
I have an Eclipse RCP application with some sensitive properties. The properties will be encrypted, based on a secret key entered by the user. Bundles / Plug-ins define properties, and whether or not they should be encrypted. The trick is this: The bundle that defines the property should be the only bundle that is allowed to then access that property decrypted (by default). I understand that normally each bundle should have its own properties managed independently, but this isn't possible since the properties are retrieved from a centralized location.

I.e., how can I do this:

```
public byte[] getByteArrayProperty(Object id) {
    if (method is being called by code in bundle: bundleId)
        return decrypt(property);
    else
        throw new SecurityException("Bundle " + bundleId + " not authorized to access property " + id);
}
```

Thanks for any and all suggestions!

./P

Phaedrus
  • Why not have a service (e.g. `PropertyRepository`), that will provide a method such as `storeProperty(password)`, and `getProperties(password)` that will store/retrieve properties by using the id of the calling bundle as the key to the store? Then each bundle will only need to generate a unique password (random hash?), that it will use to store/retrieve. If you want - you can hardcode a password across a collection of related bundles. – Andriy Drozdyuk Feb 23 '12 at 18:41
  • Not a bad idea, but anybody could just read the source code to find the passwords – Phaedrus Feb 23 '12 at 20:00
  • Ok, how about turning on security, and allowing only those certain bundles the permissions to make that call? This would even get rid of the password. Some presentation on security (but the OSGi specs have it in much more detail): http://felix.apache.org/site/presentations.data/Building%20Secure%20OSGi%20Applications%20Workshop.pdf – Andriy Drozdyuk Feb 23 '12 at 20:07
  • It's a little bit TMI. I suppose I was hoping to turn a week's worth of work deciphering that document into this here S/O question :) – Phaedrus Feb 23 '12 at 21:05

1 Answer


You could use a SecurityManager to identify the calling class as explained in this answer, and then check if the package of the calling class is the same as the package(s) in your bundle.

Cebence
  • There's a problem with this approach. I can get the className of the calling class, but there seems to be no way to get the bundle from the className. Class.forName(className) fails because ClassLoader from package A has no idea about classes in package B unless they're imported explicitly, which I can't do. – Phaedrus Apr 18 '12 at 14:55
  • If the bundles are not named the same way as the packages then you have to query the bundles for their contents as described in [this question](http://stackoverflow.com/questions/785588/). – Cebence Apr 19 '12 at 22:35
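
Added example (not from the original posts): one way to combine the answer's SecurityManager approach with OSGi's `FrameworkUtil.getBundle(Class)`, which maps a `Class` object straight to its bundle and so avoids the `Class.forName` problem raised in the comments. `GuardedPropertyStore`, `register`, the owner map and the `decrypt` placeholder are hypothetical names chosen for illustration.

```java
import org.osgi.framework.Bundle;
import org.osgi.framework.FrameworkUtil;

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical central store that releases a decrypted value only to the defining bundle. */
public final class GuardedPropertyStore {

    /** SecurityManager subclass used only to reach the protected getClassContext(). */
    private static final class CallerResolver extends SecurityManager {
        Class<?>[] callStack() {
            return getClassContext(); // Class objects, not names: no Class.forName() needed
        }
    }

    private static final CallerResolver RESOLVER = new CallerResolver();

    // property id -> symbolic name of the defining bundle (assumed to be filled at registration)
    private final Map<Object, String> owners = new ConcurrentHashMap<>();

    public void register(Object id, Bundle definingBundle) {
        owners.put(id, definingBundle.getSymbolicName());
    }

    public byte[] getByteArrayProperty(Object id) {
        Bundle caller = callingBundle();
        String callerName = (caller == null) ? null : caller.getSymbolicName();
        String owner = owners.get(id);
        // Fail closed: unknown property, non-bundle caller and foreign bundle are all denied.
        if (owner == null || !owner.equals(callerName)) {
            throw new SecurityException("Bundle " + callerName + " not authorized to access property " + id);
        }
        return decrypt(id);
    }

    /** Bundle of the first stack frame whose class is neither this store nor its helper. */
    private static Bundle callingBundle() {
        for (Class<?> frame : RESOLVER.callStack()) {
            if (frame != GuardedPropertyStore.class && frame != CallerResolver.class) {
                return FrameworkUtil.getBundle(frame); // null if not loaded by a bundle class loader
            }
        }
        return null;
    }

    private byte[] decrypt(Object id) {
        throw new UnsupportedOperationException("placeholder for the application's own decryption");
    }
}
```

The check sees only the immediate caller, so a public method in the owning bundle that forwards the request on behalf of other code effectively extends access to that code. On Java 9 and later, `StackWalker` with `RETAIN_CLASS_REFERENCE` returns the caller's `Class` without subclassing `SecurityManager`.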