I created PolicySecurityController exactly to provide this functionality.

You need to
a) create an instance of PolicySecurityController and put it into effect. You can use either Context.setSecurityController, or SecurityController.initGlobal to put it into effect.
b) make sure every time you call a Context.compile* method, you pass a java.security.CodeSource as the "securityDomain" parameter of the method. You'll need to construct your CodeSource objects to reflect the location the scripts are loaded from. (If you want, you can of course also use digitally signed scripts and include certificates in the code source as well.)

It is your code that invokes Context.compile* methods that is trusted with creating veritable CodeSource objects, that is, specifying the real source URL and verifying any digital signatures the source might have attached to it.

From there on, the configured Java security policy (the one specified at the command line with -Djava.security.manager -Djava.security.policy=someURL) will also apply to scripts, based on the URL their source was loaded from (more precisely, where your Java code claims they were loaded from) and/or the identity of their signers.

I guess I should really write this up on the Wiki finally...

Attila.
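The two steps above, a) installing a PolicySecurityController and b) passing a CodeSource to Context.compile*, as an added example that is not code from Rhino, from Attila or from the original poster. It assumes PolicySecurityController is present in your Rhino build, that the Rhino jar and this class live under a constructed path /opt/app/, that the script origins under /opt/scripts/ are constructed placeholders, and that a policy file rhino.policy is written as shown in the comments.

```java
import java.net.URL;
import java.security.CodeSource;
import java.security.cert.Certificate;

import org.mozilla.javascript.Context;
import org.mozilla.javascript.PolicySecurityController;
import org.mozilla.javascript.Script;
import org.mozilla.javascript.Scriptable;
import org.mozilla.javascript.SecurityController;

public class SandboxedRhino {

    // Step a): put PolicySecurityController into effect for the whole JVM.
    // The per-context alternative is cx.setSecurityController(new PolicySecurityController()).
    static {
        SecurityController.initGlobal(new PolicySecurityController());
    }

    /**
     * Step b): compile and run `source`, attributing it to `origin`.
     * This method is the trusted party: it must pass the URL the script was
     * really loaded from (and the verified signer chain, if any). The Java
     * policy then decides, by codeBase and signers, what the script may do.
     */
    public static Object run(String source, URL origin, Certificate[] signers) {
        // Unsigned scripts pass signers == null (assumption for this example).
        CodeSource domain = new CodeSource(origin, signers);
        Context cx = Context.enter();
        try {
            Scriptable scope = cx.initStandardObjects();
            // The CodeSource is the "securityDomain" argument of compileString.
            Script script = cx.compileString(source, origin.toString(), 1, domain);
            return script.exec(cx, scope);
        } finally {
            Context.exit();
        }
    }

    public static void main(String[] args) throws Exception {
        // Launch with:
        //   java -Djava.security.manager -Djava.security.policy=rhino.policy SandboxedRhino
        // rhino.policy (constructed example; paths are placeholders):
        //   // the application and the Rhino jar itself need full permission
        //   grant codeBase "file:/opt/app/-" {
        //       permission java.security.AllPermission;
        //   };
        //   // scripts from this directory may read /tmp
        //   grant codeBase "file:/opt/scripts/trusted/-" {
        //       permission java.io.FilePermission "/tmp/-", "read";
        //   };
        //   // nothing is granted to file:/opt/scripts/untrusted/-, so
        //   // java.io calls made from those scripts are denied
        String script = "new java.io.File('/tmp').listFiles().length";
        URL trusted = new URL("file:/opt/scripts/trusted/list.js");
        URL untrusted = new URL("file:/opt/scripts/untrusted/list.js");

        System.out.println("trusted: " + run(script, trusted, null));
        try {
            run(script, untrusted, null);
        } catch (RuntimeException e) {
            // The AccessControlException raised inside File.listFiles() reaches
            // the caller, typically wrapped by Rhino in a WrappedException.
            System.out.println("untrusted script denied: " + e);
        }
    }
}
```

The point of the policy layout is that the script's permissions come from its own CodeSource, not from the permissions of the Java code that compiled it: the same script text runs with two different outcomes depending only on the URL the trusted caller attached to it.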

On Oct 12, 2008, at 7:35 PM, Cormac Redmond wrote:

Hi,

Can someone tell me the standard way to issue Rhino with a security
policy (or whatever) to prevent scripts from accessing Java packages
like java.io, etc? There doesn't seem to be any documentation on this,
although discussions have taken place in the past, but things have
been re-factored since then.

Having discovered that ClassShutter is insecure, it is no longer an option.

We use Rhino 1.6R7.

:)

Regards,
Cormac
_______________________________________________
dev-tech-js-engine-rhino mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-js-engine-rhino
