Does anyone know how a white-list class access approach similar to Google App Engine can be implemented?

views:

answers:

+3 Q:

Does anyone know how a white-list class access approach similar to Google App Engine can be implemented?

I am writing a container framework that can dynamically deploy a Jar file containing user developed classes in the container, and then using a web interface execute certain classes from the Jar file.

Everything else is well set, including the validations. However, a requirement is to only allow access to certain JDK and other library classes from the user developed class. Clearly, this is due to the fact that the container will need an assurance that someone (intentionally or otherwise) ends up running a piece of Java code that results in a "bad" behavior.

Generally, I find stuff on Google on almost all topics. In this case, I just could not :(

+2 A:

see http://stackoverflow.com/questions/991703/can-i-deny-access-to-a-jvm-class-by-configuring-java-policy-file

it suggests using a custom classloader

Stefan De Boey 2010-03-03 01:22:18

+2 A:

Note that a custom classloader is not enough against a malicious person - he/she can access a parent classloader and load the restricted classes through it. In addition to a custom classloader, you should set a security manager and revoke the getClassLoader permission (and, perhaps, some other permissions too).

axtavt 2010-03-03 02:41:59

Some pseudo-code maybe?

Chris Kaminski 2010-03-03 02:59:36

ansaurus

tags:

views:

answers:

Does anyone know how a white-list class access approach similar to Google App Engine can be implemented?

related questions