From: James C. <ji...@mi...> - 2003-05-28 16:43:28

I'm also interested in trying to let users enter their own python (even if it's just math expressions) and would love to keep my server secure. My impression is that it's not possible at the moment.

-Jim

> Hello,
>
> I'm going to embed jython in our server application and I would like to give
> users the ability to write customer extensions without compromising the
> overall security.
>
> I have the following questions:
>
> a) How can I restrict the "java classpath" of jython script? I do not want the
> script to be able to import any class from main java application classpath. I
> would like to give him access only to selected subset of classes.
>
> b) How can I prevent jython script from using static methods and fields from
> the main java application (if a) is not possible then I have to stop them
> from messing around with that).
>
> Super-good would be if I could run the jython script in some kind of sandbox
> where I set the rules and script is prohibited from going "outside" of the
> box.
>
> I would appreciate your help,
> Krzysztof

From: Jeff E. <JEm...@lg...> - 2003-05-28 17:37:55

It's probably most secure to run the interpreter in a separate JVM where you had set the security policy, but this makes communication between the interpreter JVM and your server more difficult. You also might try writing a SecurityManager that allows different permissions for code executed by the interpreter.

From: Cherney John-C. <Joh...@mo...> - 2003-05-28 18:12:40

Is there a way to do this using different classloaders?

jwc
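
One way to read the class loader question against Krzysztof's point (a), as an added example that is not code from the thread or from Jython: a deny-by-default loader that resolves only allowlisted names. It assumes the embedding makes this the loader the interpreter uses for Java imports; the class name and allowlist entries are hypothetical.

```java
import java.util.Set;

// Added example, not code from the thread. Class name, allowlist entries and
// the sample lookups in main() are constructed for illustration.
public class AllowlistClassLoader extends ClassLoader {
    private final Set<String> allowedClasses;   // exact class names
    private final Set<String> allowedPrefixes;  // package prefixes ending in '.', subpackages included

    public AllowlistClassLoader(ClassLoader parent, Set<String> allowedClasses,
                                Set<String> allowedPrefixes) {
        super(parent);
        this.allowedClasses = Set.copyOf(allowedClasses);
        this.allowedPrefixes = Set.copyOf(allowedPrefixes);
    }

    // Deny by default: a name is visible only if listed exactly or under a listed package.
    public boolean isAllowed(String name) {
        if (allowedClasses.contains(name)) {
            return true;
        }
        for (String prefix : allowedPrefixes) {
            if (name.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    @Override
    protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
        // Check before delegating, otherwise the parent would resolve any host class.
        if (!isAllowed(name)) {
            throw new ClassNotFoundException("not on script allowlist: " + name);
        }
        return super.loadClass(name, resolve);
    }

    public static void main(String[] args) throws Exception {
        ClassLoader scriptLoader = new AllowlistClassLoader(
                AllowlistClassLoader.class.getClassLoader(),
                Set.of("java.lang.Math"), Set.of("java.util."));
        System.out.println(scriptLoader.loadClass("java.lang.Math"));
        System.out.println(scriptLoader.loadClass("java.util.ArrayList"));
        for (String denied : new String[] {"java.lang.Runtime", "java.io.File"}) {
            try {
                scriptLoader.loadClass(denied);
            } catch (ClassNotFoundException e) {
                System.out.println(e.getMessage());
            }
        }
    }
}
```

The filter covers only lookups by name that go through this loader. Any object the host hands to the script still exposes its class and, through reflection, that class's own loader, so it addresses question (a) and not, on its own, question (b).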