commons-user mailing list archives

From "Daryl Stultz" <>
Subject Jelly: and security
Date Fri, 12 Sep 2003 20:54:18 GMT
Hi folks,

Suppose I build a SOAP service that runs Jelly scripts (i.e. the client
calls the service/method and passes in the Jelly script to be executed). I
want the client to be able to use core Jelly tags but I don't want them to
do things like:

<j:new className="my.choice.of.destructive.Classes" action="deleteStuff" />

How can I control the environment / class access?

I tried this:

context.setClassLoader(new MyLoader());

with the loader class like so to filter out classes I want to allow:

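public class MyLoader extends ClassLoader {
	public Class loadClass(String name) throws ClassNotFoundException {
		// log every class name requested through this loader
		System.out.println("loading class = " + name);
		// the return expression is missing from the archived message; delegating to the parent loader is assumed
		if (name.startsWith("org.apache.commons.jelly.tags.")) return super.loadClass(name);
		else throw new ClassNotFoundException("Class not authorized");
	}
}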

but the only classes this loader loads are:


Any ideas?


Daryl Stultz
6 Degrees Software and Consulting, Inc.
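
An added example, not part of the original message and not Jelly's own code: a self-contained allowlisting class loader of the kind the post describes, overriding the two-argument loadClass so that both loadClass(String) and Class.forName(name, init, loader) pass through the check. The class names AllowlistLoaderDemo, AllowlistLoader and canLoad are hypothetical, and the JDK package prefix stands in for org.apache.commons.jelly.tags. so the demo runs without Jelly on the classpath. The last lookup shows the limit of the approach: the filter only governs requests routed through it, and a lookup made through any other loader never consults it.

```java
import java.util.List;

// Added example: allowlisting class loader (names and prefixes are constructed for the demo).
public class AllowlistLoaderDemo {

    static class AllowlistLoader extends ClassLoader {
        private final List<String> allowedPrefixes;

        AllowlistLoader(ClassLoader parent, List<String> allowedPrefixes) {
            super(parent);
            this.allowedPrefixes = allowedPrefixes;
        }

        // loadClass(String) delegates to this method, so one override covers both entry points.
        @Override
        protected Class<?> loadClass(String name, boolean resolve)
                throws ClassNotFoundException {
            for (String prefix : allowedPrefixes) {
                if (name.startsWith(prefix)) {
                    // Allowed: the parent loader finds and defines the class.
                    return super.loadClass(name, resolve);
                }
            }
            // Deny by default: anything not on the allowlist is reported as missing.
            throw new ClassNotFoundException("Class not authorized: " + name);
        }
    }

    // Reports whether a name can be resolved when the lookup starts at the given loader.
    static boolean canLoad(ClassLoader loader, String name) {
        try {
            Class.forName(name, false, loader);
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        ClassLoader parent = AllowlistLoaderDemo.class.getClassLoader();
        ClassLoader filter = new AllowlistLoader(parent, List.of("java.util."));

        System.out.println("allowlisted name via filter:     " + canLoad(filter, "java.util.ArrayList"));
        System.out.println("non-allowlisted name via filter: " + canLoad(filter, "java.io.File"));
        // Same name requested through the parent directly: the filter is never asked.
        System.out.println("same name via parent loader:     " + canLoad(parent, "java.io.File"));
    }
}
```

Classes that the filter delegates are defined by the parent loader, so the references inside those classes are resolved by the parent as well and do not reach the allowlist check.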
