Previous Topic

Next Topic

Book Contents

Book Index
Permission Admin service

The PermissionAdmin service allows bundles of administration type to assign permissions to bundles. These permissions are based on the location of the bundles and may remain after framework restarts. The bundle location/permission collection pairs are kept in a permission table with locations being the keys. If there is no table entry for the location of a bundle, then a default set of permissions is used for check.

Overview

The PermissionAdmin service is specified by OSGi and is available when the framework is started with security (refer to the "Starting the framework with security" section in the Starting the framework document). The service is published under the org.osgi.service.permissionadmin.PermissionAdmin and com.prosyst.mbs.framework.permissionadmin.PermissionAdmin interfaces. The org.osgi.service.permissionadmin.PermissionAdmin is termed by the OSGi Permission Admin service. The extension to the OSGi Permission Admin contains methods for retrieving the trusted certificate chains and the certificates of a signed bundle JAR, as well as for matching the distinguished name of a certificate against a specified pattern.

Registering bundle

This service is registered by the System bundle.

Setting permissions

The assigned permissions are represented by the org.osgi.service.permissionadmin.PermissionInfo objects. Each PermissionInfo instance wraps the permission type (that is, a subclass of java.security.Permission), the permission name and the permission actions. Note that the permission type should have a constructor with two arguments – the permission name and actions.

To be able to set permissions dynamically at bundle installation, you may implement org.osgi.framework.SynchronousBundleListener to wait for bundle events associated with bundle installations. Then, you can check the permission of installed bundles and assign new ones before bundles are started. In this way, you do not have to preliminary know what bundles are to be installed.

The code example below assigns org.osgi.framework.PackagePermission with action "import" and org.osgi.framework.ServicePermission with action "get" to each bundle that is installed afterwards. The snippet implements SynchronousBundleListener and in this way, when it is notified about a bundle being installed, it dynamically attaches the permissions to the bundle location.

The following example shows how to use the OSGi Permission Admin service.

  import org.osgi.service.permissionadmin.PermissionAdmin;
  import org.osgi.service.permissionadmin.PermissionInfo;
  import org.osgi.framework.BundleActivator;
  import org.osgi.framework.BundleContext;
  import org.osgi.framework.ServiceReference;
  import org.osgi.framework.SynchronousBundleListener;
  import org.osgi.framework.BundleEvent;

  public class PermissionTest implements BundleActivator,
                                         SynchronousBundleListener {
    ServiceReference sRef = null;
    PermissionAdmin pAdmin = null;
    String sName = "org.osgi.service.permissionadmin.PermissionAdmin";
    String permType1 = "org.osgi.framework.PackagePermission";
    String permType2 = "org.osgi.framework.ServicePermission";
  
    public void start(BundleContext bc) {
      sRef = bc.getServiceReference(sName);
      if(sRef != null) {
        pAdmin = (PermissionAdmin)bc.getService(sRef);
        // Registering the SynchronousBundleListener
        bc.addBundleListener(this);
      } else {
        System.out.println("The Permission Admin Service is not active.");
      }
    }
  
    public void stop(BundleContext bc) {
      bc.removeBundleListener(this);
      bc.ungetService(sRef);
    }
    
    // Implemented from SynchronousBundleListener
    public void bundleChanged(BundleEvent bEv) {
      if(bEv.getType() == BundleEvent.INSTALLED) {
        // Defining permissions
        PermissionInfo[] perms = new PermissionInfo[2];
        perms[0] = new PermissionInfo(permType1, "package_to_import", "import");
        perms[1] = new PermissionInfo(permType2, "service_to_get", "get");
        String location = bEv.getBundle().getLocation();
        // Setting permissions to the locations of installed bundles
        pAdmin.setPermissions(location, perms);
        System.out.println("Assigning permissions to: " + location);
      }
      String[] locs = pAdmin.getLocations();
      for(int i=0; i < locs.length; i++) {
        System.out.println("Locations with assigned permissions: " + locs[i]);
      }
    }
  }

The PermissionAdmin service can be used only by bundles that own org.osgi.framework.AdminPermission.

A more detailed description of the OSGi Permission Admin service is available in the OSGi Permission Admin Service Specification and of the extension – in the API documentation.