[Jython-users] Jython interpreter access from EJB (access denied)

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Hi jython-users.

I'm trying to implement a jython-based scripting service in the middle tier
of a J2EE application. I have a basic "test" setup consisting of:

1) A stateful EJB session bean deployed in the "standard" J2EE application
server,
2) A test client J2EE application, accessing that session bean, calling for
a simple script execution.

Setup 1) includes the jython.jar file, so the server should have access to
the jython class files. Also, my small test client app get as far as
obtaining the EJB object reference, but when it attempts to instantiate a
new jython interpreter, like this:

	JythonInterpreter interp = new JythonInterpreter();

it catches the following exception:

java.rmi.ServerException: RemoteException occurred in server thread; nested
exception is:
	java.rmi.RemoteException: Unknown Exception/Error thrown by EJB
method.; nested exception is:
		java.security.AccessControlException: access denied
(java.util.PropertyPermission * read,write)

--- I.e. I'm not even getting to execute an actual script.

Clearly, with a jython scripting engine server-side one could imagine all
kinds of not-so-funny things possible (which is why - I guess - I get the
security exception), but in my case all I really need to do have is
read-only access to the EJB's comprising my application (for validation
purposes).

Now, I have two questions:

- What is it more specifically that makes an instantiation of a new jython
interpreter cause a security exception?
- Is it at all reasonable (possible) to build a jython scripting service in
the middle-tier, as sketched above?

Thanks in advance!!!

Thomas