When embedding a JavaScript interpreter (Rhino) into a Java application (to be able to script that application), how would one go about restricting the Java packages that are available to scripts? For example, only "java.lang.*" should be accessible.
Rhino: restrict Java packages that can be accessed from JavaScript
A method for blocking access to certain packages and classes (including through reflection) in Rhino is described here. The important interface is ClassShutter which provides access control for Rhino's LiveConnect support.
Ironically, the link to codeutopia.net about blocking access is returning 403 Forbidden for me –
Satterwhite
how about just saying:
java = undefined; com = undefined; Packages = undefined;
in an initial script which is loaded first.
Interesting approach, probably works if you want to turn off all access to Java (not just specific packages). On the other hand, you could probably still do
obj.getClass().forName("a.b.c.TheClass").newInstance() for any object that you have in the interpreter scope. –
Byrne @Byrne no if your objects are javascript objects (which is what you should do ) –
Terror
That is a bad idea as JavaScript methods appear to call
java.io functions which will then fail if they can't find the java class. Try evaluating print("Hello World"); after undefining java and see where it gets you - TypeError: Cannot read property "io" from undefined. –
Printable © 2022 - 2024 — McMap. All rights reserved.