java表达式语言,无法访问'不安全'的java方法 [英] java expression language that can't access 'unsafe' java methods
问题描述
我正在开展一个项目,我将允许用户向服务器提交小脚本,然后我将执行这些脚本。有许多脚本语言可以嵌入到Java程序中,例如mvel,ognl,uel,clojure,rhino javascript等,但据我所知,它们都允许脚本编写者调用Java构造函数,静态方法等。
I am working on a project where I will let users submit small 'scripts' to the server, and I will execute those scripts. There are many scripting languages which can be embedded into a Java program, such as mvel, ognl, uel, clojure, rhino javascript, etc., but, as far as I can tell, they all allow script writer to call Java constructors, static methods, etc.
我不希望我的用户能够调用任何我没有提供它们的东西(通常是通过某种上下文对象)。他们的大多数脚本都是算术和逻辑表达式,在某些情况下,他们需要遍历对象属性(getter / setter)或Map的内容。我只是不希望他们逃离我提供给他们的沙箱。
I don't want my users to be able to call anything which I don't provide them (usually through some sort of context object). Most of their scripts will be arithmetic and logical expressions, in some cases they will need to traverse object properties (getters/setters) or contents of a Map. I just don't want them to escape the sandbox I provide them.
有什么建议吗?
推荐答案
I think you can achieve this through using a security policy.
这篇关于java表达式语言,无法访问'不安全'的java方法的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!