I have an application consisting of several OSGi bundles. I would like to enforce that some of them only provide other bundles access to their services if a valid token (e.g. a license key) has been presented.

Here's why I would want to restrict access to those bundles:

  • Security: They don't have their own access policies because these depend on what application is using the bundle. This means they have to trust in the client bundle to have verified the permissions of the application or user they are representing. I would like to keep control over what access control schemes I trust.
  • Reliability: I allow and encourage the development of third-party modules to add functionality to my system. To be able to guarantee some reliability, I want to control at which level those extensions interact with my system. Also, I want to make sure that my own bundles are only used in combinations that have been tested.
  • Licensing: There might be functionality in some modules that can only be used with the proper license, or I might want to ensure that customers can't swap bundles between different installations.

I have read some about the ServicePermission class and related classes from the OSGi framework, but it appears to me that these let the site administrator control the access policy, as opposed to the bundle manufacturer, which is what I want.

+1  A: 

Your use-case seems to be quite complex, so I'm not sure if this answers your question fully. However, you might take a look at Service Hooks, a new feature added in OSGi Release 4, Version 4.2.

With a Find Hook it should be possible to "look at, and reduce, the results of the getServiceReference and getServiceReferences methods. This hook can remove Service Reference objects from the result, also effectively hiding the service from the caller." (from an article written by Peter Kriens)

Using this feature you can implement your own mechanism for client bundles to "authorize" themselves to access specific services (or conversely "inspect" the client bundle to determine if access to a specific service should be granted).

Pavol Juhos
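
One way to implement the Find Hook approach from the answer above, as an added example (not code from the original answer or from the OSGi project). It assumes the generified hook API of OSGi 4.3 or later and Java 8; the `license.required` service property, the `X-License-Token` manifest header and the signature-based token format are hypothetical choices made for this sketch.

```java
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;
import java.util.Collection;
import org.osgi.framework.Bundle;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;
import org.osgi.framework.hooks.service.FindHook;

/** Hides services carrying the marker property from bundles without a valid token.
 *  Register with context.registerService(FindHook.class, hook, null). */
public class LicenseFindHook implements FindHook {
    // Hypothetical names chosen for this example.
    static final String MARKER = "license.required";      // set by the provider on protected services
    static final String TOKEN_HEADER = "X-License-Token"; // manifest header of the client bundle
    private final PublicKey vendorKey;   // vendor's public key, shipped with the provider
    private final long providerBundleId; // the bundle that registers this hook

    public LicenseFindHook(PublicKey vendorKey, long providerBundleId) {
        this.vendorKey = vendorKey;
        this.providerBundleId = providerBundleId;
    }

    @Override
    public void find(BundleContext context, String name, String filter,
                     boolean allServices, Collection<ServiceReference<?>> references) {
        Bundle client = context.getBundle();
        long id = client.getBundleId();
        if (id == 0 || id == providerBundleId) return; // system bundle and provider see everything
        if (hasValidToken(client)) return;             // licensed client: leave the result untouched
        // The framework's collection supports removal only; drop every protected reference.
        references.removeIf(ref -> ref.getProperty(MARKER) != null);
    }

    /** Token: Base64 SHA256withRSA signature over the client's Bundle-SymbolicName. */
    private boolean hasValidToken(Bundle client) {
        String token = client.getHeaders().get(TOKEN_HEADER);
        String bsn = client.getSymbolicName();
        if (token == null || bsn == null) return false;
        try {
            Signature sig = Signature.getInstance("SHA256withRSA");
            sig.initVerify(vendorKey);
            sig.update(bsn.getBytes(StandardCharsets.UTF_8));
            return sig.verify(Base64.getDecoder().decode(token.trim()));
        } catch (Exception e) {
            return false; // malformed token or crypto error: fail closed
        }
    }
}
```

A Find Hook only filters lookups; bundles also learn of services through service events, which the Event Hook in the same specification filters. The symbolic name is self-declared in the manifest, so this token binds to a name rather than to the code, and binding to the bundle's signer would be stronger.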