0

I'm running Apache Felix as a bundle loader inside an Android app. Since the Jaca SecurityManager isn't accessible there, I'm looking for a solution to prevent the bundles from accessing certain packages, like java.io.*. The idea of just writing a custom classloader that will return null or throw an exception when such a class is requested seems the best, however, I can't find how to set a global classloader for all bundles managed by Felix.

Adrixan
  • 13
  • 2

1 Answers1

0

Try setting this property:

org.osgi.framework.system.packages - Specifies a comma-delimited list of packages that should be exported via the System Bundle from the framework class loader. The framework will set this to a reasonable default. If the value is specified, it replaces any default value.

By default, all java.* classes are visible to any bundle. If you override this, you can change that behaviour. Bundles trying to import the packages you did not include (such as java.io) will not be resolved during installation and hence will not be able to start.

See this for more information: http://felix.apache.org/site/apache-felix-framework-configuration-properties.html

Renato
  • 12,940
  • 3
  • 54
  • 85
  • This can only work if the bundle declares an import on the java.* packages which bundles should not do. The OSGi specification grants all bundle access to all java.* packages without the need to import them. But if bundles volunteer to import all the java.* packages they use, then this "trick" can prevent them from resolving. – BJ Hargrave Mar 16 '13 at 11:20
  • @BJ Hargrave : This is what was asked, a way to stop bundles from using certain java.* packages.... This is certainly not following the OSGi specifications, but if you need to do it in your own application for whatever reason, I see no harm in doing it. – Renato Mar 16 '13 at 11:51
  • If the bundle does not declare an import on the java* packages, I believe you will just get a ClassDefNotFound at run-time when you actually try to use a class which is not allowed, so this 'trick' should still work in the sense that it prevents use of certain classes in java.* – Renato Mar 16 '13 at 11:53
  • Normally bundles must not import java.* packages. Bundles have full access to java.* package regardless of whether the bundle imports them. All you are doing is have bundles voluntarily agree to fail resolving if they use some java.* package you are unwilling to provide to them. – BJ Hargrave Mar 18 '13 at 10:59
  • Upon further investigation it does seem true, that this idea won't help in my case. The idea is that I don't have full power over all packages that shall run, so I can't rely on them voluntarily declaring the requirement. I do need a way, that really removes the whole class-tree from the loader or blocks it some other way – Adrixan Mar 22 '13 at 13:58