堆栈内存溢出
  简体   繁体   English

java表达式语言,无法访问'不安全'的java方法

[英]java expression language that can't access 'unsafe' java methods

 原文  2009-06-27 02:03:33       java/ scripting

问题描述

I am working on a project where I will let users submit small 'scripts' to the server, and I will execute those scripts. 我正在开展一个项目,我将让用户向服务器提交小“脚本”,然后我将执行这些脚本。 There are many scripting languages which can be embedded into a Java program, such as mvel, ognl, uel, clojure, rhino javascript, etc., but, as far as I can tell, they all allow script writer to call Java constructors, static methods, etc. 有许多脚本语言可以嵌入到Java程序中,例如mvel,ognl,uel,clojure,rhino javascript等,但据我所知,它们都允许脚本编写者调用Java构造函数,静态方法等

I don't want my users to be able to call anything which I don't provide them (usually through some sort of context object). 我不希望我的用户能够调用任何我没有提供它们的东西(通常通过某种上下文对象)。 Most of their scripts will be arithmetic and logical expressions, in some cases they will need to traverse object properties (getters/setters) or contents of a Map. 他们的大多数脚本都是算术和逻辑表达式,在某些情况下,他们需要遍历对象属性(getter / setter)或Map的内容。 I just don't want them to escape the sandbox I provide them. 我只是不希望他们逃离我提供的沙箱。

Any suggestions? 有什么建议?

3 个解决方案

解决方案1
 2 已采纳  2009-06-27 02:51:17

我认为你可以通过使用安全 策略来实现这一目标

解决方案2
 2  2009-12-17 11:59:36

Just : 只是: 

  //Remember old one
  ClassLoader orginalClassLoader = Thread.currentThread().getContextClassLoader();
  //Set my classloader
  ClassLoader myClassLoader = new SecureMVELClassLoader();
  Thread.currentThread().setContextClassLoader(myClassLoader);

  System.out.println(MVEL.eval("new com.myapp.insecure.InsecureClass()"));
  //Set back to original classloader
  Thread.currentThread().setContextClassLoader(orginalClassLoader);

and in my classLoader 在我的classLoader中 

public class SecureMVELClassLoader extends ClassLoader {


 @Override
 public Class<?> loadClass(String name) throws ClassNotFoundException {
        //some filter logic here
  if (name.startsWith("com.myapp.insecure.")) throw new ClassNotFoundException();
  return super.loadClass(name);
 }

解决方案3
 1  2009-06-27 02:08:17

Constructing a functioning sandbox is difficult. 构建一个功能正常的沙箱很困难。 What you can do use a custom class loader that only allows lookups to a select few types from its parent. 你可以做的是使用一个自定义类加载器,它只允许从父类中选择几种类型。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 表达式语言无法访问getter方法 - Expression language can't access getter methods 无法访问Java泛型类的方法 - Can't access methods of a java generics class 无法从Java中的ArrayList访问对象的方法 - Can't access an object's methods from an ArrayList in Java 访问实例字段和方法的Java 8 lambda无法反序列化 - Java 8 lambdas that access instance fields and methods can't be deserialized 在Java中继承,无法访问子类函数/方法 - Inheritance in Java, can't access subclass functions/methods 可以将xtext用作Java中的一种表达语言吗? - Can xtext be used as an expression language within Java? 无法在Java中访问View对象(Android)的公共方法 - Can't Access Public Methods of View Object(Android) in Java 为什么我的程序不能访问Java中的数学方法? - Why can't my program access the math methods in Java? Java无法从类实例访问类方法 - Java can't access class methods from class instance Java表达式语言:插值? - Java Expression Language : Interpolation?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM