X-Git-Url: http://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Finternal%2Fkernel%2FSecurityProfile.java;h=9e6e3b96bd341145a4d92995e121bdaf8ec17a63;hb=7954fac52a6e7db11d9240cfbea85017c5612f19;hp=358b212b1cbaf765690f44afbcfea7df399944b3;hpb=088c1b517a543e935d8ab65c3b2fd2d0269b551d;p=lgpl%2Fargeo-commons.git
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/SecurityProfile.java b/org.argeo.cms/src/org/argeo/cms/internal/kernel/SecurityProfile.java
index 358b212b1..9e6e3b96b 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/SecurityProfile.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/SecurityProfile.java
@@ -6,11 +6,9 @@ import java.net.SocketPermission;
 import java.security.AllPermission;
 import java.util.PropertyPermission;
-import javax.management.MBeanPermission;
-import javax.management.MBeanServerPermission;
-import javax.management.MBeanTrustPermission;
 import javax.security.auth.AuthPermission;
+import org.argeo.node.NodeUtils;
 import org.osgi.framework.AdminPermission;
 import org.osgi.framework.Bundle;
 import org.osgi.framework.BundleContext;
@@ -22,26 +20,35 @@ import org.osgi.service.condpermadmin.ConditionInfo;
 import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
 import org.osgi.service.condpermadmin.ConditionalPermissionInfo;
 import org.osgi.service.condpermadmin.ConditionalPermissionUpdate;
+import org.osgi.service.permissionadmin.PermissionAdmin;
 import org.osgi.service.permissionadmin.PermissionInfo;
-import bitronix.tm.BitronixTransactionManager;
-
+/** Security profile based on OSGi {@link PermissionAdmin}. */
 public interface SecurityProfile {
 BundleContext bc = FrameworkUtil.getBundle(SecurityProfile.class).getBundleContext();
 default void applySystemPermissions(ConditionalPermissionAdmin permissionAdmin) {
 ConditionalPermissionUpdate update = permissionAdmin.newConditionalPermissionUpdate();
 // Self
+ String nodeAPiBundleLocation = locate(NodeUtils.class);
 update.getConditionalPermissionInfos()
 .add(permissionAdmin.newConditionalPermissionInfo(null,
 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
- new String[] { locate(SecurityProfile.class) }) },
+ new String[] { nodeAPiBundleLocation }) },
 new PermissionInfo[] { new PermissionInfo(AllPermission.class.getName(), null, null) },
 ConditionalPermissionInfo.ALLOW));
+ String cmsBundleLocation = locate(SecurityProfile.class);
 update.getConditionalPermissionInfos()
 .add(permissionAdmin.newConditionalPermissionInfo(null,
 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
- new String[] { bc.getBundle(0).getLocation() }) },
+ new String[] { cmsBundleLocation }) },
+ new PermissionInfo[] { new PermissionInfo(AllPermission.class.getName(), null, null) },
+ ConditionalPermissionInfo.ALLOW));
+ String frameworkBundleLocation = bc.getBundle(0).getLocation();
+ update.getConditionalPermissionInfos()
+ .add(permissionAdmin.newConditionalPermissionInfo(null,
+ new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
+ new String[] { frameworkBundleLocation }) },
 new PermissionInfo[] { new PermissionInfo(AllPermission.class.getName(), null, null) },
 ConditionalPermissionInfo.ALLOW));
 // All
@@ -107,15 +114,15 @@ public interface SecurityProfile {
 // ConditionalPermissionInfo.ALLOW));
 // Bitronix
- update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
- new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
- new String[] { locate(BitronixTransactionManager.class) }) },
- new PermissionInfo[] { new PermissionInfo(PropertyPermission.class.getName(), "bitronix.tm.*", "read"),
- new PermissionInfo(RuntimePermission.class.getName(), "getClassLoader", null),
- new PermissionInfo(MBeanServerPermission.class.getName(), "createMBeanServer", null),
- new PermissionInfo(MBeanPermission.class.getName(), "bitronix.tm.*", "registerMBean"),
- new PermissionInfo(MBeanTrustPermission.class.getName(), "register", null) },
- ConditionalPermissionInfo.ALLOW));
+// update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
+// new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
+// new String[] { locate(BitronixTransactionManager.class) }) },
+// new PermissionInfo[] { new PermissionInfo(PropertyPermission.class.getName(), "bitronix.tm.*", "read"),
+// new PermissionInfo(RuntimePermission.class.getName(), "getClassLoader", null),
+// new PermissionInfo(MBeanServerPermission.class.getName(), "createMBeanServer", null),
+// new PermissionInfo(MBeanPermission.class.getName(), "bitronix.tm.*", "registerMBean"),
+// new PermissionInfo(MBeanTrustPermission.class.getName(), "register", null) },
+// ConditionalPermissionInfo.ALLOW));
 // DS
 Bundle dsBundle = findBundle("org.eclipse.equinox.ds");
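Review bot: The local introduced for the node API bundle is mis-cased, `String nodeAPiBundleLocation = locate(NodeUtils.class);`; rename it to `nodeApiBundleLocation` on both lines that use it. The three AllPermission grants (node API bundle, this CMS bundle, the framework bundle) carry no comment saying why each one needs unrestricted permissions, which will make narrowing them later guesswork; a one-line comment above each grant giving the concrete reason is worth adding. The new Javadoc links `{@link PermissionAdmin}` while the method is driven entirely by ConditionalPermissionAdmin, so `{@link ConditionalPermissionAdmin}` would match the code and the added import would no longer be needed only for the link. `locate()` is defined outside this hunk and applySystemPermissions continues past it.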
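Review bot: The Bitronix grant is kept as nine commented-out lines instead of being deleted, and the javax.management imports it relies on were removed in the first hunk, so uncommenting it would not even compile; the same applies to the four commented-out Blueprint/Spring blocks in the next hunk. Version control already preserves the removed grant, so the dead code should go, leaving at most `// Bitronix: no grant; the transaction manager is no longer part of this profile`. If the intent is to re-enable it later, a comment naming the condition under which that happens is more useful to the next maintainer than the code itself.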
@@ -135,52 +142,68 @@ public interface SecurityProfile {
 ConditionalPermissionInfo.ALLOW));
 // Jetty
- Bundle jettyUtilBundle = findBundle("org.eclipse.equinox.http.jetty");
+ // Bundle jettyUtilBundle = findBundle("org.eclipse.equinox.http.jetty");
 update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
 new String[] { "*/org.eclipse.jetty.*" }) },
 new PermissionInfo[] { new PermissionInfo(FilePermission.class.getName(), "<>", "read,write,delete"), },
 ConditionalPermissionInfo.ALLOW));
+ Bundle servletBundle = findBundle("javax.servlet");
+ update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
+ new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
+ new String[] { servletBundle.getLocation() }) },
+ new PermissionInfo[] { new PermissionInfo(PropertyPermission.class.getName(),
+ "org.glassfish.web.rfc2109_cookie_names_enforced", "read") },
+ ConditionalPermissionInfo.ALLOW));
- // Blueprint
- Bundle blueprintBundle = findBundle("org.eclipse.gemini.blueprint.core");
- update.getConditionalPermissionInfos()
- .add(permissionAdmin.newConditionalPermissionInfo(null,
- new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
- new String[] { blueprintBundle.getLocation() }) },
- new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null),
- new PermissionInfo(AdminPermission.class.getName(), "*", "*"), },
- ConditionalPermissionInfo.ALLOW));
- Bundle blueprintExtenderBundle = findBundle("org.eclipse.gemini.blueprint.extender");
- update.getConditionalPermissionInfos()
- .add(permissionAdmin
- .newConditionalPermissionInfo(null,
- new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
- new String[] { blueprintExtenderBundle.getLocation() }) },
- new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null),
- new PermissionInfo(PropertyPermission.class.getName(), "org.eclipse.gemini.*",
- "read"),
- new PermissionInfo(AdminPermission.class.getName(), "*", "*"),
- new PermissionInfo(ServicePermission.class.getName(), "*", "register"), },
- ConditionalPermissionInfo.ALLOW));
- Bundle springCoreBundle = findBundle("org.springframework.core");
+ // required to be able to get the BundleContext in the customizer
+ Bundle jettyCustomizerBundle = findBundle("org.argeo.ext.equinox.jetty");
 update.getConditionalPermissionInfos()
 .add(permissionAdmin.newConditionalPermissionInfo(null,
 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
- new String[] { springCoreBundle.getLocation() }) },
- new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null),
- new PermissionInfo(AdminPermission.class.getName(), "*", "*"), },
- ConditionalPermissionInfo.ALLOW));
- Bundle blueprintIoBundle = findBundle("org.eclipse.gemini.blueprint.io");
- update.getConditionalPermissionInfos()
- .add(permissionAdmin.newConditionalPermissionInfo(null,
- new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
- new String[] { blueprintIoBundle.getLocation() }) },
- new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null),
- new PermissionInfo(AdminPermission.class.getName(), "*", "*"), },
+ new String[] { jettyCustomizerBundle.getLocation() }) },
+ new PermissionInfo[] { new PermissionInfo(AdminPermission.class.getName(), "*", "*"), },
 ConditionalPermissionInfo.ALLOW));
+ // Blueprint
+// Bundle blueprintBundle = findBundle("org.eclipse.gemini.blueprint.core");
+// update.getConditionalPermissionInfos()
+// .add(permissionAdmin.newConditionalPermissionInfo(null,
+// new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
+// new String[] { blueprintBundle.getLocation() }) },
+// new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null),
+// new PermissionInfo(AdminPermission.class.getName(), "*", "*"), },
+// ConditionalPermissionInfo.ALLOW));
+// Bundle blueprintExtenderBundle = findBundle("org.eclipse.gemini.blueprint.extender");
+// update.getConditionalPermissionInfos()
+// .add(permissionAdmin
+// .newConditionalPermissionInfo(null,
+// new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
+// new String[] { blueprintExtenderBundle.getLocation() }) },
+// new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null),
+// new PermissionInfo(PropertyPermission.class.getName(), "org.eclipse.gemini.*",
+// "read"),
+// new PermissionInfo(AdminPermission.class.getName(), "*", "*"),
+// new PermissionInfo(ServicePermission.class.getName(), "*", "register"), },
+// ConditionalPermissionInfo.ALLOW));
+// Bundle springCoreBundle = findBundle("org.springframework.core");
+// update.getConditionalPermissionInfos()
+// .add(permissionAdmin.newConditionalPermissionInfo(null,
+// new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
+// new String[] { springCoreBundle.getLocation() }) },
+// new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null),
+// new PermissionInfo(AdminPermission.class.getName(), "*", "*"), },
+// ConditionalPermissionInfo.ALLOW));
+// Bundle blueprintIoBundle = findBundle("org.eclipse.gemini.blueprint.io");
+// update.getConditionalPermissionInfos()
+// .add(permissionAdmin.newConditionalPermissionInfo(null,
+// new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
+// new String[] { blueprintIoBundle.getLocation() }) },
+// new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null),
+// new PermissionInfo(AdminPermission.class.getName(), "*", "*"), },
+// ConditionalPermissionInfo.ALLOW));
+ // Equinox
 Bundle registryBundle = findBundle("org.eclipse.equinox.registry");
 update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
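Review bot: The new grant for the `org.argeo.ext.equinox.jetty` bundle is `AdminPermission("*", "*")`, which is wider than the comment above it justifies: the OSGi core specification requires only the `context` action for `Bundle.getBundleContext()`, so the line can be narrowed to `new PermissionInfo[] { new PermissionInfo(AdminPermission.class.getName(), "*", "context"), },`. The added `servletBundle.getLocation()` and `jettyCustomizerBundle.getLocation()` calls dereference the result of `findBundle` without a check; `findBundle` is defined outside this hunk, and if it returns null for an absent bundle the whole update is abandoned by a NullPointerException before `update.commit()` runs. On the unchanged Jetty context line the FilePermission target shows as `"<>"`, which looks like `<<ALL FILES>>` with the angle brackets lost in rendering; confirming that is worthwhile because it is paired with the wildcard location `*/org.eclipse.jetty.*`. applySystemPermissions starts and ends outside this hunk.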
@@ -238,35 +261,49 @@ public interface SecurityProfile {
 new PermissionInfo[] {
 new PermissionInfo(FilePermission.class.getName(), "<>", "read,write,delete"),
 new PermissionInfo(PropertyPermission.class.getName(), "*", "read,write"),
+ new PermissionInfo(AuthPermission.class.getName(), "getSubject", null),
 new PermissionInfo(AuthPermission.class.getName(), "getLoginConfiguration", null),
 new PermissionInfo(AuthPermission.class.getName(), "createLoginContext.Jackrabbit", null), },
 ConditionalPermissionInfo.ALLOW));
+ Bundle jackrabbitDataBundle = findBundle("org.apache.jackrabbit.data");
+ update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
+ new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
+ new String[] { jackrabbitDataBundle.getLocation() }) },
+ new PermissionInfo[] { new PermissionInfo(PropertyPermission.class.getName(), "*", "read,write") },
+ ConditionalPermissionInfo.ALLOW));
 Bundle jackrabbitCommonBundle = findBundle("org.apache.jackrabbit.jcr.commons");
 update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
 new String[] { jackrabbitCommonBundle.getLocation() }) },
- new PermissionInfo[] {
+ new PermissionInfo[] { new PermissionInfo(AuthPermission.class.getName(), "getSubject", null),
 new PermissionInfo(AuthPermission.class.getName(), "createLoginContext.Jackrabbit", null), },
 ConditionalPermissionInfo.ALLOW));
- Bundle tikaCoreBundle = findBundle("org.apache.tika.core");
+
+ Bundle jackrabbitExtBundle = findBundle("org.argeo.ext.jackrabbit");
 update.getConditionalPermissionInfos()
 .add(permissionAdmin.newConditionalPermissionInfo(null,
 new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
- new String[] { tikaCoreBundle.getLocation() }) },
- new PermissionInfo[] { new PermissionInfo(PropertyPermission.class.getName(), "*", "read"),
- new PermissionInfo(AdminPermission.class.getName(), "*", "*") },
+ new String[] { jackrabbitExtBundle.getLocation() }) },
+ new PermissionInfo[] { new PermissionInfo(AuthPermission.class.getName(), "*", "*"), },
 ConditionalPermissionInfo.ALLOW));
+
+ // Tika
+ Bundle tikaCoreBundle = findBundle("org.apache.tika.core");
+ update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
+ new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
+ new String[] { tikaCoreBundle.getLocation() }) },
+ new PermissionInfo[] { new PermissionInfo(PropertyPermission.class.getName(), "*", "read,write"),
+ new PermissionInfo(AdminPermission.class.getName(), "*", "*") },
+ ConditionalPermissionInfo.ALLOW));
 Bundle luceneBundle = findBundle("org.apache.lucene");
- update.getConditionalPermissionInfos()
- .add(permissionAdmin.newConditionalPermissionInfo(null,
- new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
- new String[] { luceneBundle.getLocation() }) },
- new PermissionInfo[] {
- new PermissionInfo(FilePermission.class.getName(), "<>",
- "read,write,delete"),
- new PermissionInfo(PropertyPermission.class.getName(), "*", "read"),
- new PermissionInfo(AdminPermission.class.getName(), "*", "*") },
- ConditionalPermissionInfo.ALLOW));
+ update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
+ new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
+ new String[] { luceneBundle.getLocation() }) },
+ new PermissionInfo[] {
+ new PermissionInfo(FilePermission.class.getName(), "<>", "read,write,delete"),
+ new PermissionInfo(PropertyPermission.class.getName(), "*", "read"),
+ new PermissionInfo(AdminPermission.class.getName(), "*", "*") },
+ ConditionalPermissionInfo.ALLOW));
 // COMMIT
 update.commit();
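Review bot: The new grant for `org.argeo.ext.jackrabbit` is `new PermissionInfo(AuthPermission.class.getName(), "*", "*")`, a blanket AuthPermission that covers every JAAS target (doAs, doAsPrivileged, modifyPrincipals, setLoginConfiguration and the rest), whereas the neighbouring Jackrabbit entries in this same hunk enumerate exactly what they need (`getSubject`, `createLoginContext.Jackrabbit`); the extension bundle should list its targets the same way, e.g. `new PermissionInfo(AuthPermission.class.getName(), "getSubject", null), new PermissionInfo(AuthPermission.class.getName(), "createLoginContext.Jackrabbit", null)`, adjusted to what it actually calls. The Tika grant also widens PropertyPermission from `"read"` to `"read,write"` on target `"*"` without a comment; a short note naming the property Tika writes would let a later reviewer narrow the target. Both new bundles come from `findBundle`, defined outside this hunk, and are dereferenced without a null check, as elsewhere in the method. applySystemPermissions starts outside this hunk.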