Rhino itself doesn't need many permissions; most notably you'll need

    java.security.RuntimePermission "getClassLoader"
    java.security.PropertyPermission "line.separator", "read"

Additionally, if you're using compiled mode (where it generates classes) instead of interpreted mode, *or* you're using PolicySecurityController (you probably do) you'll also need:

    java.security.RuntimePermission "createClassLoader"

If you are using compiled mode, but you do not use PolicySecurityController, you'll also need

    java.security.RuntimePermission "getProtectionDomain"

If you run into another one missing, please report it to us!

If you want to further refine things, you can have scripts run with different permissions than the engine itself. To do that, install an instance of PolicySecurityController into your Contexts as the Rhino security controller, then when you're compiling scripts, pass a java.security.CodeSource object as the last argument to the Context.compileXxx() method you're using. Now you can specify java.policy entries for .js files too! The PolicySecurityController will assign them permissions based on their CodeSource and the java.policy - this works both for compiled and interpreted mode. Of course, it's your trusted code that calls Context.compileXxx() so make sure you're creating correct CodeSource objects; their validity is trusted.

Hope that helps.
Attila.

--
home: http://www.szegedi.org
twitter: http://twitter.com/szegedi
weblog: http://constc.blogspot.com

On 2010.02.13., at 3:35, Tony Zakula wrote:

> I am kind of new to Rhino. I am using a Rhino-based scripting
> framework in a servlet environment. I would like to run untrusted
> JavaScript code and so would like to restrict the code with a security
> manager. Does anyone have a basic security policy file to start with,
> or a list of permissions Rhino needs? Or maybe a suggestion about how
> to go about accomplishing this? Thanks for any advice.
> Tony
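
The setup described in the message above, as an added example that is not part of the original message or the Rhino project's own code. The jar and script paths, the policy file name and the class name SandboxedScriptRunner are hypothetical, the policy uses the JDK's class names java.lang.RuntimePermission and java.util.PropertyPermission, and it assumes a JVM on which the Security Manager is still available.

```java
// Added example. Run with:
//   java -Djava.security.manager -Djava.security.policy=rhino.policy ...
//
// rhino.policy (constructed; the grant for your own application classes is not shown):
//   grant codeBase "file:/opt/app/lib/js.jar" {
//     permission java.lang.RuntimePermission "getClassLoader";
//     permission java.lang.RuntimePermission "createClassLoader";
//     permission java.util.PropertyPermission "line.separator", "read";
//   };
//   grant codeBase "file:/opt/app/scripts/untrusted/-" {
//     // deliberately empty: untrusted scripts get no permissions
//   };
import java.net.URI;
import java.net.URL;
import java.security.CodeSource;
import java.security.cert.Certificate;
import org.mozilla.javascript.Context;
import org.mozilla.javascript.PolicySecurityController;
import org.mozilla.javascript.Script;
import org.mozilla.javascript.Scriptable;

public class SandboxedScriptRunner {
    public static void main(String[] args) throws Exception {
        Context cx = Context.enter();
        try {
            // Install the controller on this Context before compiling anything.
            cx.setSecurityController(new PolicySecurityController());
            Scriptable scope = cx.initStandardObjects();

            // Trusted code chooses the CodeSource; the policy is matched against it.
            URL location = URI.create("file:/opt/app/scripts/untrusted/report.js").toURL();
            CodeSource domain = new CodeSource(location, (Certificate[]) null);

            String source = "java.lang.System.getProperty('user.home')";
            Script script = cx.compileString(source, location.toString(), 1, domain);
            try {
                Object result = script.exec(cx, scope);
                System.out.println("allowed: " + Context.toString(result));
            } catch (RuntimeException e) {
                // With the empty grant above, the property read is refused.
                System.out.println("denied: " + e);
            }
        } finally {
            Context.exit();
        }
    }
}
```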
