tags:

views:

259

answers:

2
+3  Q: 

Sandboxing JSR-223

I'm trying to sandbox JSR-223. Specifically, I don't want any script to have access to any of my classes. (I hear Rhino can do that with ClassShutter, but I want to do it generally. ie. for all script engines of JSR-223).

I first tried to use the AccessController.doPrivileged solution, by passing no permissions at all. It works for most permissions, but the scripts can still access all my public classes (it seems to ignore "package access" permission ...?).

I found this. My question is : how do I install a custom ClassLoader on the script engine ? (Or How do I replace the ClassLoader globally if I have to ?)

A: 

Is it possible to run the part of your application that requires the scripting engine in a separate JVM? You could start the scripting engine JVM with a different classpath (and security manager) and then use some form of lightweight message passing between the 2 JVMs.

Kevin  2009-09-09 13:45:04
Thank you for this idea. Well, yes I could do it. But in my case, it's not an option. I actually pass a huge DOM document to the script (the only objects I allow access to). And I don't want to double that in memory.
David  2009-09-10 13:36:44
With the PassThroughProxyHandler it's not very difficult to implement communication between ClassLoaders and you don't have to copy the entire DOM over either. http://surguy.net/articles/communication-across-classloaders.xml
sjbotha  2010-10-21 13:29:08
+1  A: 

There is a constructor for ScriptEngineManager that takes a classloader. The classloader is used to load the scripting engine implementation. As classes inherit their classloaders, the scripting engine and any objects it creates should also use that classloader.

That classloader needs to deny the existence of any classes that are not white-listed.

Top it off with a custom SecurityManager so you can base access checks on which classloader in use.

Edit: Here's an article I found on Sandboxing Rhino in Java. Most of it should also apply to JSR-223. Sun's implementation is Rhino with modifications, so there may be some differences.

Devon_C_Miller  2009-09-10 22:28:22
Thanks. I tried that. But for some reason, the only classes that my ClassLoader is asked for are com.sun.script.javascript.RhinoScriptEngineFactory and other engines factories.
David  2009-09-11 10:08:20
When I played with a custom ClassLoader last I had trouble getting it to use my ClassLoader all the time as well. I believe I had to use Thread.currentThread().setContextClassLoader(cl) in addition to passing the ClassLoader in Class.forName().
sjbotha  2010-10-21 13:33:17

related questions

Java Time Zone is messed up
Eclipse on win64
Automate builds for Java RCP for deployment with JNLP
Why are professors or schools picking Java over C++ to teach to students?
Is there a real benefit of using J#?
Public/Popular Websites using JavaServer Faces
Why can't I use a try block around my super() call?
Accessing post variables using Java Servlets
Personal Linux web server
Is this really widening vs autoboxing?
How can I Java webstart multiple, dependent, native libraries?
Why can't I call toString() on a Java primitive?
How do I use Java to read from a file that is actively being written?
What code analysis tools do you use for your Java projects?
IllegalArgumentException or NullPointerException for a null parameter?
How do I configure and communicate with a serial port?
What is the best way to parse strings in Java
Getting started with a custom JXTA PeerGroup
Creating a custom button in Java
How to get started "writing" a code coverage tool?
Which Build-/Configuration Management Tool?
What is the difference between an int and an Integer in Java/C#?
What is the meaning of the type safety warning in certain Java generics casts?
How would you access Object properties from within an object method?
Converting CSV File to XML in Java