Prohibit scripts from accessing specific Java classes using Java security Manager

1k views Asked by At

I'm already using Java 8 and it's Nashorn javascript engine. And In my application I access javaScript script files from Java classess for various purposes. And yet it's possible to access Java classes from javaScript codes as well. But since the JavaScripts in my applications can be written by a third party also, I want to restrict them(JS scripts) from accessing the Java modules. (Specifically prohibit some of the Java classes)

I do not want to restrict all the access to Java classes, just looking for a way to restrict or prohibit some specific java classes.

In Nashorn we can do this by using ClassFilters (overiding 'exposeToScripts()' method) as below.

class MyCF implements ClassFilter {
    @Override
    public boolean exposeToScripts(String s) {
      if (s.compareTo("myPackage.MyClass") == 0) return false;
      return true;
    }
}

But how can we use Java Security Manager to do the same thing, or is the way using a ClassFilter (mentioned above) enough to catch and restrict all unwanted Java class access.

1

There are 1 answers

4
A. Sundararajan On

ClassFilter is not a replacement for security manager! The ClassFilter JEP page -> http://openjdk.java.net/jeps/202 makes this clear in the non goals section:

/[This does not] Make security managers redundant for scripts. Embedding applications should still turn on security management before evaluating scripts from untrusted sources. Class filtering alone will not provide a complete script "sandbox."/

ClassFilter is finer control over and above the security manager. For example, you can avoid thread creation from scripts by preventing access to java.lang.Thread class [and it's subclasses by name].