Hi Sarel, On point 4/, I've created JEXL-115 and just committed some code/tests in the trunk. I hope this will allow you to avoid having to derive JexlArithmetic or Interpreter.
On point 3/, I agree that full access to the system can only be controlled by a security policy. In "closed" environments where what is accessible is specific to the application itself, it is easy to control access through functions/methods (probably the only way too). On point 1/, a "white" list of classes - with an optional set of methods/properties and a flag to consider whether these are "white" or "black" would do the trick. In all cases, Object.class and Object.getClass would be "black" by default; the constructor(s) would be referred to as as the Simple class name in white/black lists. I'd probably add an option to consider that classes not in the white list do not have any restrictions (String, Integer, etc would be painful to declare). Does this seem a good compromise ? Cheers Henrib -- View this message in context: http://apache-commons.680414.n4.nabble.com/jexl-JEXL-Secure-Sandbox-tp3626959p3666165.html Sent from the Commons - User mailing list archive at Nabble.com. --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
