Java 2 security and OSGi Applications

You can use Java™ 2 security in OSGi applications in a similar way to Java 2 security in Java EE applications. This topic describes the aspects that are specific to using Java 2 security in an OSGi application.

The OSGi specifications allow you to have permissions.perm files in the OSGI-INF directory of each bundle, so that you can apply fine-grained control to the permissions for each bundle. The OSGi Applications implementation in WebSphere® Application Server supports this specification, and also allows you to have a permissions.perm file in the META-INF directory of the OSGi application, which gives you coarser-grained control of the permissions for the application as a whole.

A permissions.perm file is a plain text file that contains comments or single-line permissions in the following form:
# Permissions file
( org.osgi.framework.AdminPermission "*" "*" )
( org.osgi.framework.PackagePermission "*" "exportonly,import" )
( org.osgi.framework.ServicePermission "*" "get,register")
( org.osgi.framework.BundlePermission "*" "host,provide,fragment")

Relation to Java EE applications and was.policy files

These application-level permissions.perm files have a similar function to was.policy files in enterprise applications. When you convert an application from Java EE to OSGi, any existing was.policy file is converted into a permissions.perm file to be used with the OSGi permissions framework.

In the conversion, any codebases specified within the was.policy file are ignored, and all permissions specified are added to the permissions.perm file. This means that all permissions are promoted to the application level. If you need finer granularity, you can modify the file after conversion. In this case, you would remove the required permissions from the resulting permissions.perm file, and move them into permission files within the OSGI-INF directory for each affected bundle.

Default restrictions and permissions

Every OSGi application has the following default restrictions and permissions, whether or not it has a permissions.perm file. You can use a permissions.perm file to add extra restrictions and permissions, or to override default restrictions and permissions.

Default restrictions:
("org.osgi.framework.ServicePermission", "org.osgi.service.condpermadmin.ConditionalPermissionAdmin", "*")
("org.osgi.framework.ServicePermission", "org.osgi.service.permissionadmin.PermissionAdmin", "*")
("org.osgi.framework.ServicePermission", "org.osgi.service.framework.CompositeBundleFactory", "*")
("org.osgi.framework.ServicePermission", "org.osgi.framework.hooks.service.*", "*")
("org.osgi.framework.ServicePermission", "org.osgi.service.packageadmin.PackageAdmin", "*")

Default permissions:
("org.osgi.framework.PackagePermission", "*", "import")
("org.osgi.framework.BundlePermission", "*", "host,provide,fragment")

Any OSGi application that has no permissions.perm file also has the following extra permissions:
("java.io.FilePermission", "<application_path>/-", "read,write")
("java.io.FilePermission", "<application_configpath>/-", "read")
("java.lang.RuntimePermission", "loadLibrary.*", "*")
("java.lang.RuntimePermission", "queuePrintJob", "*")
("java.net.SocketPermission", "*", "connect")
("java.util.PropertyPermission", "*", "read")
("org.osgi.framework.PackagePermission", "*", "exportonly,import")
("org.osgi.framework.ServicePermission", "*", "get,register")
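
The following review aid is an added example, not code from WebSphere Application Server or from the original page. It parses a permissions.perm file in the single-line form shown above and reports ServicePermission entries whose name overlaps one of the default-restricted services, since those are the entries that can override a default restriction. The function names, the wildcard-matching rule and the sample file are assumptions made for illustration.

```python
import re

# Service names the page lists under "Default restrictions".
DEFAULT_RESTRICTED = [
    "org.osgi.service.condpermadmin.ConditionalPermissionAdmin",
    "org.osgi.service.permissionadmin.PermissionAdmin",
    "org.osgi.service.framework.CompositeBundleFactory",
    "org.osgi.framework.hooks.service.*",
    "org.osgi.service.packageadmin.PackageAdmin",
]
SERVICE_PERMISSION = "org.osgi.framework.ServicePermission"
# ( type "name" "actions" ) on one line; name and actions are optional.
PERM_RE = re.compile(r'^\(\s*([\w.$]+)(?:\s+"([^"]*)")?(?:\s+"([^"]*)")?\s*\)$')

def parse_perm_file(text):
    """Return (line_no, type, name, actions) tuples; reject malformed lines."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or comment
            continue
        m = PERM_RE.match(line)
        if not m:
            raise ValueError(f"line {no}: not a permission entry: {raw!r}")
        entries.append((no, m.group(1), m.group(2) or "", m.group(3) or ""))
    return entries

def covers(pattern, name):
    """Matching rule assumed here: "*" is everything, "x.*" is a prefix."""
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return pattern == name

def restricted_service_grants(text):
    """ServicePermission entries whose name overlaps a default restriction."""
    findings = []
    for no, ptype, name, actions in parse_perm_file(text):
        hits = [r for r in DEFAULT_RESTRICTED if covers(name, r) or covers(r, name)]
        if ptype == SERVICE_PERMISSION and hits:
            findings.append((no, name, actions, hits))
    return findings

# Constructed sample: an application-level file as it might look after conversion.
SAMPLE = """# Permissions file
( org.osgi.framework.PackagePermission "*" "exportonly,import" )
( org.osgi.framework.ServicePermission "*" "get,register")
( org.osgi.framework.ServicePermission "com.example.orders.*" "get" )
( org.osgi.framework.ServicePermission "org.osgi.framework.hooks.service.FindHook" "register" )
"""
```

On the constructed sample, the entries on lines 3 and 5 are reported; the first overlaps all five restricted services, the second only the service hooks.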