Blocking system.exit in OSGi (Part IV)

Hey, I finally made it. After seeking for more help on the felix list (didn’t help any) I got into the problem and solved it. Here is the complete set of what you need to get around the issue of an system.exit in your Bundle.

First of all you need to configure the availability of a SecurityManager with your Framework. Now the following Changes should work both with Equinox and Felix.
The second thing you need to know about is the PermissionAdmin Service Specification.

Configuration using Equinox

Now you need the following configured in your Apache Karaf Server:
custom.properties:

karaf.framework=equinox
org.osgi.framework.security=osgi

system.properties:

java.security.policy=${karaf.base}/etc/all.policy

here you just have to configure the policy file.
So the configuration of the SecurityManager is quite Simple, now to prevent System.exit from crashing the server we need the PermissionAdmin Service which is a standard service available with Equinox. For the PermissionAdmin Service to work you need an addional file within your Bundle the permissions.perm file which is located within the OSGI-INF folder of your jar archive.
The permissions.perm should contain the following:

(org.osgi.framework.PackagePermission "*" "IMPORT")

Make shure not to add the java.security.RuntimePermission „exitVM“ because this one enables System.exit(0). Depending on your Use-Case you might need additional Permissions.
Now with these Permissions set the call to System.exit() is blocked through a security constraint causing a SystemException. Again here with the PermissionAdmin Service we end up with the same problem as with the standard Java Security policy files. You are only able to set the allowed permissions, you are not able to disable any permission. Still it worked since around a boundle usually there isn’t much which needs Security Permissions (at least shouldn’t).

One other solution to this would be using the ConditionalPermissionAdmin Service. The issue with this one is, it is not part of the Equinox Framework and you are not able to set the configuration of the ConditionalPermissionAdmin service with the permissions.perm file. The ConditionalPermissionAdmin Service always needs special handling.

Configuration using Felix
custom.properties:

org.osgi.framework.security=osgi

system.properties:

java.security.policy=${karaf.base}/etc/all.policy

startup.properties:

org/apache/felix/org.apache.felix.security/
1.4.0/org.apache.felix.framework.security-1.4.0.jar=1

With these set, the SecurityManager takes care of the System.exit().

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.


*