如何从Nashorn引擎中删除java apis？ [英] How to remove java apis from Nashorn-engine?

问题描述

是否可以在nashorn-engine中隐藏或删除java api？
因此它只能看到或使用默认ECMAScript 262 Edition 5.1以及一些特别暴露的函数/变量？

Is it possible to hide or remove java api's from nashorn-engine? So that it could only see or use "default" ECMAScript 262 Edition 5.1 with some especially exposed functions / variables?

我想让我的最终用户为他们自己创建一些特定的逻辑，而不用担心他们会破解整个系统。当然在nashorn引擎中可能存在一些安全漏洞等，但这是不同的主题。

I would like to let my endusers create some specific logic for their own without worrying they could hack the whole system. Of course there might be some security holes in the nashorn engine etc. but that is the different topic.

编辑：对不起我忘了提到我在我的内部运行nashorn java应用程序，所以不能使用命令行参数。

Sorry I forgot to mention that I am running nashorn inside my java application, so no commandline parameters can be used.

推荐答案

好的，这里是带有一些限制参数的示例类：

OK, here is sample class with some limiting arguments:

package com.pasuna;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.Random;
import javax.script.Invocable;
import javax.script.ScriptEngine;
import javax.script.ScriptException;
import jdk.nashorn.api.scripting.NashornScriptEngineFactory;

public class ScriptTest {

    public static class Logger {
        public void log(String message) {
            System.out.println(message);
        }
    }

    public static class Dice {
        private Random random = new Random();
        public int D6() {
            return random.nextInt(6) + 1;
        }
    }

    public static void main(String[] args) {
        NashornScriptEngineFactory factory = new NashornScriptEngineFactory();
        ScriptEngine engine = factory.getScriptEngine(new String[]{"-strict", "--no-java", "--no-syntax-extensions"});
        //note final, does not work.
        final Dice dice = new Dice();
        final Logger logger = new Logger();
        engine.put("dice", dice);
        engine.put("log", logger);
        engine.put("hello", "world");
        try {

            engine.eval("log.log(hello);");
            engine.eval("log.log(Object.keys(this));");

            engine.eval("log.log(dice.D6());"
                    + "log.log(dice.D6());"
                    + "log.log(dice.D6());");

            engine.eval("log.log(Object.keys(this));");
            engine.eval("Coffee"); //boom as should
            engine.eval("Java"); //erm? shoud boom?
            engine.eval("log = 1;"); //override final, boom, nope
            engine.eval("log.log(hello);"); //boom
        } catch (final ScriptException ex) {
            ex.printStackTrace();
        }
        BufferedReader br = new BufferedReader(new InputStreamReader(System.in));
        String input = "";
        do {
            try {
                input = br.readLine();
                engine.eval(input);
            } catch (final ScriptException | IOException se) {
                se.printStackTrace();
            }
        } while (!input.trim().equals("quit"));

        try {
            engine.eval("var add = function(first, second){return first + second;};");
            Invocable invocable = (Invocable) engine;
            Object result = invocable.invokeFunction("add", 1, 2);
            System.out.println(result);

        } catch (final NoSuchMethodException | ScriptException se) {
            se.printStackTrace();
        }
        Object l = engine.get("log");
        System.out.println(l == logger);
    }
}

有关标志的更多信息，请点击此处：< a href =http://hg.openjdk.java.net/jdk8/jdk8/nashorn/rev/eb7b8340ce3a =noreferrer> http://hg.openjdk.java.net/jdk8/jdk8/nashorn/ rev / eb7b8340ce3a

more info about flags can be found from here: http://hg.openjdk.java.net/jdk8/jdk8/nashorn/rev/eb7b8340ce3a

（imash atm nashorn文档很差）

(imho atm the nashorn documentation is poor)

这篇关于如何从Nashorn引擎中删除java apis？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！