If you are allowing customers to define their own rules then you are effectively allowing them to execute any arbitrary java statements. You either need to have someone review and check all their rules before they are applied, restrict what they can do to the UI to such a level you are sure they can't compromise it (perhaps DSL might work?), sanatize there input to a whitelist of statements (probably no eval and very limited in what they can put in the then part, or you could go the whole hog and setup a java security sandbox and classloaders to place limits on what operations they can do - though even then you need to design it carefully so they can't modify any of your application state.
Thomas > -----Original Message----- > From: [email protected] [mailto:rules-users- > [email protected]] On Behalf Of kapokfly > Sent: 09 November 2011 17:10 > To: [email protected] > Subject: Re: [rules-users] Security test cases for Drools > > Thanks Edson. > > We are developing a web based UI (if possible embed guvnor into our > application) and open the ability to customers to define their own rules, so a > company policy on this won't work. > > Will evaluate other concern points and have more discussions on this. > > Ivan > > -- > View this message in context: http://drools.46999.n3.nabble.com/Security- > test-cases-for-Drools-tp3494072p3494170.html > Sent from the Drools: User forum mailing list archive at Nabble.com. > _______________________________________________ > rules-users mailing list > [email protected] > https://lists.jboss.org/mailman/listinfo/rules-users ************************************************************************************** This message is confidential and intended only for the addressee. If you have received this message in error, please immediately notify the [email protected] and delete it from your system as well as any copies. The content of e-mails as well as traffic data may be monitored by NDS for employment and security purposes. To protect the environment please do not print this e-mail unless necessary. NDS Limited. Registered Office: One London Road, Staines, Middlesex, TW18 4EX, United Kingdom. A company registered in England and Wales. Registered no. 3080780. VAT no. GB 603 8808 40-00 ************************************************************************************** _______________________________________________ rules-users mailing list [email protected] https://lists.jboss.org/mailman/listinfo/rules-users
