You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@groovy.apache.org by "Paul King (JIRA)" <ji...@apache.org> on 2016/06/02 04:40:59 UTC
[jira] [Comment Edited] (GROOVY-3032) GroovyScriptEngine needs
SecurityPermissions
[ https://issues.apache.org/jira/browse/GROOVY-3032?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14466473#comment-14466473 ]
Paul King edited comment on GROOVY-3032 at 6/2/16 4:40 AM:
-----------------------------------------------------------
ok i've managed to do it:
{code}
Subject.doAsPrivileged(subject, new PrivilegedAction<Object>() {
public Object run() {
try {
Class<?> clz = engine.loadScriptByName(argHolder.command);
MudPermission permission = new MudPermission(clz.getName());
AccessController.checkPermission(permission);
return doCommand(argHolder.command, argHolder.args, player);
} catch (ResourceException e) {
logger.error(e, e);
} catch (ScriptException e) {
logger.error(e, e);
}
return null;
}
}, null);
...
{code}
where doCommand actually calls gSE.run(..);
... I still thing the GSE should do this check for you by providing some sort of AccessScriptPermission object, and the checkPermssion called in the GSE.
was (Author: matt.corby):
ok i've managed to do it:
[code]
Subject.doAsPrivileged(subject, new PrivilegedAction<Object>() {
public Object run() {
try {
Class<?> clz = engine.loadScriptByName(argHolder.command);
MudPermission permission = new MudPermission(clz.getName());
AccessController.checkPermission(permission);
return doCommand(argHolder.command, argHolder.args, player);
} catch (ResourceException e) {
logger.error(e, e);
} catch (ScriptException e) {
logger.error(e, e);
}
return null;
}
}, null);
...
[/code]
where doCommand actually calls gSE.run(..);
... I still thing the GSE should do this check for you by providing some sort of AccessScriptPermission object, and the checkPermssion called in the GSE.
> GroovyScriptEngine needs SecurityPermissions
> --------------------------------------------
>
> Key: GROOVY-3032
> URL: https://issues.apache.org/jira/browse/GROOVY-3032
> Project: Groovy
> Issue Type: Improvement
> Components: GroovyScriptEngine
> Affects Versions: 1.5.6
> Environment: Any
> Reporter: Matthew Corby-Eaglen
> Priority: Minor
> Attachments: groovysecurity.diff
>
>
> The GroovyScriptEngine requires some means of preventing certain objects from running certain scripts. This would be useful for multi-user environments who can log in and execute scripts via the shell.
> An external wrapper would not work well because the GSE resolves scripts at run time, and the URL of the scripts cannot be exposed before hand.
> I suppose a change at the Script object level might be more appropriate, but this would be effective.
> Patch included.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)