Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
HomeAnnouncementsWhite Papers
Discussion GroupsFirst AidDatabasesJavaBeansGUIJava 3DVirtual MachineCORBASecurityToolsGeneral
Java DirectoryOpen Source ProjectsSample Book ChaptersUser GroupsWeb Resources
Related Topics
Databases.NETMore Topics ...
Java Forum / General / May 2007

Tip: Looking for answers? Try searching our database.

javax.scripting, Rhino, and creating sandboxes...

Thread view: 
Enable EMail AlertsStart New Thread
Daniel Pitts - 15 May 2007 07:56 GMT
I'd like to be able to control the interaction between my script and
the host Java environment.  Most specifically, if I don't explicitly
allow something, it shouldn't be available to the script context.

Is there an easy-and-sure way to do that? Do I need to go through the
trouble of setting up a SecurityManager?  Can I get away with a
"clever" Bindings implementation?  I'm mostly interested in Rhino,
which comes shipped with the JDK 1.6, but if there is a general
approach, that'd be great too.

Thanks,
Daniel.
Reply to this Message
Tom Hawtin - 15 May 2007 15:04 GMT
> I'd like to be able to control the interaction between my script and
> the host Java environment.  Most specifically, if I don't explicitly
[quoted text clipped - 5 lines]
> which comes shipped with the JDK 1.6, but if there is a general
> approach, that'd be great too.

I believe (use at your own risk) that for the Java SE 1.6 adaptation of
Rhino supplied in the Sun implementation (it's not a required part, and
may be implemented differently), you can get away with calling the
scripting API with lowered permissions. You will, of course, need a
SecurityManager. Remember JavaScript is still code. Running untrusted
code safely is difficult.

Where ever you use the API, surround the code with the usual two
argument java.security.AccessController.doPrivileged. Supply an acc with
the required (lack of) permissions (not null!). The Sun Rhino JavaScript
implementation will capture and then reapply those permission for
callback interfaces.

You will need to keep scripts away from code that is not secure. That
means, for instance, using a completely separate class loader (and set
something as thread context class loader). If you use AWT, you will need
to set up a separate AppContext (which you can't do portably).

Actually, it's a bit of a nightmare. I wouldn't bother. ;)

Rhino itself is a different kettle of fish, and not for the better. I
think you should be able to get away with applying the permissions to
the Rhino classes. Not entirely sure it will run like that - certainly
the optimiser wont work.

Tom Hawtin

[Cross-posted and followup-to: comp.lang.java.security]
Reply to this Message


Free Magazines

Get these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...

Oracle MagazineNetwork ComputingComputer WorldBio-IT WorldeWeekInformation WeekInfosecurity
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2008 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.