commons-user mailing list archives

From "Daryl Stultz" <da...@6degrees.com>
Subject Jelly: and security
Date Fri, 12 Sep 2003 20:54:18 GMT
Hi folks,

Suppose I build a SOAP service that runs Jelly scripts (i.e. the client
calls the service/method and passes in the Jelly script to be executed). I
want the client to be able to use core Jelly tags but I don't want them to
do things like:

<j:new className="my.choice.of.destructive.Classes" action="deleteStuff" />

How can I control the environment / class access?

I tried this:

context.setClassLoader(new MyLoader());

with the loader class like so to filter out classes I want to allow:

public class MyLoader extends ClassLoader {
	public Class loadClass(String name) throws ClassNotFoundException {
		System.out.println("loading class = " + name);
		if (name.startsWith("org.apache.commons.jelly.tags.")) {
			return super.loadClass(name);
		} else {
			throw new ClassNotFoundException("Class not authorized");
		}
	}
}

but the only classes this loader loads are:

org.apache.commons.jelly.tags.define.DefineTagLibrary
org.apache.commons.jelly.tags.core.CoreTagLibrary

Any ideas?

Thanks.

Daryl Stultz
_____________________________________
6 Degrees Software and Consulting, Inc.
http://www.6degrees.com
mailto:daryl@6degrees.com
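
An added example, not part of the original message and not Jelly's own code: a deny-by-default class loader in plain Java, showing that such a filter governs only the lookups that are routed through it. The names `AllowListLoader` and `tryLoad` and the allow-listed prefixes are assumptions made for illustration.

```java
import java.util.List;

// Added example: deny-by-default class loader. Names and prefixes are illustrative.
public class AllowListLoaderDemo {

    static class AllowListLoader extends ClassLoader {
        private final List<String> allowedPrefixes;

        AllowListLoader(ClassLoader parent, List<String> allowedPrefixes) {
            super(parent);
            this.allowedPrefixes = allowedPrefixes;
        }

        // Override the two-argument form; the public loadClass(String) delegates to it.
        @Override
        protected Class<?> loadClass(String name, boolean resolve)
                throws ClassNotFoundException {
            for (String prefix : allowedPrefixes) {
                if (name.startsWith(prefix)) {
                    return super.loadClass(name, resolve);
                }
            }
            throw new ClassNotFoundException("Class not authorized: " + name);
        }
    }

    // Resolve a class by name through an explicit loader, without initializing it.
    static String tryLoad(ClassLoader loader, String name) {
        try {
            return "allowed: " + Class.forName(name, false, loader).getName();
        } catch (ClassNotFoundException e) {
            return "denied:  " + name;
        }
    }

    public static void main(String[] args) {
        ClassLoader filter = new AllowListLoader(
                AllowListLoaderDemo.class.getClassLoader(),
                List.of("java.lang.", "java.util."));   // constructed allow-list

        System.out.println(tryLoad(filter, "java.util.ArrayList"));
        // java.io.File matches no allowed prefix, so the filter rejects it.
        System.out.println(tryLoad(filter, "java.io.File"));
        // The same name resolved through another loader never reaches the filter.
        System.out.println(tryLoad(ClassLoader.getSystemClassLoader(), "java.io.File"));
    }
}
```

A class that was itself loaded by a different loader resolves its own references through that loader, so a filter like this restricts only name lookups made explicitly against it.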