X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Finternal%2Fkernel%2FSecurityProfile.java;h=e2683af678ff2b030d4df4409cff7aa029f7eb98;hb=681290ba6cddc797e8a955d06d40c054b47e2ab2;hp=358b212b1cbaf765690f44afbcfea7df399944b3;hpb=088c1b517a543e935d8ab65c3b2fd2d0269b551d;p=lgpl%2Fargeo-commons.git diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/SecurityProfile.java b/org.argeo.cms/src/org/argeo/cms/internal/kernel/SecurityProfile.java index 358b212b1..e2683af67 100644 --- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/SecurityProfile.java +++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/SecurityProfile.java @@ -6,9 +6,6 @@ import java.net.SocketPermission; import java.security.AllPermission; import java.util.PropertyPermission; -import javax.management.MBeanPermission; -import javax.management.MBeanServerPermission; -import javax.management.MBeanTrustPermission; import javax.security.auth.AuthPermission; import org.osgi.framework.AdminPermission; @@ -22,10 +19,10 @@ import org.osgi.service.condpermadmin.ConditionInfo; import org.osgi.service.condpermadmin.ConditionalPermissionAdmin; import org.osgi.service.condpermadmin.ConditionalPermissionInfo; import org.osgi.service.condpermadmin.ConditionalPermissionUpdate; +import org.osgi.service.permissionadmin.PermissionAdmin; import org.osgi.service.permissionadmin.PermissionInfo; -import bitronix.tm.BitronixTransactionManager; - +/** Security profile based on OSGi {@link PermissionAdmin}. */ public interface SecurityProfile { BundleContext bc = FrameworkUtil.getBundle(SecurityProfile.class).getBundleContext(); @@ -107,15 +104,15 @@ public interface SecurityProfile { // ConditionalPermissionInfo.ALLOW)); // Bitronix - update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null, - new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(), - new String[] { locate(BitronixTransactionManager.class) }) }, - new PermissionInfo[] { new PermissionInfo(PropertyPermission.class.getName(), "bitronix.tm.*", "read"), - new PermissionInfo(RuntimePermission.class.getName(), "getClassLoader", null), - new PermissionInfo(MBeanServerPermission.class.getName(), "createMBeanServer", null), - new PermissionInfo(MBeanPermission.class.getName(), "bitronix.tm.*", "registerMBean"), - new PermissionInfo(MBeanTrustPermission.class.getName(), "register", null) }, - ConditionalPermissionInfo.ALLOW)); +// update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null, +// new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(), +// new String[] { locate(BitronixTransactionManager.class) }) }, +// new PermissionInfo[] { new PermissionInfo(PropertyPermission.class.getName(), "bitronix.tm.*", "read"), +// new PermissionInfo(RuntimePermission.class.getName(), "getClassLoader", null), +// new PermissionInfo(MBeanServerPermission.class.getName(), "createMBeanServer", null), +// new PermissionInfo(MBeanPermission.class.getName(), "bitronix.tm.*", "registerMBean"), +// new PermissionInfo(MBeanTrustPermission.class.getName(), "register", null) }, +// ConditionalPermissionInfo.ALLOW)); // DS Bundle dsBundle = findBundle("org.eclipse.equinox.ds"); @@ -135,7 +132,7 @@ public interface SecurityProfile { ConditionalPermissionInfo.ALLOW)); // Jetty - Bundle jettyUtilBundle = findBundle("org.eclipse.equinox.http.jetty"); + // Bundle jettyUtilBundle = findBundle("org.eclipse.equinox.http.jetty"); update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null, new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(), new String[] { "*/org.eclipse.jetty.*" }) }, @@ -144,42 +141,42 @@ public interface SecurityProfile { ConditionalPermissionInfo.ALLOW)); // Blueprint - Bundle blueprintBundle = findBundle("org.eclipse.gemini.blueprint.core"); - update.getConditionalPermissionInfos() - .add(permissionAdmin.newConditionalPermissionInfo(null, - new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(), - new String[] { blueprintBundle.getLocation() }) }, - new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null), - new PermissionInfo(AdminPermission.class.getName(), "*", "*"), }, - ConditionalPermissionInfo.ALLOW)); - Bundle blueprintExtenderBundle = findBundle("org.eclipse.gemini.blueprint.extender"); - update.getConditionalPermissionInfos() - .add(permissionAdmin - .newConditionalPermissionInfo(null, - new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(), - new String[] { blueprintExtenderBundle.getLocation() }) }, - new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null), - new PermissionInfo(PropertyPermission.class.getName(), "org.eclipse.gemini.*", - "read"), - new PermissionInfo(AdminPermission.class.getName(), "*", "*"), - new PermissionInfo(ServicePermission.class.getName(), "*", "register"), }, - ConditionalPermissionInfo.ALLOW)); - Bundle springCoreBundle = findBundle("org.springframework.core"); - update.getConditionalPermissionInfos() - .add(permissionAdmin.newConditionalPermissionInfo(null, - new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(), - new String[] { springCoreBundle.getLocation() }) }, - new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null), - new PermissionInfo(AdminPermission.class.getName(), "*", "*"), }, - ConditionalPermissionInfo.ALLOW)); - Bundle blueprintIoBundle = findBundle("org.eclipse.gemini.blueprint.io"); - update.getConditionalPermissionInfos() - .add(permissionAdmin.newConditionalPermissionInfo(null, - new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(), - new String[] { blueprintIoBundle.getLocation() }) }, - new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null), - new PermissionInfo(AdminPermission.class.getName(), "*", "*"), }, - ConditionalPermissionInfo.ALLOW)); +// Bundle blueprintBundle = findBundle("org.eclipse.gemini.blueprint.core"); +// update.getConditionalPermissionInfos() +// .add(permissionAdmin.newConditionalPermissionInfo(null, +// new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(), +// new String[] { blueprintBundle.getLocation() }) }, +// new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null), +// new PermissionInfo(AdminPermission.class.getName(), "*", "*"), }, +// ConditionalPermissionInfo.ALLOW)); +// Bundle blueprintExtenderBundle = findBundle("org.eclipse.gemini.blueprint.extender"); +// update.getConditionalPermissionInfos() +// .add(permissionAdmin +// .newConditionalPermissionInfo(null, +// new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(), +// new String[] { blueprintExtenderBundle.getLocation() }) }, +// new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null), +// new PermissionInfo(PropertyPermission.class.getName(), "org.eclipse.gemini.*", +// "read"), +// new PermissionInfo(AdminPermission.class.getName(), "*", "*"), +// new PermissionInfo(ServicePermission.class.getName(), "*", "register"), }, +// ConditionalPermissionInfo.ALLOW)); +// Bundle springCoreBundle = findBundle("org.springframework.core"); +// update.getConditionalPermissionInfos() +// .add(permissionAdmin.newConditionalPermissionInfo(null, +// new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(), +// new String[] { springCoreBundle.getLocation() }) }, +// new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null), +// new PermissionInfo(AdminPermission.class.getName(), "*", "*"), }, +// ConditionalPermissionInfo.ALLOW)); +// Bundle blueprintIoBundle = findBundle("org.eclipse.gemini.blueprint.io"); +// update.getConditionalPermissionInfos() +// .add(permissionAdmin.newConditionalPermissionInfo(null, +// new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(), +// new String[] { blueprintIoBundle.getLocation() }) }, +// new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null), +// new PermissionInfo(AdminPermission.class.getName(), "*", "*"), }, +// ConditionalPermissionInfo.ALLOW)); // Equinox Bundle registryBundle = findBundle("org.eclipse.equinox.registry"); @@ -257,16 +254,14 @@ public interface SecurityProfile { new PermissionInfo(AdminPermission.class.getName(), "*", "*") }, ConditionalPermissionInfo.ALLOW)); Bundle luceneBundle = findBundle("org.apache.lucene"); - update.getConditionalPermissionInfos() - .add(permissionAdmin.newConditionalPermissionInfo(null, - new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(), - new String[] { luceneBundle.getLocation() }) }, - new PermissionInfo[] { - new PermissionInfo(FilePermission.class.getName(), "<>", - "read,write,delete"), - new PermissionInfo(PropertyPermission.class.getName(), "*", "read"), - new PermissionInfo(AdminPermission.class.getName(), "*", "*") }, - ConditionalPermissionInfo.ALLOW)); + update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null, + new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(), + new String[] { luceneBundle.getLocation() }) }, + new PermissionInfo[] { + new PermissionInfo(FilePermission.class.getName(), "<>", "read,write,delete"), + new PermissionInfo(PropertyPermission.class.getName(), "*", "read"), + new PermissionInfo(AdminPermission.class.getName(), "*", "*") }, + ConditionalPermissionInfo.ALLOW)); // COMMIT update.commit();