From: SourceForge.net <no...@so...> - 2005-12-28 07:20:00
Bugs item #1391767, was opened at 2005-12-27 23:20
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=112867&aid=1391767&group_id=12867

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Core
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Nobody/Anonymous (nobody)
Summary: Class level access control (security)

Initial Comment:
There is a way to implement security with Jython by using Java SecurityManager but it does not provide a means by which class level access control can be applied. Jython should provide some means by which the user of Jython can specify which Java classes should be available to scripts.

Preferably, it should provide an Interface that the interested users can implement. Jython should call a method (from this interface) like, visibleToScripts(fully qualified class/package name). If it returns true then the class should be visible to the scripts. If it returns false then the class should not be accessible to the script. Some form of caching can be implemented here to reduce multiple calls to visibleToScripts() for the same class.

I am not sure how complex this feature is to implement. On Jython mailing lists I have seen people saying that security wasn't in consideration while Jython development. But I feel these kinds of arguments should now be left behind. With the help of this proposed extension and with Java SecurityManager a good security model can be put in place while using Jython and would allow developers to use Jython even where security is a concern.

~ Neeraj

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=112867&aid=1391767&group_id=12867

From: SourceForge.net <no...@so...> - 2006-05-12 19:56:06
Bugs item #1391767, was opened at 2005-12-28 07:20
Message generated for change (Settings changed) made by fwierzbicki
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=112867&aid=1391767&group_id=12867

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Core
>Group: Deferred
Status: Open
Resolution: None
>Priority: 4
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Nobody/Anonymous (nobody)
Summary: Class level access control (security)

Initial Comment:
There is a way to implement security with Jython by using Java SecurityManager but it does not provide a means by which class level access control can be applied. Jython should provide some means by which the user of Jython can specify which Java classes should be available to scripts.

Preferably, it should provide an Interface that the interested users can implement. Jython should call a method (from this interface) like, visibleToScripts(fully qualified class/package name). If it returns true then the class should be visible to the scripts. If it returns false then the class should not be accessible to the script. Some form of caching can be implemented here to reduce multiple calls to visibleToScripts() for the same class.

I am not sure how complex this feature is to implement. On Jython mailing lists I have seen people saying that security wasn't in consideration while Jython development. But I feel these kinds of arguments should now be left behind. With the help of this proposed extension and with Java SecurityManager a good security model can be put in place while using Jython and would allow developers to use Jython even where security is a concern.

~ Neeraj

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=112867&aid=1391767&group_id=12867
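
The hook requested in the Initial Comment, sketched as an added example that is not part of the tracker thread and not Jython code: a default-deny `visibleToScripts` policy with cached decisions, enforced through a filtering class loader. Every type name except `visibleToScripts` is hypothetical, and the assumption is that the embedding application routes script class lookups through this loader.

```java
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class VisibilityDemo {
    public static void main(String[] args) throws Exception {
        // Constructed allow-list: one exact class and one package.
        ScriptVisibilityPolicy policy = new PrefixAllowList(List.of("java.lang.String", "java.util"));
        ClassLoader loader = new FilteringClassLoader(VisibilityDemo.class.getClassLoader(), policy);
        System.out.println("visible: " + loader.loadClass("java.util.ArrayList").getName());
        try {
            loader.loadClass("java.lang.Runtime"); // not on the allow-list
        } catch (ClassNotFoundException e) {
            System.out.println("hidden: " + e.getMessage());
        }
    }
}

/** Hypothetical hook from the request: is this Java class visible to scripts? */
interface ScriptVisibilityPolicy {
    boolean visibleToScripts(String fullyQualifiedName);
}

/** Allow-list by class or package name; anything not listed is hidden (default deny). */
final class PrefixAllowList implements ScriptVisibilityPolicy {
    private final List<String> allowed;
    PrefixAllowList(List<String> allowed) { this.allowed = List.copyOf(allowed); }
    @Override public boolean visibleToScripts(String name) {
        for (String p : allowed) {
            // Exact match or a true sub-package: "java.util" must not match "java.utilx.Foo".
            if (name.equals(p) || name.startsWith(p + ".")) return true;
        }
        return false;
    }
}

/** Consults the policy before delegating to the parent; each decision is cached per name. */
final class FilteringClassLoader extends ClassLoader {
    private final ScriptVisibilityPolicy policy;
    private final Map<String, Boolean> decisions = new ConcurrentHashMap<>();
    FilteringClassLoader(ClassLoader parent, ScriptVisibilityPolicy policy) {
        super(parent);
        this.policy = policy;
    }
    @Override protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
        if (!decisions.computeIfAbsent(name, policy::visibleToScripts)) {
            throw new ClassNotFoundException(name); // hidden classes look like missing ones
        }
        return super.loadClass(name, resolve);
    }
}
```

The loader filters lookups by name only; objects a script obtains from an allowed class are not re-checked, which is why the comment pairs the hook with Java SecurityManager rather than proposing it as a replacement.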