OSGi: Conditional Permission Admin OR User Admin

Question

Are Conditional Permission Admin and User Admin services in OSGi complementary or exclusive? I am developing a home automation project based on OSGi and I am not sure if I should implement both security services or not.

The application will eventually be accessible through the internet but there would not be a group of user with accounts. From my understanding 'User Admin' service is more ideal for a website or an application that will have dedicated users that need to be authenticated. In my case, the application might communicate with another application residing in different location so it might also need some form of authentication. But wouldn't the security gain by implementing 'Conditional Permission Admin' user be enough?

My plan is to use the 'Conditional Permission Admin' and create custom conditions to control special actions such us sharing resources with other bundles. Is it enough or shall I implement both. Also will having both services running affect the performance of the system significantly?

I would really appreciate if someone share their view on this. Thanks!

Answer 1

ConditionalPermissionAdmin is about setting code based permissions checked by the SecurityManager. UserAdmin is about holding user credentials and assigning roles to users which can be examined by code using the UserAdmin API. UserAdmin has nothing to do with the SecurityManager. So CPA and UA are pretty orthogonal.

Having a SecurityManager installed is a performance hit. UserAdmin has no similar performance issue since it is only checked when called explicitly.