Subject.doAs is not considered by the spec and doesn't work well with the current approach we have inside the framework. This commit makes it work based on the current security policy installed. Furthermore, it is now possible (and needed) to assign permissions to bundles via the security policy (based on the bundle location - not certificates). In other words, as of now, correct permissions have to be assigned to the framework and bundles using the java security policy based on either the codesource or the subject, if subject.doAs is used. This is possible because bundles do have a codesource now and the bundle protection domain asks the installed policy for permissions in case no security provider is installed. (FELIX-654)

git-svn-id: https://svn.apache.org/repos/asf/felix/trunk@683310 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/framework/src/main/java/org/apache/felix/framework/BundleProtectionDomain.java b/framework/src/main/java/org/apache/felix/framework/BundleProtectionDomain.java
index 9cf0b1f..11ceb6a 100644
--- a/framework/src/main/java/org/apache/felix/framework/BundleProtectionDomain.java
+++ b/framework/src/main/java/org/apache/felix/framework/BundleProtectionDomain.java
@@ -18,17 +18,24 @@
  */
 package org.apache.felix.framework;
 
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.security.CodeSource;
 import java.security.Permission;
 import java.security.ProtectionDomain;
+import java.security.cert.Certificate;
 
 public class BundleProtectionDomain extends ProtectionDomain
 {
     private final Felix m_felix;
     private final FelixBundle m_bundle;
 
-    public BundleProtectionDomain(Felix felix, FelixBundle bundle)
+    public BundleProtectionDomain(Felix felix, FelixBundle bundle) 
+        throws MalformedURLException
     {
-        super(null, null);
+        super(new CodeSource(new URL(new URL(null, "location:", 
+            new FakeURLStreamHandler()), felix.getBundleLocation(bundle), 
+            new FakeURLStreamHandler()), (Certificate[]) null), null);
         m_felix = felix;
         m_bundle = bundle;
     }
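Review bot: The nested `new URL(new URL(null, "location:", …), felix.getBundleLocation(bundle), …)` in the `super(...)` call has no comment saying what the resulting CodeSource location looks like, although every policy grant for a bundle will now be matched against it. The certificate array is null, so a grant is bound only to the location string supplied when the bundle was installed; I would add `// CodeSource = bundle location, no certificates: policy grants match on the install location string only` above the call. A location that carries its own scheme presumably bypasses the `location:` context under `java.net.URL` resolution, so the comment should also state which form policy authors have to write. The constructor now declares the checked `MalformedURLException`, so call sites outside this hunk must decide what happens to a bundle whose location does not parse.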
@@ -61,7 +68,7 @@
         }
         return m_bundle == ((BundleProtectionDomain) other).m_bundle;
     }
-    
+
     public String toString()
     {
         return "[" + m_bundle + "]";
diff --git a/framework/src/main/java/org/apache/felix/framework/Felix.java b/framework/src/main/java/org/apache/felix/framework/Felix.java
index 7793b36..a9bdd5d 100644
--- a/framework/src/main/java/org/apache/felix/framework/Felix.java
+++ b/framework/src/main/java/org/apache/felix/framework/Felix.java
@@ -3402,6 +3402,10 @@
         {
             return m_securityProvider.hasBundlePermission(bundleProtectionDomain, permission, direct);
         }
+        else if ((bundleProtectionDomain.getBundle() != this) && (System.getSecurityManager() != null))
+        {
+            return m_secureAction.getPolicy().implies(bundleProtectionDomain, permission);
+        }
         return true;
     }
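Review bot: The added `else if` branch drops the `direct` argument that the security-provider branch above passes to `hasBundlePermission`, so whatever distinction `direct` makes for the provider is lost when the answer comes from `getPolicy().implies(bundleProtectionDomain, permission)`. If that is intended, say so on the branch, for example `// direct is ignored: the installed Policy has no notion of direct vs. implied grants`. The fall-through `return true` now covers both the framework's own bundle and the case where no SecurityManager is installed, which also deserves a comment such as `// system bundle, or no security manager: everything is implied`. The method starts outside this hunk, so how callers use `direct` cannot be confirmed from here.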