLY policy in the platform.xml. Normally apps do not ship with a
platform.xml as the configurator will automatically discover
plugins/features and create the file for you. In this case you simply ship
your app with a preconfigured file in confgiruation/org.eclipse.update.
There is some interesting reference doc in the help (search for
"platform.xml")
There may be some more but that covers the main ones.
Going forward we are pressing on several fronts. As pointed out, the
Equinox project is looking at various security issues. We hope to have some
login based provision technology in 3.2.
As always, your thoughts and contributions are more than welcomed.
Especially in the area of security.
Jeff
"Alex Blewitt" <alex_blewitt@yahoo.com> wrote in message
news:3336516.1126736218234.JavaMail.root@cp1.javalobby.org...
> If you're really serious about wanting to restrict items, what about using
plain old file permissions? Just have the plugins/ folder writable only by
an administrator group, but readable to the rest of the world. That way,
no-one can add other items into it, which looks like what you want to do.
>
> Of course, if you just want to use some of Eclipse's functionality (like
SWT or JFace) then you could just bundle those Jars and leave out the plugin
frameworks.
>
> If you really want to add boot-time checking to a system, then you could
always modify Startup.jar. An easier, but potentially less secure,
workaround would be to modify your initial plugins to do a search of the
IExtensionRegistry to find all known plugins, and then abort if the plugins
aren't found.
>
> But frankly, I think you're going to get a lot more calls like 'Eclipse
won't start up because it's complaining about an unknown plugin' rather than
'The plugin made it crash' :-) Don't forget that Eclipse has multiple
configurations, even with Update Manager, and you can get them to roll back
to a last-known-good configuration in a matter of minutes.
|
|
|
|
|
|
|
Powered by
FUDForum. Page generated in 0.06435 seconds