Re: [Jython-users] Fwd: embedding jython

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

I haven't done this, but here's how I'd go about it.  Use JavaImporter or
zipimporter as models to implement your own path_hook that you would add to
sys.path_hooks.  Implement find_module and load_module, and most
importantly get_data.  The import mechanism prefers loading byte code to
source code, so you should be able to store your compiled code instead of
your source.  I don't think the details you need to do this are documented
anywhere, so you'll need to read some of the Jython source. 
org.python.core.imp, org.python.core.util.importer, 
org..python.core.JavaImporter, org.python.modules.zipimport.*.  Turn on
verbose import printout.

On Thu, 13 Dec 2018 13:26:54 +0100, Liam Coughlin <lsc...@gm...>
wrote:
> ---------- Forwarded message ---------
> From: LIAM COUGHLIN 
> Date: Wed, Dec 12, 2018 at 11:57 PM
> Subject: Re: [Jython-users] embedding jython
> To: 
> 
> It got me a good chunk of where I needed to go.  I can effectively
> manage access to java Classes, and return bytecodefiddled classes that
> deny access to certain methods etc. so this got me 90% of the way there.
> 
> Now Im left with 2 issues relating to the fact that my scripts are
stored
> in a persistence tier and I would much rather _not_ jump through hoops
> echoing things to the local filesystem.  The first issue is that I would
> like to not be constantly recompiling my scripts when a JVM starts up. 
> There seems to be a way for me to hook into the compilation chain
capture
> the bytecode and restart the compilation chain from Py.makeClass()
> somewhere.   It will be hacky, but it will be doable.
> The second issue is a little more head scratchy.  I read through the
> jython book, cp. 8, Advanced Import Manipulation / Import Hooks.  It
> seems you can manipulate the import system quite a bit, but there doesnt
> seem to be a default way add a custom resource resolver or whatever so
> that I can pull my scripts from memory to be imported rather then off
the
> filesystem somewhere.
> I feel like I can probably attach this functionality into my custom
class
> loader, but I also feel like I might be missing something here, so I
> thought I would ask.
> Cheers-L
> 
> On Tue, Dec 11, 2018 at 5:50 PM  wrote:
> What I have done to limit which Java classes Jython code can access is
to
>  set the classloader that jython uses:
> 
>      PySystemState.initialize(properties,postProps,
>                               new String[]{""},
> getClassLoaderForJython());
> 
>  Maybe this can help you, but its probably not as secure as you need. It
>  isnt as fine grained as a running with a custom SecurityManager.  I
> dont
>  see in the Jython source any opportunity to run with a SecurityManager
>  other than the system-wide one. 
> 
>  On Tue, 11 Dec 2018 13:28:57 +0100, Liam Coughlin 
>  wrote:
>  > Hello folks,
>  > Maybe its just that my google skills are failing me, but Im having
>  > trouble finding guidance for my use case embedding jython.
>  > Essentially, I would like to use jython as an embedded scripting
>  language
>  > within my application.  That said, my application has fairly strict
>  > security and privacy constraints ( think HIPAA and PCI ) and the
> scripts
>  > will be provided by end-users of a multi-tenant application.  To that
>  > end I would like to be able to impose security constraints on what
> java
>  > classes jython scripts can import, and what methods of java classes
>  > jython scripts can call ( depending on caller context, or user
idenity
>  > etc. )
>  > In another world, I modified groovys runtime MetaClassHandle to
inject
>  > security checks into every pass through the MOP.  This allowed me to
>  > save compiled groovy code, and then just instantiate the compiled
> groovy
>  > code and execute it.
>  > It seems like I could do this with jythons PyAdapter class or
> something
>  > like that, or perhaps by overriding the classloader that is passed in
> to
>  > the systemstate when you instantiate an interpreter.  Does this sound
>  > like im on the right course?
>  > 
>  > Ideally, I would like to compile my python scripts load them as
> classes
>  > and have my security checks inserted/executed at runtime.  I would
> like
>  > to be able pre-compile things, and save the bytecode rather then
> having
>  > to compile at system start time, or compile on demand, but beggars
> cant
>  > really be choosers here -- Im more interested in whats possible then
>  > whats ideal at this point.
>  > 
>  > In any case I cant seem to find a definitive guide on how to control
>  > exposure of java elements to jython - everything seems to be geared
>  > towards exposing jython objects to java which is the reverse of my
use
>  > case.
>  > Any advice, links or any help at all really would be greatly
>  appreciated.
>  > Thanks-L
> 
>   
> 
> Links:
> ------
> [1] mailto:lsc...@gm...
> [2] mailto:jem...@fr...
> [3] mailto:jem...@fr...
> [4] mailto:lsc...@gm...