From commons-user-return-13815-apmail-jakarta-commons-user-archive=jakarta.apache.org@jakarta.apache.org Thu Oct 06 12:52:50 2005
Return-Path: <commons-user-return-13815-apmail-jakarta-commons-user-archive=jakarta.apache.org@jakarta.apache.org>
Delivered-To: apmail-jakarta-commons-user-archive@www.apache.org
Received: (qmail 38348 invoked from network); 6 Oct 2005 12:52:50 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199)
  by minotaur.apache.org with SMTP; 6 Oct 2005 12:52:50 -0000
Received: (qmail 79606 invoked by uid 500); 6 Oct 2005 12:52:43 -0000
Delivered-To: apmail-jakarta-commons-user-archive@jakarta.apache.org
Received: (qmail 79560 invoked by uid 500); 6 Oct 2005 12:52:43 -0000
Mailing-List: contact commons-user-help@jakarta.apache.org; run by ezmlm
Precedence: bulk
List-Unsubscribe: <mailto:commons-user-unsubscribe@jakarta.apache.org>
List-Help: <mailto:commons-user-help@jakarta.apache.org>
List-Post: <mailto:commons-user@jakarta.apache.org>
List-Id: "Jakarta Commons Users List" <commons-user.jakarta.apache.org>
Reply-To: "Jakarta Commons Users List" <commons-user@jakarta.apache.org>
Delivered-To: mailing list commons-user@jakarta.apache.org
Received: (qmail 86853 invoked by uid 99); 6 Oct 2005 11:52:49 -0000
X-ASF-Spam-Status: No, hits=0.0 required=10.0
	tests=
X-Spam-Check-By: apache.org
Received-SPF: neutral (asf.osuosl.org: local policy)
Mime-Version: 1.0 (Apple Message framework v623)
Content-Transfer-Encoding: 7bit
Message-Id: <df6954bd9bd7e87aef2b6f779ce39681@activemath.org>
Content-Type: text/plain; charset=US-ASCII; format=flowed
To: Jakarta Commons Users List <commons-user@jakarta.apache.org>
From: Paul Libbrecht <paul.libbrecht@activemath.org>
Subject: [jelly] sandboxed jelly anyone ?
Date: Thu, 6 Oct 2005 13:52:17 +0200
X-Mailer: Apple Mail (2.623)
X-Virus-Checked: Checked by ClamAV on apache.org
X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N


Hello,

Jelly would play a lovely role in our database infrastructure... 
namely... that of being able to run a set of queries and become, thus, 
a query language that would produce XML documents as results of several 
(possibly many) queries.
Such queries and their results would then be well transmittable 
remotely except that... jelly would be a powerful security hole if it 
could as much as traditional jelly can do.

Did anyone experience with sandboxing the classes that run jelly?
Is it as simple passing the rightly-configured classloader to the 
JellyContext class and let jelly classes only be loaded from this 
classloader ?? Will there be security checks then done on any methods 
called from such a class then ?

thanks for ideas

paul


---------------------------------------------------------------------
To unsubscribe, e-mail: commons-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-user-help@jakarta.apache.org