On Thu, Mar 27, 2008 at 12:39 AM, Tegan Clark <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I'm using JRuby to allow users to script my Java framework and extend it
> through Ruby script at plug points.
>
> What I want to do is only allow the Ruby script access to the Java objects I
> pass into the JSR 223 context, i.e. I want to prohibit a user accessing the
> file system, network etc. through the available Java classes.
>
> Is there any way to stop this example evaled Ruby from working (calling via
> JSR 223):
>
> ScriptEngineManager scriptEngineMgr = new ScriptEngineManager();
> ScriptEngine engine = scriptEngineMgr.getEngineByName("jruby");
> engine.eval("r = java.util.Random.new \n puts r.nextInt");
>
> i.e. stopping Ruby code creating or statically calling Java objects.

There are two things that I can think of, but both will require quite
a bit of work.

1. Rebuild JRuby such that it prevents loading javasupport (search for
   "java.rb" in Ruby.java). Not sure if this will fully work.
2. Revitalize Ola's javasand project [1], which is a way of creating a
   sandboxed environment where you can remove classes, modules, and
   methods, or explicitly only include what you want.

Cheers,
/Nick

[1] http://jruby-extras.rubyforge.org/svn/trunk/javasand/