Probably the app server places additional restrictions on code in
applications. It might be possible that you'd need to grant some
additional privileges to js.jar when it's in the app directory (and then
we might need to augment Rhino to use doPrivileged() in a few places
after you identify those places).
I suggest you run your JVM with -Djava.security.debug="access,failure"
and see exactly what code fails obtaining which permissions, and come
back to us with the findings.
Attila.
On 2009.02.17., at 23:31, Gary Brown wrote:
I have some code similar to the following that is used to call js code
from java.

    ContextFactory contextFactory = new ContextFactory();
    Context context = contextFactory.enterContext();
    // Have Rhino derive script permissions from the Java policy.
    context.setSecurityController( new PolicySecurityController() );
    Scriptable scope = context.initStandardObjects( new ImporterTopLevel( context ) );
    // The code source URL is what the policy file's codeBase is matched against.
    URL url = new URL( "http://acme.com/scripting/test.js" );
    CodeSource codeSource = new CodeSource( url, ( CodeSigner[] ) null );
    // script holds the JavaScript source text.
    context.evaluateString( scope, script, "test.js", 0, codeSource );
    Context.exit();

The code works and can be secured using java policy when executed from
a simple stand-alone application. The code also works correctly when
executed from a web application running on Weblogic 10.0, but only if
js.jar from Rhino 1.7R1 is in the classpath. The file js.jar must be
placed ahead of the Weblogic jars in the classpath because one of the
classes conflicts with a class found in the Weblogic jars.
The following is an example of the java policy file:

    // Give java code full access.
    grant codeBase "file:/-" {
        permission java.security.AllPermission;
    };
    grant codeBase "file:C:/-" {
        permission java.security.AllPermission;
    };
    grant codeBase "file:D:/-" {
        permission java.security.AllPermission;
    };
    // Give javascript code no access.
    grant codeBase "http://acme.com/scripting" {
    };

If I remove js.jar from the classpath and instead put js.jar in the
APP-INF/lib directory (I also have to put a weblogic-application.xml
file in the META-INF directory to fix the class load conflict), I get
security exceptions. The security exceptions go away if I grant full
permissions to all code.
-----
I get similar results when I deploy my code to Tomcat 6. If js.jar is
placed in $CATALINA_HOME/lib/ (and not in /WEB-INF/lib/), all is well.
If js.jar is placed in /WEB-INF/lib/, I get 'ReferenceError: "java" is
not defined.' unless I grant full permissions to all code.
-----
Is there any way to get this code to execute correctly without putting
js.jar in the common classpath? Any idea why the code works with
reduced permissions with js.jar in the common classpath, and with full
permissions with js.jar in the application classpath, but not with
reduced permissions with js.jar in the application classpath?
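
Added example, not part of the thread and not Rhino code: one way to triage the output of the -Djava.security.debug="access,failure" run suggested in the reply, grouping each denied permission under the code source that failed the check. The log lines are constructed, PLACEHOLDER paths and the denied permissions are assumptions, and the helper names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on what -Djava.security.debug="access,failure"
# prints; the paths and denied permissions are placeholders, not real findings.
SAMPLE = """\
access: access allowed ("java.util.PropertyPermission" "user.dir" "read")
access: access denied ("java.lang.RuntimePermission" "createClassLoader")
java.lang.Exception: Stack trace
	at java.lang.Thread.dumpStack(Thread.java)
access: domain that failed ProtectionDomain  (file:/PLACEHOLDER/APP-INF/lib/js.jar <no signer certificates>)
access: access denied (java.lang.RuntimePermission getProtectionDomain)
access: domain that failed ProtectionDomain  (file:/PLACEHOLDER/APP-INF/lib/js.jar <no signer certificates>)
access: access denied ("java.io.FilePermission" "/tmp/x" "read")
access: domain that failed ProtectionDomain  (http://acme.com/scripting/test.js <no signer certificates>)
"""

DENIED = re.compile(r"access: access denied \((.*)\)\s*$")
DOMAIN = re.compile(r"access: domain that failed ProtectionDomain\s+\((\S+)")
TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # some JDK versions quote the fields, others do not

def denied_by_domain(log_text):
    """Map each failing code source to the set of permissions it was denied."""
    result = defaultdict(set)
    pending = None  # denied permission still waiting for its "domain that failed" line
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            pending = tuple(q or bare for q, bare in TOKEN.findall(m.group(1)))
            continue
        m = DOMAIN.search(line)
        if m and pending is not None:
            result[m.group(1)].add(pending)
            pending = None
    return dict(result)

def split_by_sandbox(denials, sandbox_codebase):
    """Separate denials hitting the sandboxed script from denials hitting other code."""
    sandboxed = {k: v for k, v in denials.items() if k.startswith(sandbox_codebase)}
    other = {k: v for k, v in denials.items() if k not in sandboxed}
    return sandboxed, other

if __name__ == "__main__":
    sandboxed, other = split_by_sandbox(denied_by_domain(SAMPLE), "http://acme.com/scripting")
    for label, group in (("script (expected)", sandboxed), ("other code (investigate)", other)):
        for codebase, perms in sorted(group.items()):
            for perm in sorted(perms):
                print(label, codebase, " ".join(perm))
```

Denials attributed to the script's code source are the policy doing its job; denials attributed to js.jar or other application code are the ones to report back and, if needed, cover with a narrow grant instead of AllPermission.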