Subj : Re: [Rhino] security policy
To : Igor Bukanov
From : Jo
Date : Thu Mar 13 2003 10:25 am

Igor,

Igor Bukanov wrote:

>> I'm trying to restrict some of the permissions of my Rhino scripts
>> (Rhino14R5).
>> For example I don't want my Rhino scripts to create their own class
>> loaders, but of course Rhino code itself should be able to do that as
>> it needs it for internal use.
>>
>> For that I use a Java SecurityManager and I have a policy file that
>> looks like:
>>
>> grant codeBase "file:/.../rhino.jar" {
>> permission java.lang.RuntimePermission "createClassLoader";
>> }
>>
>> (I also have Rhino SecurityController but with or without it, the
>> problem is the same as soon as I have a SecurityManager).
>>
>> However it happens that I have some exceptions like:
>>
>> java.security.AccessControlException: access denied
>> (java.lang.RuntimePermission
>> createClassLoader)
>
>
> Did you try to use
> org.mozilla.javascript.tools.shell.JavaPolicySecurity, which provides an
> implementation of SecurityController in Rhino shell, see
> http://mozilla.org/rhino/rhino15R4.html on info how to activate it in
> the shell?

I tried it but unfortunately it doesn't solve my problem.
I reproduce it with Rhino Shell. For example create a rhino.policy file with:

grant codeBase "file:/d:/rhino1_5r4/js.jar" {
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.io.FilePermission "<<ALL FILES>>", "read";
    permission java.util.PropertyPermission "*", "read";
};

then a test.js file with:

importPackage(Packages.java.io);
importPackage(Packages.java.lang);
new Integer(2);

run the following command:

D:\rhino1_5R4>java -Djava.security.manager -Djava.security.policy=rhino.policy -Drhino.use_java_policy_security -jar js.jar test.js

and you will get a security exception (can't create classLoader) even if
the script itself doesn't call the forbidden method (but Rhino which is
authorized called it).
Did I miss something?

Thanks.

C.