12

When embedding a JavaScript interpreter (Rhino) into a Java application (to be able to script that application), how would one go about restricting the Java packages that are available to scripts? For example, only "java.lang.*" should be accessible.

womp
Thilo

2 Answers

9

A method for blocking access to certain packages and classes (including through reflection) in Rhino is described here. The important interface is `ClassShutter`, which provides access control for Rhino's LiveConnect support.

Dave Ray
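
A minimal `ClassShutter` for the policy in the question, as an added example rather than code from the answer above or the page it links to. The class name `ShutterDemo`, the `run` helper and the sample scripts are constructed for illustration, and it assumes Rhino is on the classpath and that "java.lang.*" means classes directly in `java.lang`, not its sub-packages.

```java
import org.mozilla.javascript.ClassShutter;
import org.mozilla.javascript.Context;
import org.mozilla.javascript.RhinoException;
import org.mozilla.javascript.Scriptable;

public class ShutterDemo {
    private static final String ALLOWED = "java.lang.";

    // Allow-list policy: Rhino asks the shutter for every Java class a script
    // touches. Only classes directly in java.lang pass; java.lang.reflect and
    // other sub-packages are rejected because of the extra dot in their names.
    static final ClassShutter JAVA_LANG_ONLY = fullClassName ->
            fullClassName.startsWith(ALLOWED)
            && fullClassName.indexOf('.', ALLOWED.length()) < 0;

    // Evaluates one script in a fresh Context with the shutter installed.
    static String run(String script) {
        Context cx = Context.enter();
        try {
            // Install the shutter before any script is evaluated;
            // a Context accepts a ClassShutter only once.
            cx.setClassShutter(JAVA_LANG_ONLY);
            Scriptable scope = cx.initStandardObjects();
            Object result = cx.evaluateString(scope, script, "<constructed>", 1, null);
            return "ok: " + Context.toString(result);
        } catch (RhinoException e) {
            // Script errors, including use of a class the shutter hides, end up here.
            return "rejected: " + e.getMessage();
        } finally {
            Context.exit();
        }
    }

    public static void main(String[] args) {
        // Constructed sample scripts: the first stays inside java.lang,
        // the second reaches for a class outside the allow-list.
        System.out.println(run("java.lang.Integer.parseInt('42') + 1"));
        System.out.println(run("new java.io.File('/tmp').exists()"));
    }
}
```

The shutter is also consulted for the runtime class of objects the host application places in the script scope, so those classes have to pass the same allow-list.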
1

How about just saying:

    java = undefined; com = undefined; Packages = undefined;

in an initial script which is loaded first.

chacko
  • Interesting approach, probably works if you want to turn off *all* access to Java (not just specific packages). On the other hand, you could probably still do `obj.getClass().forName("a.b.c.TheClass").newInstance()` for any object that you have in the interpreter scope. – Thilo Mar 16 '11 at 01:46
  • @Thilo no, if your objects are JavaScript objects (which is what you should do) – Zo72 Jul 16 '13 at 16:43
  • That is a bad idea as JavaScript methods appear to call `java.io` functions which will then fail if they can't find the `java` class. Try evaluating `print("Hello World");` after undefining `java` and see where it gets you - `TypeError: Cannot read property "io" from undefined`. – chrixm Sep 14 '15 at 05:27