Securing OSGi applications

Securing OSGi applications is very similar to securing enterprise applications. For most security frameworks, no additional steps are required. For Java™ 2 security, there is some optional extra configuration that is specific to OSGi Applications.

About this task

For most security frameworks that are supported by WebSphere® Application Server, configuring security for OSGi applications requires no steps beyond those that are required for enterprise applications. For example, if you enable security and you add a secure asset, you must specify a target server that is in the global security domain. This requirement is the same whether the asset is an enterprise application or an OSGi application.

For application security with OSGi applications, you can modify the security role to user or group mapping when you add the asset to the business-level application.

For Java 2 security in enterprise applications, you set permissions at the application level. For OSGi applications, you can also set Java 2 security permissions at the bundle level. To support this finer-grained security, there are extra configuration steps that you can complete when you create an OSGi application, when you migrate an enterprise application to an OSGi application, and when you add an enterprise bundle archive (EBA) asset to a business-level application.

Procedure

  • Use application security with OSGi applications.

    Application security controls which users may access which parts of the application.

    • Modify the security role to user or group mapping.

      You can modify this mapping when you add the asset to the business-level application as a composition unit. For more information, see Adding an EBA asset to a composition unit by using the administrative console, Adding an EBA asset to a composition unit by using wsadmin commands, and Security role to user or group mapping [Settings].

    • Use application security with web application bundles (WABs).

      You secure WABs in the same way that you secure web applications in Java EE. Application security enforces any security constraints that are defined in the web.xml file for a WAB. When a web client tries to access a protected resource, the client is prompted for authentication.

    • Configure bean security in the Blueprint XML file.

      You can configure bean security in the Blueprint XML file of your OSGi applications, so that the methods of the bean can be accessed only by users that are assigned a specified role. You can configure bean-level security, so that a single role is associated with all the methods of the bean, or you can configure method-level security, where different roles are associated with specific methods.

    • Use application security with EJB bundles.

      You secure enterprise beans in EJB bundles in the same way that you secure enterprise beans in Java EE. Application security enforces any bean method security settings that are defined in the ejb-jar.xml file for an EJB bundle.

  • Use Java 2 security with OSGi applications.

    Java 2 security controls access to protected system resources from the application.

    • Learn about using Java 2 security with OSGi applications.
      Using Java 2 security in OSGi applications is very similar to using Java 2 security in enterprise applications. For an overview of the main differences when you use Java 2 security in an OSGi application, see Java 2 security and OSGi Applications. This topic describes the following differences:
      • The format and locations of the permissions.perm files in an OSGi application.
      • The relationship between application-level permissions.perm files in OSGi applications and was.policy files in enterprise applications.
      • The default permissions that apply to every OSGi application, in addition to any that are provided through a permissions.perm file.
    • Configure Java 2 security for your OSGi application.
      1. Create permissions.perm files. For more information, see Java 2 security and OSGi Applications.
      2. Check the security permissions. The security permissions are displayed when you import the OSGi application as an asset. For more information, see Deploying an OSGi application as a business-level application.
    • Migrate Java 2 security settings as part of migrating an enterprise application to an OSGi application.

      When you convert an application from Java EE to OSGi, any existing was.policy file is converted into a permissions.perm file to be used with the OSGi permissions framework, and all permissions are promoted to the application level. If you need finer granularity, you can modify the file after conversion. For more information, see Java 2 security and OSGi Applications, and Converting an enterprise application to an OSGi application.
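
The following Python sketch supports the "Check the security permissions" step and the review of a converted permissions.perm file before narrowing it. It is an added example, not code from the product or its documentation. It assumes the standard OSGi encoded-permission line format, `(type "name" "actions")` with `#` and `//` comment lines; the function names, the review heuristics, and the sample file are constructed for illustration.

```python
import re

# One encoded permission per line: (type "name" "actions"); name and actions are optional.
PERM_RE = re.compile(
    r'^\(\s*([\w.$]+)(?:\s+"((?:[^"\\]|\\.)*)")?(?:\s+"((?:[^"\\]|\\.)*)")?\s*\)$')

def parse_permissions(text):
    """Split permissions.perm text into parsed entries and unparseable line numbers."""
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "//")):
            continue  # blank line or comment
        m = PERM_RE.match(line)
        if m:
            entries.append((lineno, m.group(1), m.group(2), m.group(3)))
        else:
            malformed.append(lineno)
    return entries, malformed

def audit(text):
    """Return sorted (line, reason) findings for grants that are broader than needed."""
    # The checks below are heuristics chosen for this example, not a product rule set.
    entries, malformed = parse_permissions(text)
    findings = [(n, "unparseable entry") for n in malformed]
    for n, ptype, name, _actions in entries:
        if ptype == "java.security.AllPermission":
            findings.append((n, "AllPermission grants every permission"))
        elif ptype == "java.io.FilePermission" and name == "<<ALL FILES>>":
            findings.append((n, "file access not scoped to a path"))
        elif ptype == "java.net.SocketPermission" and name == "*":
            findings.append((n, "socket access to any host"))
    return sorted(findings)

# Constructed sample, shaped like a file produced by converting a was.policy.
SAMPLE = '''# application-level grants (constructed)
(java.io.FilePermission "/opt/app/data/-" "read")
(java.io.FilePermission "<<ALL FILES>>" "read,write")
(java.security.AllPermission)
// narrow grant
(java.util.PropertyPermission "user.dir" "read")
(java.net.SocketPermission "*" "connect,resolve")
java.lang.RuntimePermission "exitVM"
'''

if __name__ == "__main__":
    for lineno, reason in audit(SAMPLE):
        print(f"line {lineno}: {reason}")
```

Each flagged line is a candidate for replacement with a narrower grant, or for moving from the application level to the one bundle that needs it.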