Building Secure OSGi Applications

Modern applications and software solutions increasingly center around loosely coupled and extensible architectures. Component or service orientation is applied in almost all areas of application development including distributed systems, ubiquitous computing, embedded systems, and client-side applications.

The Java based OSGi framework specification lends itself well as a platform for loosely coupled and extensible applications and is rapidly gaining ground as the de-facto plugin solution for Java based applications. It allows for lightweight implementations that limit themselves to the CDC profile and are ideally suited as embedded plugin frameworks.

One of the main drawbacks of dynamically extensible applications, however, are the potential security issues that arise due to executing untrusted code without appropriated safety-measures in place. Secure sandboxes and their restrictions are difficult to get right and often hard to deal with in the development of applications. The OSGi specifications have an extensive and very powerful security model that eases this difficult task. This session focuses on embedding various OSGi framework implementations namely, Eclipse Equinox and Apache Felix, into applications as a means of plugin mechanism while taking advantage of the often overlooked benefits of this solution: security.

During the session we describe a fully functional client application that can be extended at runtime through components out of remote repositories that subsequently, run in a secure sandbox. The OSGi Bundle Repository (OBR) service will be used and explained to publish, discover, and deploy plugins together with the transitive closure over the dependencies.

The application will restrict access to system resources as well as to other components and their services based on various criteria ranging from the remote location of an individual component, over its associated digital certificates, to user interaction. This demonstrates how to allow or deny permissions based on certain conditions, how to embed a security enabled OSGi framework implementation, and how to publish, discover, and deploy OSGi bundles via OBR. This session is based on the workshop we gave at EclipseCon 2008, where it was part of the OSGi DevCon, so it's an excellent opportunity for people that could not be present there to learn more about this subject.

Language:

Karl Pauls  Luminis Karl is the lead software engineer at luminis iQ products and is an early adopter of OSGi being involved with OSGi based applications for more then six years. He is a commiter and member of the PMC of Apache Felix. He received an MS (Dipl.-Inform.) in computer science from the Freie Universität Berlin.

Marcel Offermans  Luminis Marcel werkt al sinds de oprichting als software architect bij luminis. Hij heeft uitgebreide kennis van Java en C/C++ en vindt het leuk om met nieuwe software technologie te innoveren. Daarnaast is hij als committer bij Apache Felix, een OSGi implementatie, actief in open source.