...
```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.ProtectionDomain;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;

class ACC {
  // Holder for a context whose single protection domain grants nothing
  private static class RestrictedAccessControlContext {
    private static final AccessControlContext INSTANCE;

    static {
      INSTANCE = new AccessControlContext(
          new ProtectionDomain[] {
            new ProtectionDomain(null, null) // No permissions
          });
    }
  }

  private static void evalScript(final String firstName)
      throws ScriptException {
    ScriptEngineManager manager = new ScriptEngineManager();
    final ScriptEngine engine = manager.getEngineByName("javascript");
    // Restrict permission using the two-argument form of doPrivileged()
    try {
      AccessController.doPrivileged(
          new PrivilegedExceptionAction<Object>() {
            public Object run() throws ScriptException {
              // The script runs with the permissions of the context below
              engine.eval("print('" + firstName + "')");
              return null;
            }
          },
          RestrictedAccessControlContext.INSTANCE); // From nested class
    } catch (PrivilegedActionException pae) {
      // Handle
    }
  }
}
```
This approach could be combined with whitelisting for extra security.
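One way to layer the two defenses, as an added example that is not part of the original page: the input is checked against a whitelist before it reaches the script text, and the evaluation still runs in the no-permission context. The class name `WhitelistedEval`, the `isAllowed` helper, the `\w{1,64}` policy and the sample names are assumptions made for illustration; it also assumes a JDK that still bundles a `javascript` engine.

```java
import java.security.*;
import java.util.regex.Pattern;
import javax.script.*;

public class WhitelistedEval {
  // Assumed policy for this example: 1-64 ASCII letters, digits or underscores
  private static final Pattern ALLOWED = Pattern.compile("\\w{1,64}");

  // Same no-permission context as in the code above
  private static final AccessControlContext NO_PERMISSIONS =
      new AccessControlContext(
          new ProtectionDomain[] {new ProtectionDomain(null, null)});

  static boolean isAllowed(String firstName) {
    return firstName != null && ALLOWED.matcher(firstName).matches();
  }

  static void evalScript(final String firstName)
      throws ScriptException, PrivilegedActionException {
    // Layer 1: reject anything outside the whitelist before building the script
    if (!isAllowed(firstName)) {
      throw new IllegalArgumentException("firstName rejected by whitelist");
    }
    final ScriptEngine engine =
        new ScriptEngineManager().getEngineByName("javascript");
    if (engine == null) { // This JDK does not bundle a JavaScript engine
      throw new ScriptException("no JavaScript engine available");
    }
    // Layer 2: evaluate with no permissions, as in the code above
    AccessController.doPrivileged(
        (PrivilegedExceptionAction<Object>) () -> {
          engine.eval("print('" + firstName + "')");
          return null;
        },
        NO_PERMISSIONS);
  }

  public static void main(String[] args) {
    // Constructed inputs: a plain name, and one whose quote would end the string literal
    for (String name : new String[] {"Alice", "O'Brien"}) {
      try {
        evalScript(name);
      } catch (IllegalArgumentException | ScriptException
          | PrivilegedActionException e) {
        System.out.println("not evaluated: " + name + " (" + e + ")");
      }
    }
  }
}
```

The whitelist stops the malformed name before any script is built; the restricted context limits what a script could do if the whitelist were ever loosened or bypassed.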
Applicability
...