You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@commons.apache.org by Woonsan Ko <wo...@apache.org> on 2018/01/25 16:54:51 UTC

Re: [JEXL] white list classes, not by interfaces?

I've created a ticket for this:
- https://issues.apache.org/jira/browse/JEXL-253

Cheers,

Woonsan


On Thu, Oct 19, 2017 at 10:09 AM, Woonsan Ko <wo...@apache.org> wrote:
> Hi,
>
> I'm experimenting it with JexlSandbox (for blackbox mode) of v3.1 like
> the following example:
>
>     JexlSandbox sandbox = new JexlSandbox(false);
>     sandbox.white(IFoo.class.getName());
>     // ...
>     JexlEngine engine = new JexlBuilder().sandbox(sandbox).create();
>
> But if I put an instance of FooImpl (implementing IFoo interface) for
> instance, the JEXL interpreter doesn't seem to be able to resolve
> IFoo's methods. If I add FooImpl.class.getName() to the white list,
> then it starts resolving the method call without a problem.
> So, I assume the sandbox permission handling might be checking the
> implementation class name only. Is it true? If so, wouldn't it be nice
> if it can check its interfaces as well?
> When providing an interpreting env using JEXL, I think it's very
> common to separate the interfaces from various implementations.
>
> Regards,
>
> Woonsan

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@commons.apache.org
For additional commands, e-mail: user-help@commons.apache.org