Hi everybody,

Perhaps you know that since version 6 of Java, the JDK provides a scripting API (javax.script) which enables the execution of different script languages, including JavaScript through Rhino. I am currently working on the development of a web application which allows users to execute their own scripts. Of course, we need to forbid the use of different packages for the security of our application.

That's why we thought of using the security property "access.package", available in the java.security file present in the JRE, which lists all the packages that are banned in my class. This behaviour works perfectly in my class but only partially when the script is interpreted through the eval() method of the same scripting API: in fact, among the "blacklisted" packages, only the packages from the JDK cause an exception during the instantiation of objects. There are no exceptions when we instantiate objects from our own packages ("com.foo"), which are also "blacklisted" ;(

My question is the following: does Rhino have its own classloader to import the Java packages (through the importPackage() method)? And if so, why doesn't this classloader call the security manager?

I hope this is clear enough to understand my situation... Thank you in advance ;)

Technical details: my application server is "weblogic 10.0".
