On 17 August, 10:23, RhinoUser95 Rhino <[email protected]> wrote:
> In fact, I have backported the API to work with the JDK 5. I don't use
> Rhino, provided with the JDK 6, but the version 1.6R7 downloaded on
> the Mozilla site.
>
> On 11 August, 19:27, Attila Szegedi <[email protected]> wrote:
>
> > Problem is, the Rhino bundled with Java 6 is a quite heavily modified
> > version and we don't know much about it. With plain Rhino, you'd be
> > able to use PolicySecurityController to enforce Java security policy
> > even on a per-script basis. I have no idea how much of these
> > mechanisms is actually exposed through the scripting API.
>
> > Attila.
>
> > On 2009.08.11., at 15:50, RhinoUser95 Rhino wrote:
>
> > > Hi everybody,
>
> > > Perhaps you know that since version 6 of Java, the JDK now provides
> > > a scripting API (javax.script) which enables the execution of
> > > different script languages, including JavaScript through Rhino. I
> > > currently work on the development of a web application which allows
> > > users to execute their own scripts. Of course we need to forbid
> > > the use of different packages for the security of our application.
> > > That's why we have thought to use the security property
> > > "access.package", available in the java.security file present in the
> > > JRE, which lists all packages which are banned in my class. This
> > > behaviour operates perfectly in my class but works partially when the
> > > script is interpreted through the method eval() of the same scripting
> > > API: in fact, among the "blacklisted" packages, only the packages from
> > > the JDK cause an exception during the instantiation of the objects.
> > > There are no exceptions when we instantiate objects from our own
> > > packages "com.foo", which are also "blacklisted" ;(
>
> > > My question is the following: Does Rhino have its own classloader to
> > > import the Java packages (through the method importPackage())? And
> > > if yes, why doesn't this same classloader call the security manager?
>
> > > I hope it's clear enough to understand my situation...
>
> > > Thank you in advance ;)
>
> > > Technical details: My application server is "weblogic 10.0"

I have the same problem even if I use the PolicySecurityController...

Moreover, the problem is present when my class is tested through WebLogic by a JEE application, but not when my class is used by a simple JSE application. Perhaps it is a problem at the level of WebLogic's classloader...

My question is the following: Does Rhino have its own classloader to import the Java packages (through the method importPackage())? And if yes, is it possible that this same classloader delegates the loading of a class to a parent loader, which can be WebLogic's classloader?

Thank you in advance ;)

_______________________________________________
dev-tech-js-engine-rhino mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-js-engine-rhino
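
An added example, not code from any poster in this thread or from the Rhino project: with plain Rhino (not the javax.script bundle), a `ClassShutter` set on the `Context` is consulted by Rhino itself before a Java class is exposed to a script, so the restriction does not depend on whether the class loader in use calls the security manager. `ClassShutter` is not mentioned in the thread; the class name `ShutterDemo`, the deny-list and the sample scripts are assumptions, and the Rhino jar is assumed to be on the classpath.

```java
import org.mozilla.javascript.ClassShutter;
import org.mozilla.javascript.Context;
import org.mozilla.javascript.ImporterTopLevel;
import org.mozilla.javascript.RhinoException;
import org.mozilla.javascript.Scriptable;

public class ShutterDemo {
    // Assumed deny-list for illustration; "com.foo." is the package named in the thread.
    private static final String[] DENIED = { "com.foo.", "java.io.", "java.lang.reflect." };

    // Rhino asks the shutter by fully qualified class name before it exposes
    // a Java class to a script, whichever class loader would load that class.
    static final ClassShutter SHUTTER = new ClassShutter() {
        public boolean visibleToScripts(String fullClassName) {
            for (String prefix : DENIED) {
                if (fullClassName.startsWith(prefix)) {
                    return false;
                }
            }
            return true;
        }
    };

    // Evaluates one script in a fresh scope; returns its result as text,
    // or the Rhino error message if the script failed.
    static String run(String source) {
        Context cx = Context.enter();
        try {
            cx.setClassShutter(SHUTTER);
            // ImporterTopLevel provides importPackage()/importClass() to the script.
            Scriptable scope = new ImporterTopLevel(cx);
            Object result = cx.evaluateString(scope, source, "user-script", 1, null);
            return "ok: " + Context.toString(result);
        } catch (RhinoException e) {
            return "rejected: " + e.getMessage();
        } finally {
            Context.exit();
        }
    }

    public static void main(String[] args) {
        // Constructed sample scripts: one allowed class, two attempts on a denied package.
        System.out.println(run("java.lang.Integer.parseInt('42')"));
        System.out.println(run("new java.io.File('/tmp/x').exists()"));
        System.out.println(run("importPackage(java.io); new File('/tmp/x').exists()"));
    }
}
```

A denied class is simply not resolved, so the script fails with an ordinary script error instead of a `SecurityException`; an allow-list of prefixes is the stricter form of the same check.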
