commons-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From henrib <hen...@apache.org>
Subject Re: [jexl] JEXL Secure Sandbox
Date Wed, 13 Jul 2011 21:34:07 GMT
Hi Sarel,
On point 4/, I've created JEXL-115 and just committed some code/tests in the
trunk. I hope this will allow you to avoid having to derive JexlArithmetic
or Interpreter.

On point 3/, I agree that full access to the system can only be controlled
by a security policy. In "closed" environments where what is accessible is
specific to the application itself, it is easy to control access through
functions/methods (probably the only way too).

On point 1/, a "white" list of classes - with an optional set of
methods/properties and a flag to consider whether these are "white" or
"black" would do the trick. In all cases, Object.class and Object.getClass
would be "black" by default; the constructor(s) would be referred to as as
the Simple class name in white/black lists.
I'd probably add an option to consider that classes not in the white list do
not have any restrictions (String, Integer, etc would be painful to
declare).
Does this seem a good compromise ?

Cheers
Henrib

--
View this message in context: http://apache-commons.680414.n4.nabble.com/jexl-JEXL-Secure-Sandbox-tp3626959p3666165.html
Sent from the Commons - User mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@commons.apache.org
For additional commands, e-mail: user-help@commons.apache.org


Mime
View raw message