If you are allowing customers to define their own rules then you are 
effectively allowing them to execute any arbitrary java statements.
You either need to have someone review and check all their rules before they 
are applied, restrict what they can do to the UI to such a level you are sure 
they can't compromise it (perhaps DSL might work?), sanatize there input to a 
whitelist of statements (probably no eval and very limited in what they can put 
in the then part, or you could go the whole hog and setup a java security 
sandbox and classloaders to place limits on what operations they can do - 
though even then you need to design it carefully so they can't modify any of 
your application state.

Thomas

> -----Original Message-----
> From: [email protected] [mailto:rules-users-
> [email protected]] On Behalf Of kapokfly
> Sent: 09 November 2011 17:10
> To: [email protected]
> Subject: Re: [rules-users] Security test cases for Drools
>
> Thanks Edson.
>
> We are developing a web based UI (if possible embed guvnor into our
> application) and open the ability to customers to define their own rules, so a
> company policy on this won't work.
>
> Will evaluate other concern points and have more discussions on this.
>
> Ivan
>
> --
> View this message in context: http://drools.46999.n3.nabble.com/Security-
> test-cases-for-Drools-tp3494072p3494170.html
> Sent from the Drools: User forum mailing list archive at Nabble.com.
> _______________________________________________
> rules-users mailing list
> [email protected]
> https://lists.jboss.org/mailman/listinfo/rules-users


**************************************************************************************
This message is confidential and intended only for the addressee. If you have 
received this message in error, please immediately notify the 
[email protected] and delete it from your system as well as any copies. The 
content of e-mails as well as traffic data may be monitored by NDS for 
employment and security purposes. To protect the environment please do not 
print this e-mail unless necessary.

NDS Limited. Registered Office: One London Road, Staines, Middlesex, TW18 4EX, 
United Kingdom. A company registered in England and Wales. Registered no. 
3080780. VAT no. GB 603 8808 40-00
**************************************************************************************

_______________________________________________
rules-users mailing list
[email protected]
https://lists.jboss.org/mailman/listinfo/rules-users

Reply via email to