Posted to user@commons.apache.org by Woonsan Ko <wo...@apache.org> on 2017/10/19 14:09:00 UTC

[JEXL] white list classes, not by interfaces?

Hi,

I'm experimenting with JexlSandbox (for blackbox mode) of v3.1 like
the following example:

    JexlSandbox sandbox = new JexlSandbox(false);
    sandbox.white(IFoo.class.getName());
    // ...
    JexlEngine engine = new JexlBuilder().sandbox(sandbox).create();

But if I put an instance of FooImpl (implementing IFoo interface) for
instance, the JEXL interpreter doesn't seem to be able to resolve
IFoo's methods. If I add FooImpl.class.getName() to the white list,
then it starts resolving the method call without a problem.
So, I assume the sandbox permission handling might be checking the
implementation class name only. Is it true? If so, wouldn't it be nice
if it can check its interfaces as well?
When providing an interpreting env using JEXL, I think it's very
common to separate the interfaces from various implementations.

Regards,

Woonsan

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@commons.apache.org
For additional commands, e-mail: user-help@commons.apache.org
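
Added example, not part of the original messages and not JEXL's own code: a plain-Java sketch of the difference between a name-only allow-list check and one that also walks interfaces and superclasses. The class InterfaceAllowList and the methods greet and internalState are hypothetical; only the IFoo and FooImpl names come from the message.

```java
import java.lang.reflect.Method;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashSet;
import java.util.Set;

public class InterfaceAllowList {
    // Hypothetical types mirroring the IFoo / FooImpl names in the message.
    public interface IFoo { String greet(); }
    public static class FooImpl implements IFoo {
        public String greet() { return "hello"; }
        public String internalState() { return "not part of IFoo"; }
    }

    private final Set<String> allowed = new HashSet<>();

    public void allow(String className) { allowed.add(className); }

    // Name-only check, as the message assumes: the concrete class must be listed.
    public boolean permitsByClassName(Object target) {
        return allowed.contains(target.getClass().getName());
    }

    // Hierarchy-aware check: permit a method only when an allow-listed type
    // (the class itself, a superclass, or an interface) exposes it publicly.
    public boolean permits(Object target, String methodName) {
        Deque<Class<?>> pending = new ArrayDeque<>();
        Set<Class<?>> seen = new HashSet<>();
        pending.push(target.getClass());
        while (!pending.isEmpty()) {
            Class<?> type = pending.pop();
            if (!seen.add(type)) continue;
            if (allowed.contains(type.getName()) && exposes(type, methodName)) return true;
            if (type.getSuperclass() != null) pending.push(type.getSuperclass());
            for (Class<?> itf : type.getInterfaces()) pending.push(itf);
        }
        return false;
    }

    private static boolean exposes(Class<?> type, String methodName) {
        for (Method m : type.getMethods()) {
            if (m.getName().equals(methodName)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        InterfaceAllowList list = new InterfaceAllowList();
        list.allow(IFoo.class.getName());
        Object foo = new FooImpl();
        System.out.println(list.permitsByClassName(foo));
        System.out.println(list.permits(foo, "greet"));
        System.out.println(list.permits(foo, "internalState"));
    }
}
```

With only IFoo listed, the name-only check rejects the FooImpl instance, while the hierarchy-aware check permits greet and still rejects internalState, so listing an interface does not expose the implementation's extra public methods.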


Re: [JEXL] white list classes, not by interfaces?

Posted by Woonsan Ko <wo...@apache.org>.
I've created a ticket for this:
- https://issues.apache.org/jira/browse/JEXL-253

Cheers,

Woonsan


On Thu, Oct 19, 2017 at 10:09 AM, Woonsan Ko <wo...@apache.org> wrote:
> Hi,
>
> I'm experimenting with JexlSandbox (for blackbox mode) of v3.1 like
> the following example:
>
>     JexlSandbox sandbox = new JexlSandbox(false);
>     sandbox.white(IFoo.class.getName());
>     // ...
>     JexlEngine engine = new JexlBuilder().sandbox(sandbox).create();
>
> But if I put an instance of FooImpl (implementing IFoo interface) for
> instance, the JEXL interpreter doesn't seem to be able to resolve
> IFoo's methods. If I add FooImpl.class.getName() to the white list,
> then it starts resolving the method call without a problem.
> So, I assume the sandbox permission handling might be checking the
> implementation class name only. Is it true? If so, wouldn't it be nice
> if it can check its interfaces as well?
> When providing an interpreting env using JEXL, I think it's very
> common to separate the interfaces from various implementations.
>
> Regards,
>
> Woonsan
