groovy-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Paul King (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (GROOVY-3032) GroovyScriptEngine needs SecurityPermissions
Date Thu, 02 Jun 2016 04:42:59 GMT

    [ https://issues.apache.org/jira/browse/GROOVY-3032?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14466473#comment-14466473
] 

Paul King edited comment on GROOVY-3032 at 6/2/16 4:42 AM:
-----------------------------------------------------------

ok i've managed to do it:

{code}
Subject.doAsPrivileged(subject, new PrivilegedAction<Object>() {
    public Object run() {
        try {
            Class<?> clz = engine.loadScriptByName(argHolder.command);
            MudPermission permission = new MudPermission(clz.getName());
            AccessController.checkPermission(permission);
            return doCommand(argHolder.command, argHolder.args, player);
        } catch (ResourceException e) {
            logger.error(e, e);
        } catch (ScriptException e) {
            logger.error(e, e);
        }
        return null;
    }
}, null);
...
{code}

where doCommand actually calls gSE.run(..);

... I still thing the GSE should do this check for you by providing some sort of AccessScriptPermission
object, and the checkPermssion called in the GSE.


was (Author: matt.corby):
ok i've managed to do it:

{code}
Subject.doAsPrivileged(subject, new PrivilegedAction<Object>() {

                    public Object run() {
                        try {
                            Class<?> clz = engine.loadScriptByName(argHolder.command);

                            MudPermission permission = new MudPermission(clz.getName());
                            AccessController.checkPermission(permission);
                            return doCommand(argHolder.command, argHolder.args, player);
                        } catch (ResourceException e) {
                            logger.error(e, e);
                        } catch (ScriptException e) {
                            logger.error(e, e);
                        }
                        return null;
                    }
                }, null);
...
{code}

where doCommand actually calls gSE.run(..);

... I still thing the GSE should do this check for you by providing some sort of AccessScriptPermission
object, and the checkPermssion called in the GSE.

> GroovyScriptEngine needs SecurityPermissions
> --------------------------------------------
>
>                 Key: GROOVY-3032
>                 URL: https://issues.apache.org/jira/browse/GROOVY-3032
>             Project: Groovy
>          Issue Type: Improvement
>          Components: GroovyScriptEngine
>    Affects Versions: 1.5.6
>         Environment: Any
>            Reporter: Matthew Corby-Eaglen
>            Priority: Minor
>         Attachments: groovysecurity.diff
>
>
> The GroovyScriptEngine requires some means of preventing certain objects from running
certain scripts. This would be useful for multi-user environments who can log in and execute
scripts via the shell.
> An external wrapper would not work well because the GSE resolves scripts at run time,
and the URL of the scripts cannot be exposed before hand.
> I suppose a change at the Script object level might be more appropriate, but this would
be effective.
> Patch included.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message