Hi folks,
Suppose I build a SOAP service that runs Jelly scripts (i.e. the client
calls the service/method and passes in the Jelly script to be executed). I
want the client to be able to use core Jelly tags but I don't want them to
do things like:
<j:new className="my.choice.of.destructive.Classes" action="deleteStuff" />
How can I control the environment / class access?
I tried this:
context.setClassLoader(new MyLoader());
with the loader class like so to filter out classes I want to allow:
public class MyLoader extends ClassLoader {
    public Class loadClass(String name) throws ClassNotFoundException {
        // Log every class name requested through this loader
        System.out.println("loading class = " + name);
        // Allow only classes under the Jelly tags package; refuse everything else
        if (name.startsWith("org.apache.commons.jelly.tags."))
            return super.loadClass(name);
        else
            throw new ClassNotFoundException("Class not authorized");
    }
}
but the only classes this loader loads are:
org.apache.commons.jelly.tags.define.DefineTagLibrary
org.apache.commons.jelly.tags.core.CoreTagLibrary
Any ideas?
Thanks.
Daryl Stultz
_____________________________________
6 Degrees Software and Consulting, Inc.
http://www.6degrees.com
mailto:[EMAIL PROTECTED]
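
An added example, not part of the original post and not Jelly code: a JDK-only sketch of why a delegating allowlist loader like MyLoader only ever sees the names that are explicitly requested through it. The class names FilterLoaderDemo and AllowlistLoader and the "java.util." prefix are assumptions chosen for illustration; whether Jelly's j:new consults the context class loader is not established on this page.

```java
import java.util.ArrayList;
import java.util.List;

public class FilterLoaderDemo {
    // Allowlist loader in the style of MyLoader; records every name it is asked for.
    static class AllowlistLoader extends ClassLoader {
        final List<String> requested = new ArrayList<>();
        private final String allowedPrefix;
        AllowlistLoader(ClassLoader parent, String allowedPrefix) {
            super(parent);
            this.allowedPrefix = allowedPrefix;
        }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            requested.add(name);
            if (!name.startsWith(allowedPrefix)) {
                throw new ClassNotFoundException("Class not authorized: " + name);
            }
            return super.loadClass(name, resolve); // a parent loader defines the class
        }
    }

    public static void main(String[] args) throws Exception {
        AllowlistLoader loader = new AllowlistLoader(
                FilterLoaderDemo.class.getClassLoader(), "java.util.");

        // 1. An explicit request through the filter for an allowed name succeeds.
        Class<?> allowed = loader.loadClass("java.util.concurrent.ConcurrentHashMap");
        allowed.getDeclaredConstructor().newInstance(); // links its dependencies

        // 2. The class was defined by a parent loader (bootstrap, reported as null),
        //    so everything it references is resolved there, never via the filter.
        System.out.println("defining loader: " + allowed.getClassLoader());

        // 3. An explicit request for a name outside the allowlist is refused.
        try {
            loader.loadClass("java.io.File");
        } catch (ClassNotFoundException e) {
            System.out.println("denied: " + e.getMessage());
        }

        // 4. Code that does not ask this loader is not filtered at all.
        System.out.println("bypass: " + Class.forName("java.io.File").getName());

        // Only the two explicit requests were ever seen by the filter.
        System.out.println("filter saw: " + loader.requested);
    }
}
```

Because the filter is only an initiating loader, it constrains callers that choose to ask it; it is not a sandbox for code that resolves classes some other way.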