[JEXL] white list classes, not by interfaces?

[JEXL] white list classes, not by interfaces?

Woonsan Ko-3
Hi,

I'm experimenting with JexlSandbox (for blackbox mode) of v3.1 like
the following example:

    JexlSandbox sandbox = new JexlSandbox(false);
    sandbox.white(IFoo.class.getName());
    // ...
    JexlEngine engine = new JexlBuilder().sandbox(sandbox).create();

But if I put an instance of FooImpl (implementing IFoo interface) for
instance, the JEXL interpreter doesn't seem to be able to resolve
IFoo's methods. If I add FooImpl.class.getName() to the white list,
then it starts resolving the method call without a problem.
So, I assume the sandbox permission handling might be checking the
implementation class name only. Is it true? If so, wouldn't it be nice
if it can check its interfaces as well?
When providing an interpreting env using JEXL, I think it's very
common to separate the interfaces from various implementations.

Regards,

Woonsan

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: [JEXL] white list classes, not by interfaces?

Woonsan Ko-3
I've created a ticket for this:
- https://issues.apache.org/jira/browse/JEXL-253

Cheers,

Woonsan


On Thu, Oct 19, 2017 at 10:09 AM, Woonsan Ko <[hidden email]> wrote:

> Hi,
>
> I'm experimenting with JexlSandbox (for blackbox mode) of v3.1 like
> the following example:
>
>     JexlSandbox sandbox = new JexlSandbox(false);
>     sandbox.white(IFoo.class.getName());
>     // ...
>     JexlEngine engine = new JexlBuilder().sandbox(sandbox).create();
>
> But if I put an instance of FooImpl (implementing IFoo interface) for
> instance, the JEXL interpreter doesn't seem to be able to resolve
> IFoo's methods. If I add FooImpl.class.getName() to the white list,
> then it starts resolving the method call without a problem.
> So, I assume the sandbox permission handling might be checking the
> implementation class name only. Is it true? If so, wouldn't it be nice
> if it can check its interfaces as well?
> When providing an interpreting env using JEXL, I think it's very
> common to separate the interfaces from various implementations.
>
> Regards,
>
> Woonsan

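
The interface-aware check asked for in this thread, as an added example that is not part of the original messages and is not JEXL's code: a stand-alone reflection model in which `InterfaceAllowList`, `allow`, `resolve` and `FooImpl.secret` are hypothetical names, and `IFoo`/`FooImpl` are constructed stand-ins for the poster's types. A call resolves only to a public method declared on an allow-listed type in the object's hierarchy, so allowing `IFoo` does not also expose methods that exist only on the implementation.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.*;

public class InterfaceAllowList {
    // Constructed stand-ins for the types named in the post.
    public interface IFoo { String greet(String name); }
    public static class FooImpl implements IFoo {
        public String greet(String name) { return "hello " + name; }
        public String secret() { return "internal"; } // implementation-only, not declared by IFoo
    }

    private final Set<String> allowed = new HashSet<>();

    public InterfaceAllowList allow(Class<?> type) { allowed.add(type.getName()); return this; }

    // Every type the object can be viewed as: its class, superclasses and all interfaces.
    static Set<Class<?>> hierarchy(Class<?> start) {
        Set<Class<?>> seen = new LinkedHashSet<>();
        Deque<Class<?>> todo = new ArrayDeque<>();
        todo.add(start);
        while (!todo.isEmpty()) {
            Class<?> c = todo.poll();
            if (!seen.add(c)) continue;
            if (c.getSuperclass() != null) todo.add(c.getSuperclass());
            todo.addAll(Arrays.asList(c.getInterfaces()));
        }
        return seen;
    }

    // Returns the method as declared on an allow-listed type, or null when no allowed type exposes it.
    Method resolve(Object target, String name, Class<?>... argTypes) {
        for (Class<?> type : hierarchy(target.getClass())) {
            if (!allowed.contains(type.getName())) continue;
            try {
                Method m = type.getDeclaredMethod(name, argTypes);
                if (Modifier.isPublic(m.getModifiers())) return m;
            } catch (NoSuchMethodException e) { /* try the next allowed type */ }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        Object foo = new FooImpl();
        InterfaceAllowList list = new InterfaceAllowList().allow(IFoo.class);
        System.out.println(list.resolve(foo, "greet", String.class).invoke(foo, "jexl"));
        System.out.println(list.resolve(foo, "secret") == null ? "secret: denied" : "secret: allowed");
    }
}
```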