The OSGi Security Manager allows you to secure your applications by utilizing the built-in Java Security Manager and Java's permission system. This does not provide security in the sense that many people tend to think of it (authentication, authorization, etc.). Instead, the Security Manager allows you to assign permissions to, or revoke them from, code by means of a policy.

...

You can also opt to use a custom SecurityManager class by setting the standard Java system property instead of this OSGi-specific property. You cannot use both properties at the same time. The Java system property has the same effect as the property above, except that it uses your custom SecurityManager implementation, for example:

java.security.manager=net.sourceforge.prograde.sm.ProGradeJSM


You then must add an "all policy" that will allow all of the non-OSGi code to execute with all privileges:

...


Potential False Positives

Occasionally, the acdebugger will log denied permissions which have no apparent effect on the attached DDF. If you encounter such an error, please document it here for further investigation.

Operation (include steps to reproduce): Attach to running DDF using client script
Denied permissions: {org.jline=[java.io.FilePermission "<<ALL FILES>>", "execute"]}
Classification: Expected

Operation (include steps to reproduce): $ profile:install standard
Denied permissions:

Linux (CentOS 7 - varies by distro):

{org.eclipse.jetty.util=[java.io.FilePermission "/", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/dev", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/dev/console", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/dev/mqueue", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/dev/pts", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/dev/shm", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/etc/hostname", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/etc/hosts", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/etc/resolv.conf", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/mnt", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/proc", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/sys", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/sys/fs/cgroup", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/sys/fs/cgroup/blkio", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/sys/fs/cgroup/cpuacct,cpu", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/sys/fs/cgroup/cpuset", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/sys/fs/cgroup/devices", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/sys/fs/cgroup/freezer", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/sys/fs/cgroup/hugetlb", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/sys/fs/cgroup/memory", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/sys/fs/cgroup/net_prio,net_cls", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/sys/fs/cgroup/perf_event", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/sys/fs/cgroup/pids", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/sys/fs/cgroup/systemd", "read"]}

Windows:

{org.apache.cxf.cxf-rt-transports-http=[java.io.FilePermission "\dev\urandom", "read"]}

Classification: ?
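
A triage helper for the denied-permission entries listed above, added here as an example and not part of DDF or the acdebugger: it parses `{bundle=[Class "name", "actions"]}` entries and reports only the denials that are absent from a documented baseline. The entry format is assumed from the rows on this page; `com.example.plugin` and its `SocketPermission` are constructed sample data.

```python
import re
from collections import defaultdict

# Entry format assumed from the rows on this page: {bundle=[Class "name", "actions"]}
ENTRY = re.compile(r'\{(?P<bundle>[^=\s{}]+)=\[(?P<perms>.*?)\]\}')
# Names are matched between quotes because paths may contain commas (e.g. "cpuacct,cpu").
PERM = re.compile(r'(?P<cls>[\w.$]+)\s+"(?P<name>[^"]*)"(?:,\s*"(?P<actions>[^"]*)")?')

def parse_denied(text):
    """Return a set of (bundle, permission class, name, actions) tuples."""
    # Undo smart quotes introduced by copy/paste through a wiki editor.
    text = text.replace('\u201c', '"').replace('\u201d', '"')
    found = set()
    for entry in ENTRY.finditer(text):
        for p in PERM.finditer(entry.group('perms')):
            found.add((entry.group('bundle'), p.group('cls'),
                       p.group('name'), p.group('actions') or ''))
    return found

def triage(observed, baseline):
    """Group denials that are not in the documented baseline by bundle."""
    new = defaultdict(list)
    for bundle, cls, name, actions in sorted(observed - baseline):
        new[bundle].append((cls, name, actions))
    return dict(new)

# Denials already documented on this page (three rows copied from the table).
BASELINE = r'''
{org.jline=[java.io.FilePermission "<<ALL FILES>>", "execute"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/sys/fs/cgroup/cpuacct,cpu", "read"]}
{org.apache.cxf.cxf-rt-transports-http=[java.io.FilePermission "\dev\urandom", "read”]}
'''

# Constructed sample output: the baseline plus one hypothetical new denial.
OBSERVED = BASELINE + r'''
{com.example.plugin=[java.net.SocketPermission "example.invalid:443", "connect,resolve"]}
'''

if __name__ == "__main__":
    for bundle, perms in triage(parse_denied(OBSERVED), parse_denied(BASELINE)).items():
        for cls, name, actions in perms:
            print(f'NEW {bundle}: {cls} "{name}" "{actions}"')
```

Anything the helper reports as new still needs a manual check against the running system before it is classified.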




Related issues


...