X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Finternal%2Fkernel%2FSecurityProfile.java;h=127cb9a8a6207928f3b93f2475629c7e4ef951e4;hb=3c7803ca05e2b0276d635e64046d924d3f1884c9;hp=7d5242fa268dd026ac264a9f105149700ae776bb;hpb=810aecacb19916bade7e4bcfcbbb54c301f672df;p=lgpl%2Fargeo-commons.git diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/SecurityProfile.java b/org.argeo.cms/src/org/argeo/cms/internal/kernel/SecurityProfile.java index 7d5242fa2..127cb9a8a 100644 --- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/SecurityProfile.java +++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/SecurityProfile.java @@ -8,6 +8,7 @@ import java.util.PropertyPermission; import javax.security.auth.AuthPermission; +import org.argeo.api.NodeUtils; import org.osgi.framework.AdminPermission; import org.osgi.framework.Bundle; import org.osgi.framework.BundleContext; @@ -19,24 +20,35 @@ import org.osgi.service.condpermadmin.ConditionInfo; import org.osgi.service.condpermadmin.ConditionalPermissionAdmin; import org.osgi.service.condpermadmin.ConditionalPermissionInfo; import org.osgi.service.condpermadmin.ConditionalPermissionUpdate; +import org.osgi.service.permissionadmin.PermissionAdmin; import org.osgi.service.permissionadmin.PermissionInfo; +/** Security profile based on OSGi {@link PermissionAdmin}. */ public interface SecurityProfile { BundleContext bc = FrameworkUtil.getBundle(SecurityProfile.class).getBundleContext(); default void applySystemPermissions(ConditionalPermissionAdmin permissionAdmin) { ConditionalPermissionUpdate update = permissionAdmin.newConditionalPermissionUpdate(); // Self + String nodeAPiBundleLocation = locate(NodeUtils.class); update.getConditionalPermissionInfos() .add(permissionAdmin.newConditionalPermissionInfo(null, new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(), - new String[] { locate(SecurityProfile.class) }) }, + new String[] { nodeAPiBundleLocation }) }, new PermissionInfo[] { new PermissionInfo(AllPermission.class.getName(), null, null) }, ConditionalPermissionInfo.ALLOW)); + String cmsBundleLocation = locate(SecurityProfile.class); update.getConditionalPermissionInfos() .add(permissionAdmin.newConditionalPermissionInfo(null, new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(), - new String[] { bc.getBundle(0).getLocation() }) }, + new String[] { cmsBundleLocation }) }, + new PermissionInfo[] { new PermissionInfo(AllPermission.class.getName(), null, null) }, + ConditionalPermissionInfo.ALLOW)); + String frameworkBundleLocation = bc.getBundle(0).getLocation(); + update.getConditionalPermissionInfos() + .add(permissionAdmin.newConditionalPermissionInfo(null, + new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(), + new String[] { frameworkBundleLocation }) }, new PermissionInfo[] { new PermissionInfo(AllPermission.class.getName(), null, null) }, ConditionalPermissionInfo.ALLOW)); // All @@ -137,45 +149,61 @@ public interface SecurityProfile { new PermissionInfo[] { new PermissionInfo(FilePermission.class.getName(), "<>", "read,write,delete"), }, ConditionalPermissionInfo.ALLOW)); + Bundle servletBundle = findBundle("javax.servlet"); + update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null, + new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(), + new String[] { servletBundle.getLocation() }) }, + new PermissionInfo[] { new PermissionInfo(PropertyPermission.class.getName(), + "org.glassfish.web.rfc2109_cookie_names_enforced", "read") }, + ConditionalPermissionInfo.ALLOW)); - // Blueprint - Bundle blueprintBundle = findBundle("org.eclipse.gemini.blueprint.core"); + // required to be able to get the BundleContext in the customizer + Bundle jettyCustomizerBundle = findBundle("org.argeo.ext.equinox.jetty"); update.getConditionalPermissionInfos() .add(permissionAdmin.newConditionalPermissionInfo(null, new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(), - new String[] { blueprintBundle.getLocation() }) }, - new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null), - new PermissionInfo(AdminPermission.class.getName(), "*", "*"), }, - ConditionalPermissionInfo.ALLOW)); - Bundle blueprintExtenderBundle = findBundle("org.eclipse.gemini.blueprint.extender"); - update.getConditionalPermissionInfos() - .add(permissionAdmin - .newConditionalPermissionInfo(null, - new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(), - new String[] { blueprintExtenderBundle.getLocation() }) }, - new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null), - new PermissionInfo(PropertyPermission.class.getName(), "org.eclipse.gemini.*", - "read"), - new PermissionInfo(AdminPermission.class.getName(), "*", "*"), - new PermissionInfo(ServicePermission.class.getName(), "*", "register"), }, - ConditionalPermissionInfo.ALLOW)); - Bundle springCoreBundle = findBundle("org.springframework.core"); - update.getConditionalPermissionInfos() - .add(permissionAdmin.newConditionalPermissionInfo(null, - new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(), - new String[] { springCoreBundle.getLocation() }) }, - new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null), - new PermissionInfo(AdminPermission.class.getName(), "*", "*"), }, - ConditionalPermissionInfo.ALLOW)); - Bundle blueprintIoBundle = findBundle("org.eclipse.gemini.blueprint.io"); - update.getConditionalPermissionInfos() - .add(permissionAdmin.newConditionalPermissionInfo(null, - new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(), - new String[] { blueprintIoBundle.getLocation() }) }, - new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null), - new PermissionInfo(AdminPermission.class.getName(), "*", "*"), }, + new String[] { jettyCustomizerBundle.getLocation() }) }, + new PermissionInfo[] { new PermissionInfo(AdminPermission.class.getName(), "*", "*"), }, ConditionalPermissionInfo.ALLOW)); + // Blueprint +// Bundle blueprintBundle = findBundle("org.eclipse.gemini.blueprint.core"); +// update.getConditionalPermissionInfos() +// .add(permissionAdmin.newConditionalPermissionInfo(null, +// new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(), +// new String[] { blueprintBundle.getLocation() }) }, +// new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null), +// new PermissionInfo(AdminPermission.class.getName(), "*", "*"), }, +// ConditionalPermissionInfo.ALLOW)); +// Bundle blueprintExtenderBundle = findBundle("org.eclipse.gemini.blueprint.extender"); +// update.getConditionalPermissionInfos() +// .add(permissionAdmin +// .newConditionalPermissionInfo(null, +// new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(), +// new String[] { blueprintExtenderBundle.getLocation() }) }, +// new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null), +// new PermissionInfo(PropertyPermission.class.getName(), "org.eclipse.gemini.*", +// "read"), +// new PermissionInfo(AdminPermission.class.getName(), "*", "*"), +// new PermissionInfo(ServicePermission.class.getName(), "*", "register"), }, +// ConditionalPermissionInfo.ALLOW)); +// Bundle springCoreBundle = findBundle("org.springframework.core"); +// update.getConditionalPermissionInfos() +// .add(permissionAdmin.newConditionalPermissionInfo(null, +// new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(), +// new String[] { springCoreBundle.getLocation() }) }, +// new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null), +// new PermissionInfo(AdminPermission.class.getName(), "*", "*"), }, +// ConditionalPermissionInfo.ALLOW)); +// Bundle blueprintIoBundle = findBundle("org.eclipse.gemini.blueprint.io"); +// update.getConditionalPermissionInfos() +// .add(permissionAdmin.newConditionalPermissionInfo(null, +// new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(), +// new String[] { blueprintIoBundle.getLocation() }) }, +// new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null), +// new PermissionInfo(AdminPermission.class.getName(), "*", "*"), }, +// ConditionalPermissionInfo.ALLOW)); + // Equinox Bundle registryBundle = findBundle("org.eclipse.equinox.registry"); update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null, @@ -233,24 +261,40 @@ public interface SecurityProfile { new PermissionInfo[] { new PermissionInfo(FilePermission.class.getName(), "<>", "read,write,delete"), new PermissionInfo(PropertyPermission.class.getName(), "*", "read,write"), + new PermissionInfo(AuthPermission.class.getName(), "getSubject", null), new PermissionInfo(AuthPermission.class.getName(), "getLoginConfiguration", null), new PermissionInfo(AuthPermission.class.getName(), "createLoginContext.Jackrabbit", null), }, ConditionalPermissionInfo.ALLOW)); + Bundle jackrabbitDataBundle = findBundle("org.apache.jackrabbit.data"); + update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null, + new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(), + new String[] { jackrabbitDataBundle.getLocation() }) }, + new PermissionInfo[] { new PermissionInfo(PropertyPermission.class.getName(), "*", "read,write") }, + ConditionalPermissionInfo.ALLOW)); Bundle jackrabbitCommonBundle = findBundle("org.apache.jackrabbit.jcr.commons"); update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null, new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(), new String[] { jackrabbitCommonBundle.getLocation() }) }, - new PermissionInfo[] { + new PermissionInfo[] { new PermissionInfo(AuthPermission.class.getName(), "getSubject", null), new PermissionInfo(AuthPermission.class.getName(), "createLoginContext.Jackrabbit", null), }, ConditionalPermissionInfo.ALLOW)); - Bundle tikaCoreBundle = findBundle("org.apache.tika.core"); + + Bundle jackrabbitExtBundle = findBundle("org.argeo.ext.jackrabbit"); update.getConditionalPermissionInfos() .add(permissionAdmin.newConditionalPermissionInfo(null, new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(), - new String[] { tikaCoreBundle.getLocation() }) }, - new PermissionInfo[] { new PermissionInfo(PropertyPermission.class.getName(), "*", "read"), - new PermissionInfo(AdminPermission.class.getName(), "*", "*") }, + new String[] { jackrabbitExtBundle.getLocation() }) }, + new PermissionInfo[] { new PermissionInfo(AuthPermission.class.getName(), "*", "*"), }, ConditionalPermissionInfo.ALLOW)); + + // Tika + Bundle tikaCoreBundle = findBundle("org.apache.tika.core"); + update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null, + new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(), + new String[] { tikaCoreBundle.getLocation() }) }, + new PermissionInfo[] { new PermissionInfo(PropertyPermission.class.getName(), "*", "read,write"), + new PermissionInfo(AdminPermission.class.getName(), "*", "*") }, + ConditionalPermissionInfo.ALLOW)); Bundle luceneBundle = findBundle("org.apache.lucene"); update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null, new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),