From: Liam C. <lsc...@gm...> - 2018-12-13 12:27:50
|
---------- Forwarded message --------- From: Liam Coughlin <lsc...@gm...> Date: Wed, Dec 12, 2018 at 11:57 PM Subject: Re: [Jython-users] embedding jython To: <jem...@fr...> It got me a good chunk of where I needed to go. I can effectively manage access to java Classes, and return bytecodefiddled classes that deny access to certain methods etc. so this got me 90% of the way there. Now I'm left with 2 issues relating to the fact that my scripts are stored in a persistence tier and I would much rather _not_ jump through hoops echoing things to the local filesystem. The first issue is that I would like to not be constantly recompiling my scripts when a JVM starts up. There seems to be a way for me to hook into the compilation chain capture the bytecode and restart the compilation chain from Py.makeClass() somewhere. It will be hacky, but it will be doable. The second issue is a little more head scratchy. I read through the jython book, cp. 8, Advanced Import Manipulation / Import Hooks. It seems you can manipulate the import system quite a bit, but there doesn't seem to be a default way add a custom resource resolver or whatever so that I can pull my scripts from memory to be imported rather then off the filesystem somewhere. I feel like I can probably attach this functionality into my custom class loader, but I also feel like I might be missing something here, so I thought I would ask. Cheers -L On Tue, Dec 11, 2018 at 5:50 PM <jem...@fr...> wrote: > What I have done to limit which Java classes Jython code can access is to > set the classloader that jython uses: > > PySystemState.initialize(properties,postProps, > new String[]{""}, getClassLoaderForJython()); > > > Maybe this can help you, but it's probably not as secure as you need. It > isn't as fine grained as a running with a custom SecurityManager. I don't > see in the Jython source any opportunity to run with a SecurityManager > other than the system-wide one. > > > > On Tue, 11 Dec 2018 13:28:57 +0100, Liam Coughlin <lsc...@gm...> > wrote: > > Hello folks, > > Maybe its just that my google skills are failing me, but Im having > > trouble finding guidance for my use case embedding jython. > > Essentially, I would like to use jython as an embedded scripting > language > > within my application. That said, my application has fairly strict > > security and privacy constraints ( think HIPAA and PCI ) and the scripts > > will be provided by end-users of a multi-tenant application. To that > > end I would like to be able to impose security constraints on what java > > classes jython scripts can import, and what methods of java classes > > jython scripts can call ( depending on caller context, or user idenity > > etc. ) > > In another world, I modified groovys runtime MetaClassHandle to inject > > security checks into every pass through the MOP. This allowed me to > > save compiled groovy code, and then just instantiate the compiled groovy > > code and execute it. > > It seems like I could do this with jythons PyAdapter class or something > > like that, or perhaps by overriding the classloader that is passed in to > > the systemstate when you instantiate an interpreter. Does this sound > > like im on the right course? > > > > Ideally, I would like to compile my python scripts load them as classes > > and have my security checks inserted/executed at runtime. I would like > > to be able pre-compile things, and save the bytecode rather then having > > to compile at system start time, or compile on demand, but beggars cant > > really be choosers here -- Im more interested in whats possible then > > whats ideal at this point. > > > > In any case I cant seem to find a definitive guide on how to control > > exposure of java elements to jython - everything seems to be geared > > towards exposing jython objects to java which is the reverse of my use > > case. > > Any advice, links or any help at all really would be greatly > appreciated. > > Thanks-L > > |