Use the default java security policy if no security provider is present and don't check for allpermission if an extension bundle is installed and there is no security manager present. (FELIX-3961,FELIX-3950)
git-svn-id: https://svn.apache.org/repos/asf/felix/trunk@1454470 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/framework/src/main/java/org/apache/felix/framework/BundleProtectionDomain.java b/framework/src/main/java/org/apache/felix/framework/BundleProtectionDomain.java
index 2095960..061105c 100644
--- a/framework/src/main/java/org/apache/felix/framework/BundleProtectionDomain.java
+++ b/framework/src/main/java/org/apache/felix/framework/BundleProtectionDomain.java
@@ -43,11 +43,13 @@
new CodeSource(
Felix.m_secureAction.createURL(
Felix.m_secureAction.createURL(null, "location:", new FakeURLStreamHandler()),
- bundle._getLocation(),
+ bundle._getLocation().startsWith("reference:") ?
+ bundle._getLocation().substring("reference:".length()) :
+ bundle._getLocation(),
new FakeURLStreamHandler()
),
(Certificate[]) certificates),
- null);
+ null, null, null);
m_felix = new WeakReference(felix);
m_bundle = new WeakReference(bundle);
m_revision = new WeakReference(bundle.adapt(BundleRevisionImpl.class));
@@ -67,6 +69,11 @@
felix.impliesBundlePermission(this, permission, false) : false;
}
+ boolean superImplies(Permission permission)
+ {
+ return super.implies(permission);
+ }
+
public boolean impliesDirect(Permission permission)
{
Felix felix = (Felix) m_felix.get();
@@ -101,4 +108,4 @@
{
return m_toString;
}
-}
\ No newline at end of file
+}
diff --git a/framework/src/main/java/org/apache/felix/framework/ExtensionManager.java b/framework/src/main/java/org/apache/felix/framework/ExtensionManager.java
index 3d774dd..002cea3 100644
--- a/framework/src/main/java/org/apache/felix/framework/ExtensionManager.java
+++ b/framework/src/main/java/org/apache/felix/framework/ExtensionManager.java
@@ -330,13 +330,13 @@
Object sm = System.getSecurityManager();
if (sm != null)
{
- ((SecurityManager) sm).checkPermission(
- new AdminPermission(bundle, AdminPermission.EXTENSIONLIFECYCLE));
- }
+ ((SecurityManager) sm).checkPermission(
+ new AdminPermission(bundle, AdminPermission.EXTENSIONLIFECYCLE));
- if (!((BundleProtectionDomain) bundle.getProtectionDomain()).impliesDirect(new AllPermission()))
- {
- throw new SecurityException("Extension Bundles must have AllPermission");
+ if (!((BundleProtectionDomain) bundle.getProtectionDomain()).impliesDirect(new AllPermission()))
+ {
+ throw new SecurityException("Extension Bundles must have AllPermission");
+ }
}
String directive = ManifestParser.parseExtensionBundleHeader((String)
diff --git a/framework/src/main/java/org/apache/felix/framework/Felix.java b/framework/src/main/java/org/apache/felix/framework/Felix.java
index 354da5f..97dc6e7 100644
--- a/framework/src/main/java/org/apache/felix/framework/Felix.java
+++ b/framework/src/main/java/org/apache/felix/framework/Felix.java
@@ -170,6 +170,9 @@
// Security Manager created by the framework
private SecurityManager m_securityManager = null;
+ // Do we need to consult the default java security policy if no security provider is present?
+ private volatile boolean m_securityDefaultPolicy;
+
/**
* <p>
* This constructor creates a framework instance with a specified <tt>Map</tt>
@@ -283,6 +286,11 @@
* unsupported fragment bundles throws an exception or logs a warning.
* Possible values are "<tt>exception</tt>" or "<tt>warning</tt>". The
* default value is "<tt>exception</tt>".
+ * </li>
+ * <li><tt>felix.security.defaultpolicy</tt> - Flag to indicate whether
+ * to consult the default java securtiy policy if no security extension
+ * is present. The default value is "<tt>false</tt>".
+ * </li>
* </ul>
* <p>
* The <a href="Main.html"><tt>Main</tt></a> class implements some
@@ -363,6 +371,9 @@
m_bootPkgs[i] = s;
}
+ // Read the security default policy property
+ m_securityDefaultPolicy = "true".equals(getProperty(FelixConstants.SECURITY_DEFAULT_POLICY));
+
// Create default bundle stream handler.
m_bundleStreamHandler = new URLHandlersBundleStreamHandler(this);
@@ -4288,7 +4299,13 @@
{
return m_securityProvider.hasBundlePermission(bundleProtectionDomain, permission, direct);
}
- return true;
+ else
+ {
+ Bundle source = bundleProtectionDomain.getBundle();
+
+ return (m_securityDefaultPolicy && (source == null || source.getBundleId() != 0)) ?
+ bundleProtectionDomain.superImplies(permission) : true;
+ }
}
private BundleActivator createBundleActivator(Bundle impl)
diff --git a/framework/src/main/java/org/apache/felix/framework/util/FelixConstants.java b/framework/src/main/java/org/apache/felix/framework/util/FelixConstants.java
index df8ba28..511657c 100644
--- a/framework/src/main/java/org/apache/felix/framework/util/FelixConstants.java
+++ b/framework/src/main/java/org/apache/felix/framework/util/FelixConstants.java
@@ -64,4 +64,5 @@
// Miscellaneous properties values.
String FAKE_URL_PROTOCOL_VALUE = "location:";
String FELIX_EXTENSION_ACTIVATOR = "Felix-Activator";
-}
\ No newline at end of file
+ String SECURITY_DEFAULT_POLICY = "felix.security.defaultpolicy";
+}