Building Secure OSGi Applications

Marcel Offermans (luminis), Karl Pauls (luminis)

OSGi DevCon · Tutorial

Monday, 13:30, 2 hours | Napa I-II-III


Modern applications and software solutions increasingly center around loosely coupled and extensible architectures. Component or Service orientation is applied in almost all areas of application development including distributed systems, ubiquitous computing, embedded systems, and client-side applications.

The Java based OSGi framework specification lends itself well as a platform for loosely coupled and extensible applications and is rapidly gaining ground as the de-facto plugin solution for Java based applications. It allows for lightweight implementations that limit themselves to the CDC profile and are ideally suited as embedded plugin frameworks.

One of the main drawbacks of dynamically extensible applications, however, is the potential for security issues that arise from executing untrusted code without appropriate safety measures in place. Secure sandboxes and their restrictions are difficult to get right and often hard to deal with in the development of applications. The OSGi specifications have an extensive and very powerful security model that eases this difficult task.

This tutorial focuses on embedding various OSGi framework implementations, namely Eclipse Equinox and Apache Felix, into applications as a plugin mechanism while taking advantage of the often overlooked benefit of this solution: security.

The goal is to build a fully functional client application that can be extended at runtime through components from remote repositories that subsequently run in a secure sandbox. The OSGi Bundle Repository (OBR) service will be used and explained to publish, discover, and deploy plugins together with the transitive closure over their dependencies.

The application will restrict access to system resources as well as to other components and their services based on various criteria, ranging from the remote location of an individual component, through its associated digital certificates, to user interaction. This will demonstrate how to allow or deny permissions based on certain conditions, how to embed a security-enabled OSGi framework implementation, and how to publish, discover, and deploy OSGi bundles via OBR.

Participants will learn

Requirements for participants are a basic understanding of the OSGi specifications and hands-on experience with bundles and services, in particular how to offer services to other bundles and the use of service factories. Knowledge of the Java security model is a plus.

Exercises will focus on creating an extensible application and extensions that can run in a restricted sandbox. The specifics are not yet determined but we plan to have participants work in pairs on different aspects of the application and its extensions. Finally, the application shall be fully functional. We will run the application and extend it at runtime through the developed extensions, published previously, from a remote repository.

In order to take part in the hands-on work of the session, please bring a laptop with a working VMware Player installation and CD access. We will provide a VMware image containing the workshop environment and assignments. If a VMware Player installation is not an option for you, please make sure you have a working Java 1.5, Ant 1.7.0, and Eclipse Classic set-up.

Marcel is a software architect at luminis with broad experience in different operating systems, languages and applications, ranging from data-oriented enterprise applications to embedded and distributed systems. At luminis iQ products, he is responsible for the architecture and development of an OSGi-based software provisioning product. He is also a PMC member of the Apache Felix open source project and is interested in all Java and OSGi related development.

Karl is the lead software engineer at luminis iQ products with an extensive background in security, federated authentication, and authorization solutions. He is an early adopter of OSGi and has been involved with OSGi-based applications for more than six years. He is a committer and member of the PMC of Apache Felix. He received an MS in computer science from the Freie Universität Berlin.
