I'm putting a couple of pieces together here that weren't in one place. When introducing the Rhino JavaScript engine into our code, we wanted to lock down its access. Java 6 hides the internal Rhino context well enough that I couldn't figure out how to get at it. So, to restrict access to a given set of classes when running untrusted JavaScript inside the JVM, you need to start up your own Rhino context, then hook in the filter.
The useRhinoDirectly() method gives a Rhino context in which we can set up a class filter:
http://stackoverflow.com/questions/4639892/whats-the-difference-between-java-6s-built-in-version-of-rhino-and-the-rhino-pa
Building the class filter is easier standing on someone else's shoulders. This example blocks access to static methods:
http://riven8192.blogspot.com/2010/07/java-rhino-fine-grained-classshutter.html
(Not sure which Text class this was using, but String.split() seemed to do the job.)
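The two pieces put together, as an added example that is not code from this post or from either linked page: a stand-alone Rhino context with an allow-list `ClassShutter` hooked in. It assumes the stand-alone Rhino jar (`org.mozilla.javascript`) is on the classpath; the class name `ShutteredRhino`, the allow-list contents and the sample scripts are constructed for illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.mozilla.javascript.ClassShutter;
import org.mozilla.javascript.Context;
import org.mozilla.javascript.RhinoException;
import org.mozilla.javascript.Scriptable;

public class ShutteredRhino {
    // Constructed allow-list: only these exact class names are visible to scripts.
    private static final Set<String> ALLOWED = new HashSet<String>(Arrays.asList(
            "java.lang.String",
            "java.util.ArrayList"));

    static Object run(String source) {
        // Our own context, not the one hidden inside javax.script.
        Context cx = Context.enter();
        try {
            // Rhino accepts a shutter once per Context; a second call
            // throws SecurityException, so set it before running anything.
            cx.setClassShutter(new ClassShutter() {
                public boolean visibleToScripts(String fullClassName) {
                    return ALLOWED.contains(fullClassName);
                }
            });
            Scriptable scope = cx.initStandardObjects();
            return cx.evaluateString(scope, source, "untrusted.js", 1, null);
        } finally {
            Context.exit();
        }
    }

    public static void main(String[] args) {
        // Allowed class: the script can construct and use it.
        System.out.println(run(
                "var l = new java.util.ArrayList(); l.add('a'); l.size()"));

        // Class not on the allow-list: Rhino never resolves it to a Java
        // class, so the call fails with a script error instead of running.
        try {
            run("java.lang.System.exit(1)");
        } catch (RhinoException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The shutter decides per class name only, so anything reachable through an allowed class is still reachable; the finer-grained filtering in the linked ClassShutter post addresses that.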