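Problem implementing ConditionalPermissionAdmin in Apache Karaf

Time: 2015-02-18 18:23:54

Tags: security osgi karaf

I am having trouble trying to implement a security policy management agent that uses ConditionalPermissionAdmin to check a custom permission.

I referred to chapter 14 of the OSGi in Action book. It was a great help. Below is my setup, and I am facing the issue below (described at the end).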

**** Karaf version
karaf@root> version
2.3.6

**** Added below in etc/custom.properties:
org.osgi.framework.security=osgi
com.security.policy.file=${karaf.base}/etc/security.policy

**** Added all permission policy file <KARAF_BASE>/etc/all.policy with below content:
grant { permission java.security.AllPermission; };

**** Added below in etc/system.properties:
java.security.policy=${karaf.base}/etc/all.policy
felix.keystore=file:${karaf.base}/etc/my_cert.ks   
felix.keystore.pass=welcome1
felix.keystore.type=jks

**** Downloaded and copied security framework provider bundle jar (org.apache.felix.framework.security-2.4.0.jar)  to the <KARAF_BASE>/system folder
<KARAF_BASE>/system/org/apache/felix/org.apache.felix.framework/security/2.4.0/org.apache.felix.framework.security-2.4.0.jar    

**** Made the security provider framework jar as part of startup bundles, by adding to etc/startup.properties with below entry
org/apache/felix/org.apache.felix.framework/security/2.4.0/org.apache.felix.framework.security-2.4.0.jar=5

**** Created a custom policy file <KARAF_BASE>/etc/security.policy (with below content) for the 
security policy management agent to read and enforce using ConditionalPermissionAdmin

    ALLOW {
        [ org.osgi.service.condpermadmin.BundleSignerCondition "CN=core, O=core, C=IN" ]
        (com.security.MyResourceAccessPermission "allow" "user1")
    } "Bundles Signed by core are allowed to access the resource for user1"
    ALLOW {
        ( java.security.AllPermission "*" "*")
    } "Give all other not denied permissions to all bundles"

Note: MyResourceAccessPermission is a custom permission, along with its MyResourceAccessPermissionCollection class, to implement resource access only for specific users. So in the Java code, the user name would come as an argument, which would be passed for the access check like below:

    public void foo(String user, ...) {
        AccessController.checkPermission(new MyResourceAccessPermission(MyResourceAccessPermission.ALLOW, user));
        connectToResource(...);
    }

**** Created an Activator (with same code as in chapter-14 of OSGi in Action) to read above custom policy file
**** I have two bundles 
1) SecurityAgent.jar - the security agent management bundle that reads and initializes the ConditionalPermissionAdmin
2) MyResource.jar - this checks for MyResourceAccessPermission and accesses the protected resource called by the clients
3) MyResourceClient.jar - client bundle which uses MyResource.jar bundle to access the resource by passing the user name

**** Issue
When I deploy and start the above bundles, I don't see MyResourceAccessPermission being created.
But MyResourceAccessPermissionCollection does get called for the implies() method.
Since it does not have any MyResourceAccessPermission objects to check against, it always
returns true, which always passes the security check.
Even if I pass a different user name than the one defined in the policy file, it passes the security check.

It looks like the listed MyResourceAccessPermission entries in the custom policy file (security.policy)
are not getting added to MyResourceAccessPermissionCollection by the security manager.

I have tested MyResourceAccessPermission and MyResourceAccessPermissionCollection as standalone java application with
standard security policy like below which works as expected, but I am having trouble working this in OSGi env (Karaf)

    grant {
        permission com.security.MyResourceAccessPermission "allow", "user1";
    };

I am not sure what I am missing. I have been trying to solve this for a few days, but no luck.
Any help would be great.

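1 Answer:

Answer 0: (score: 0)

I got it working. Here were the problems.

1) The BundleSignerCondition condition string was wrong, so MyResourceAccessPermission was not being checked.

2) After I fixed the first problem, I had to fix the policy entries as follows: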

    ALLOW {
        [ org.osgi.service.condpermadmin.BundleSignerCondition "CN=core, OU=core,   O=core, L=core, S=KA, C=IN" ]
        (com.security.MyResourceAccessPermission "allow" "user1")  
    } "Bundles Signed by core are allowed to access the resource for user1"
    DENY {
        [ org.osgi.service.condpermadmin.BundleSignerCondition "CN=core, OU=core, O=core, L=core, S=KA, C=IN" ]
        (com.security.MyResourceAccessPermission "*" "*")  
    } "Deny all user access"
    ALLOW {
        ( java.security.AllPermission "*" "*")
    } "Give all other not denied permissions to all bundles"

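Here are my findings:

  1. CPA (ConditionalPermissionAdmin) evaluates the policies in the order given.

  2. If a policy does not imply (implies = false), it does not throw an exception, but tries to evaluate the next policy in the order. This is very important. If no other policy in the list implies this access (implies = true), it assumes that no matching policy is defined; hence, because of the last AllPermission policy, the access check passes.

  3. A specific policy should be defined to imply [true = allow (implies = true)] a required permission, or to deny a non-required permission [true = deny (implied = false)].
  4. If you want to allow only certain permissions, define all the allow policies first, and then all the deny policies. So if the access is not allowed, it gets caught by the deny policy.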
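The ordering behaviour described in the answer, as an added example that is not part of the original post: a simplified Python model of the first-match table walk, run against the question's policy, the policy with only the signer string fixed, and the answer's final policy. It assumes the bundle's signer DN is the long one from the answer, that DN matching is exact after whitespace normalisation, and that `"*"` in the custom permission acts as a wildcard; `check`, `policy` and `report` are hypothetical names.

```python
# Simplified model of the ordered ConditionalPermissionAdmin table (added example).
# Assumptions: DN matching is exact after whitespace normalisation, and "*" in a
# permission's name or action is a wildcard, as the answer's DENY row implies.
ALL = ("java.security.AllPermission", "*", "*")
MY = "com.security.MyResourceAccessPermission"
CERT_DN = "CN=core, OU=core, O=core, L=core, S=KA, C=IN"  # assumed signer DN

def norm(dn):
    return ",".join(part.strip() for part in dn.split(","))

def implies(granted, wanted):
    g_type, g_name, g_action = granted
    w_type, w_name, w_action = wanted
    if g_type == ALL[0]:
        return True  # AllPermission implies every permission
    return (g_type == w_type and g_name in ("*", w_name)
            and g_action in ("*", w_action))

def check(table, bundle_signer, wanted):
    """Return the decision of the first row whose condition and permission match."""
    for decision, signer, granted in table:
        if signer is not None and norm(signer) != norm(bundle_signer or ""):
            continue  # condition not satisfied: row is skipped, not an error
        if implies(granted, wanted):
            return decision
    return "DENY"  # no row matched a non-empty table

def policy(signer_dn, with_deny):
    rows = [("ALLOW", signer_dn, (MY, "allow", "user1"))]
    if with_deny:
        rows.append(("DENY", signer_dn, (MY, "*", "*")))
    rows.append(("ALLOW", None, ALL))  # unconditional catch-all row
    return rows

def report():
    user1, user2 = (MY, "allow", "user1"), (MY, "allow", "user2")
    question = policy("CN=core, O=core, C=IN", with_deny=False)
    dn_fixed = policy(CERT_DN, with_deny=False)
    answer = policy(CERT_DN, with_deny=True)
    return {
        "question/user2": check(question, CERT_DN, user2),
        "dn_fixed/user2": check(dn_fixed, CERT_DN, user2),
        "answer/user1": check(answer, CERT_DN, user1),
        "answer/user2": check(answer, CERT_DN, user2),
        "answer/unsigned/user2": check(answer, None, user2),
    }

if __name__ == "__main__":
    for case, decision in report().items():
        print(f"{case}: {decision}")
```

Each result is the decision for one bundle's protection domain; `AccessController.checkPermission` requires every domain on the call stack to pass. The last case shows that a bundle not signed by core skips both signer-conditioned rows and is granted by the final AllPermission row.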