Thread: [Jython-users] restricting java classes access in jython

Brought to you by: bckfnn, bwarsaw, bzimmer, cgroves, and 4 others

jython-users

[Jython-users] restricting java classes access in jython

From: Tait L. <ta...@we...> - 2001-05-02 05:38:05

I'm experimenting with building a jython interpreter into our java
platform.  The our java platform implements the business logic of a web
application.

I'd like to restrict  the jython interpreter so that it can only
directly access specific classes currently available in the running
jvm.  I could then build a web front end to the PythonInterpreter class
and have a powerful and -- with a well written api -- a safe scripting
interface to our platform. 

How can I restrict the java classes which the PythonInterpreter class'
exec and eval methods recognize.

Thanks,

Tait

Re: [Jython-users] restricting java classes access in jython

From: Adam B. <sir...@ya...> - 2001-05-02 06:18:02

On a related note, is there any way to take advantage
of the java security system to make (untrusted) python
code run in an environment similar to that given to
applets? That is, no access to the disk drive, etc.
I'm sure I'm not the only one using jython as an
unrtusted extension language... having security
guarantees would be magnifique.

Adam

--- Tait Larson <ta...@we...> wrote:
> I'm experimenting with building a jython interpreter
> into our java
> platform.  The our java platform implements the
> business logic of a web
> application.
> 
> I'd like to restrict  the jython interpreter so that
> it can only
> directly access specific classes currently available
> in the running
> jvm.  I could then build a web front end to the
> PythonInterpreter class
> and have a powerful and -- with a well written api
> -- a safe scripting
> interface to our platform. 
> 
> How can I restrict the java classes which the
> PythonInterpreter class'
> exec and eval methods recognize.
> 
> Thanks,
> 
> Tait
> 
> _______________________________________________
> Jython-users mailing list
> Jyt...@li...
> http://lists.sourceforge.net/lists/listinfo/jython-users

__________________________________________________
Do You Yahoo!?
Yahoo! Auctions - buy the things you want at great prices
http://auctions.yahoo.com/

Re: [Jython-users] restricting java classes access in jython

From: Ben H. <Ben...@fi...> - 2001-05-03 08:41:48

This is totally what the Java 2 Security model aims to provide. When access
control is enabled, any prohibited operation will fail with a SecurityException.
A mini-howto (for Java 2):

You must have a security manager installed. The default one will do fine. use:
    -Djava.security.manager on the command line
    System.setSecurityManager(new SecurityManager()); from within code

The security policy is defined in java.policy in jre/lib/security. It consists
of grant clauses, each which has a codebase location, and the set of permissions
granted to code loaded from the place.

You need to add 2 new grant clauses. One for the python interpreter, ie
jython.jar, allowing the operations for scripts. And one for your normal trusted
code, ie your app, allowing full permissions, (I guess). The reason this second
one is now required is that a SecutiryManager is installed.

Details of policy filew sysntax and available permisisons is in the Java
Security Architecture doc, bundled with the 1.3 Java Docs

Good luck,
Ben


----- Original Message -----
From: "Adam Berger" <sir...@ya...>
To: <jyt...@li...>
Sent: Wednesday, May 02, 2001 7:18 AM
Subject: Re: [Jython-users] restricting java classes access in jython


> On a related note, is there any way to take advantage
> of the java security system to make (untrusted) python
> code run in an environment similar to that given to
> applets? That is, no access to the disk drive, etc.
> I'm sure I'm not the only one using jython as an
> unrtusted extension language... having security
> guarantees would be magnifique.
>
> Adam
>
> --- Tait Larson <ta...@we...> wrote:
> > I'm experimenting with building a jython interpreter
> > into our java
> > platform.  The our java platform implements the
> > business logic of a web
> > application.
> >
> > I'd like to restrict  the jython interpreter so that
> > it can only
> > directly access specific classes currently available
> > in the running
> > jvm.  I could then build a web front end to the
> > PythonInterpreter class
> > and have a powerful and -- with a well written api
> > -- a safe scripting
> > interface to our platform.
> >
> > How can I restrict the java classes which the
> > PythonInterpreter class'
> > exec and eval methods recognize.
> >
> > Thanks,
> >
> > Tait
> >
> > _______________________________________________
> > Jython-users mailing list
> > Jyt...@li...
> > http://lists.sourceforge.net/lists/listinfo/jython-users
>
> __________________________________________________
> Do You Yahoo!?
> Yahoo! Auctions - buy the things you want at great prices
> http://auctions.yahoo.com/
>
> _______________________________________________
> Jython-users mailing list
> Jyt...@li...
> http://lists.sourceforge.net/lists/listinfo/jython-users
>