Sandboxing JSR-223

Submitted by 佐手 on 2019-11-29 23:15:37

There is a constructor for ScriptEngineManager that takes a classloader. The classloader is used to load the scripting engine implementation. As classes inherit their classloaders, the scripting engine and any objects it creates should also use that classloader.

That classloader needs to deny the existence of any classes that are not white-listed.

Top it off with a custom SecurityManager so you can base access checks on which classloader is in use.

Edit: Here's an article I found on Sandboxing Rhino in Java. Most of it should also apply to JSR-223. Sun's implementation is Rhino with modifications, so there may be some differences.
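The approach in the answer above (a whitelisting classloader handed to `ScriptEngineManager`, plus a SecurityManager keyed on that loader), worked through as an added example. This is not code from any answer or from a referenced project; it assumes Java 8 to 11 with the Nashorn engine, which takes its application class loader from the thread context loader at engine creation, and the class names `WhitelistSandbox`, `WhitelistClassLoader` and `LoaderSecurityManager` and the allowed/denied prefix lists are my own choices for the demo.

```java
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import java.io.FilePermission;
import java.net.SocketPermission;
import java.security.Permission;
import java.util.Arrays;
import java.util.List;

/** Demo: JSR-223 sandbox built from a whitelisting class loader plus a SecurityManager. */
public class WhitelistSandbox {

    /** Only class names starting with one of these prefixes exist for the sandbox. */
    static final List<String> ALLOWED_PREFIXES = Arrays.asList(
            "java.lang.", "java.util.",                        // what scripts may use
            "jdk.nashorn.", "jdk.dynalink.", "jdk.internal."); // what the engine itself needs

    /** Carve-outs inside the allowed prefixes that must stay invisible to scripts. */
    static final List<String> DENIED_PREFIXES = Arrays.asList(
            "java.lang.Runtime", "java.lang.ProcessBuilder", "java.lang.System",
            "java.lang.Thread", "java.lang.ClassLoader", "java.lang.reflect.");

    /** Class loader that reports "no such class" for anything not white-listed. */
    static final class WhitelistClassLoader extends ClassLoader {
        WhitelistClassLoader(ClassLoader parent) { super(parent); }

        static boolean visible(String name) {
            for (String d : DENIED_PREFIXES) if (name.startsWith(d)) return false;
            for (String a : ALLOWED_PREFIXES) if (name.startsWith(a)) return true;
            return false;
        }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (!visible(name)) {
                throw new ClassNotFoundException("not visible in sandbox: " + name);
            }
            return super.loadClass(name, resolve); // normal parent delegation for allowed names
        }
    }

    /**
     * Denies file, socket and exit permissions whenever a class loaded by the sandbox
     * loader, or by any loader descended from it (Nashorn's per-script loaders have the
     * application loader as an ancestor), is on the call stack. Code outside the sandbox
     * is left unrestricted here; a real deployment would combine this with a policy.
     */
    static final class LoaderSecurityManager extends SecurityManager {
        private final ClassLoader sandbox;
        // Re-entry guard: Class.getClassLoader() below can itself trigger a permission check.
        private final ThreadLocal<Boolean> inCheck = ThreadLocal.withInitial(() -> false);

        LoaderSecurityManager(ClassLoader sandbox) { this.sandbox = sandbox; }

        private boolean fromSandbox(Class<?> c) {
            for (ClassLoader l = c.getClassLoader(); l != null; l = l.getParent()) {
                if (l == sandbox) return true;
            }
            return false;
        }

        @Override
        public void checkPermission(Permission perm) {
            if (inCheck.get()) return;
            inCheck.set(true);
            try {
                for (Class<?> c : getClassContext()) {
                    if (fromSandbox(c)) {
                        if (perm instanceof FilePermission || perm instanceof SocketPermission
                                || (perm instanceof RuntimePermission && perm.getName().startsWith("exitVM"))) {
                            throw new SecurityException("sandboxed script denied: " + perm);
                        }
                        return; // sandbox code on the stack, but this permission is tolerated
                    }
                }
            } finally {
                inCheck.set(false);
            }
        }

        @Override
        public void checkPermission(Permission perm, Object context) { checkPermission(perm); }
    }

    public static void main(String[] args) throws Exception {
        ClassLoader sandbox = new WhitelistClassLoader(WhitelistSandbox.class.getClassLoader());

        // Nashorn picks up the thread context loader as its application loader when the
        // engine is created, so install the sandbox loader for the duration of creation.
        Thread t = Thread.currentThread();
        ClassLoader saved = t.getContextClassLoader();
        ScriptEngine engine;
        try {
            t.setContextClassLoader(sandbox);
            engine = new ScriptEngineManager(sandbox).getEngineByName("nashorn");
        } finally {
            t.setContextClassLoader(saved);
        }
        System.setSecurityManager(new LoaderSecurityManager(sandbox));

        // Constructed demo scripts: the first uses a white-listed class, the others must fail.
        String[] scripts = {
            "Java.type('java.lang.Math').abs(-3)",          // allowed, evaluates to 3
            "Java.type('java.io.File')",                    // not white-listed
            "Java.type('java.lang.Runtime').getRuntime()",  // explicitly denied
        };
        for (String s : scripts) {
            try {
                System.out.println("OK      " + s + " = " + engine.eval(s));
            } catch (Exception e) {
                System.out.println("BLOCKED " + s + " : " + e.getClass().getSimpleName() + ": " + e.getMessage());
            }
        }
    }
}
```

The two layers cover different failure modes: the loader makes unlisted classes unresolvable from the script's point of view, while the SecurityManager is the backstop for anything still reachable through an allowed class (it sees the sandbox loader in the chain of the engine's generated script classes and refuses file, socket and exit permissions). Note that the thread-context-loader step is Nashorn-specific; other JSR-223 engines may resolve Java classes through a different loader, so check which loader the engine actually consults before relying on the first layer. Nashorn was removed from the JDK in Java 15, and from Java 17 on `System.setSecurityManager` throws unless the JVM is started with `-Djava.security.manager=allow`.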

Is it possible to run the part of your application that requires the scripting engine in a separate JVM? You could start the scripting engine JVM with a different classpath (and security manager) and then use some form of lightweight message passing between the 2 JVMs.

Mike Samuel

See http://code.google.com/p/prebake/source/browse/trunk/code/src/org/prebake/js/RhinoExecutor.java and related classes in the same package, especially the SANDBOXING_FACTORY there.

That's some code that sandboxes a Rhino interpreter to allow it access to the filesystem mediated by a loader.
