
Bug 366123

Summary: Add an option to configure default security permissions
Product: [Eclipse Project] Equinox
Reporter: Borislav Kapukaranov <b.kapukaranov>
Component: Framework
Assignee: equinox.framework-inbox <equinox.framework-inbox>
Status: NEW ---
QA Contact:
Severity: enhancement
Priority: P3
CC: cvgaviao, gunnar, pnehrer, simon.goodall, tjwatson
Version: 3.7.1
Target Milestone: ---
Hardware: PC
OS: Mac OS X - Carbon (unsup.)
Whiteboard:

Description Borislav Kapukaranov CLA 2011-12-08 17:43:02 EST
Eclipse, all Eclipse-like platforms and Equinox-based products lack a way to configure OSGi security permissions right at the framework's startup using the standard equinox launcher jar. 
This is a major drawback for securing the platform as it could not be easily ensured that a bundle security agent will always start first, so that adds a certain element of uncertainty when users try to configure that platform's security.

With this enhancement I propose to add an option to the equinox launcher that can enable configuring the OSGi security's initial set of permissions, until a security agent bundle comes into play.
To be more specific this option can accept a policy file that defines the desired permissions using the appropriate syntax (defined in the OSGi specification).

Do you feel that users can benefit from that?
Comment 1 Thomas Watson CLA 2011-12-09 11:13:52 EST
Moving to framework since I think this option should probably be implemented in EclipseStarter.  Actually doing it in the launcher will require a fair amount of reflection since the launcher does not actually have the org.osgi classes available on its class path.


(In reply to comment #0)
> To be more specific this option can accept a policy file that defines the
> desired permissions using the appropriate syntax (defined in the OSGi
> specification).

Specifically you mean to use the format specified by org.osgi.service.condpermadmin.ConditionalPermissionInfo.getEncoded(), correct?

> 
> Do you feel that users can benefit from that?


Seems reasonable.
Comment 2 Borislav Kapukaranov CLA 2011-12-09 11:24:29 EST
(In reply to comment #1)
> Moving to framework since I think this option should probably be implemented in
> EclipseStarter.  Actually doing it in the launcher will require a fair amount
> of reflection since the launcher does not actually have the org.osgi classes
> available on its class path.
Agreed. Looking at code, I realize I was referring to Eclipse Starter too.

> Specifically you mean to use the format specified by
> org.osgi.service.condpermadmin.ConditionalPermissionInfo.getEncoded(), correct?
Yes.

I'll try to get something running in a separate branch and bring it up for review.
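
The sketch below is an added example, not part of this bug thread and not Equinox code. It shows one way a policy file in the `ConditionalPermissionInfo.getEncoded()` format could be installed through the standard `ConditionalPermissionAdmin` service before any bundle starts. The class name `InitialPolicyLoader`, the one-entry-per-line file layout and the `#` comment lines are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;
import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
import org.osgi.service.condpermadmin.ConditionalPermissionInfo;
import org.osgi.service.condpermadmin.ConditionalPermissionUpdate;

/** Hypothetical helper: replaces the permission table with the entries of a policy file. */
public final class InitialPolicyLoader {
    // Constructed sample entry (a single line in the file, wrapped here for width):
    //   ALLOW { [org.osgi.service.condpermadmin.BundleLocationCondition "file:plugins/*"]
    //           (java.util.PropertyPermission "*" "read") } "plugins-read-properties"

    /** Call with the system bundle's context after framework init, before bundles start. */
    public static void apply(BundleContext systemContext, Path policyFile) throws IOException {
        ServiceReference<ConditionalPermissionAdmin> ref =
                systemContext.getServiceReference(ConditionalPermissionAdmin.class);
        if (ref == null) {
            // Fail closed: do not continue startup without the requested policy.
            throw new IllegalStateException("ConditionalPermissionAdmin is not available");
        }
        ConditionalPermissionAdmin admin = systemContext.getService(ref);
        try {
            // Parse every entry first so a malformed line leaves the live table untouched.
            List<ConditionalPermissionInfo> parsed = new ArrayList<>();
            for (String line : Files.readAllLines(policyFile, StandardCharsets.UTF_8)) {
                String entry = line.trim();
                if (entry.isEmpty() || entry.startsWith("#")) {
                    continue; // assumed file convention: blank lines and '#' comments
                }
                // Throws IllegalArgumentException if the encoded form is invalid.
                parsed.add(admin.newConditionalPermissionInfo(entry));
            }
            ConditionalPermissionUpdate update = admin.newConditionalPermissionUpdate();
            List<ConditionalPermissionInfo> table = update.getConditionalPermissionInfos();
            table.clear();        // drop whatever was persisted from an earlier run
            table.addAll(parsed); // order matters: the first matching entry decides
            if (!update.commit()) {
                // commit() returns false when the table changed since the update was created.
                throw new IllegalStateException("Permission table was modified concurrently");
            }
        } finally {
            systemContext.ungetService(ref);
        }
    }
}
```

The table is only enforced when the framework runs with a security manager installed, so the policy file alone does not restrict bundles.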