Hi!
In our application we want to use JAAS to authenticate and authorise users and their access to defined functions.
Therefore I have activated OSGi Security and added the correct AllPermission-Policy and the Equinox FrameworkSecurityManager while starting the application.
Performing “normal” checkPermission-Operations, all security evaluations are executed as expected. You can use the specific bundle permissions and the call stack is considered in the right way.
However, using a Subject.doAsPrivileged call to perform operations as a specific user, the ProtectionDomains of the bundles are not considered and the user always has AllPermission.
Googling for this behaviour, I found a bug report in the Felix bug database https://issues.apache.org/jira/browse/FELIX-654 describing this problem.
Using Equinox, can this happen the same way? And is there a proper workaround for this problem or is it not possible to use Subject.doAsPrivileged at the moment?
Thanks for your help
Florian Pepping
By the way, here are the AccessControlContexts before the Subject.doAsPrivileged and within the Subject.doAsPrivileged call:
Before the Subject.doAsPrivileged call:
ProtectionDomain (file:/D:/Sandboxes/DS/src/com.test/classes/ <no signer certificates>)
null
<no principals>
org.eclipse.osgi.framework.internal.core.BundleCombinedPermissions@5d72e2 (-> here I have a BundleCombinedPermission)
With the Subject.doAsPrivileged call:
ProtectionDomain (file:/D:/Sandboxes/DS/src/com.test/classes/ <no signer certificates>)
null
<no principals>
java.security.Permissions@39d3d3 ( -> here I have a “normal” PermissionCollection for this CodeBase
(java.security.AllPermission <all permissions> <all actions>)
)