Subj: Re: Rhino Security AccessControlContext
To: Larry Blanchette
From: Igor Bukanov
Date: Wed Apr 07 2004 11:37 am

Larry Blanchette wrote:
> I'm using Rhino 1.5R5/Sun's JVM 1.4.1 and am having trouble resolving how
> protection domains are applied in Rhino. I found some comment on security
> on Batik but details were missing and wondered if my situation is related.
>
> If I load a security policy & manager dynamically in my app the protection
> domain is applied faithfully. I properly get access denied when my script
> attempts to access jars it does not have read permissions for.
>
> If I load the same policy/manager via JVM command line the script is able to
> access non-permissioned jars/classes; I must rely on ClassShutter to enforce
> restrictions (which actually is cool, but why does it work like this?).
> I've been stabbing at this for a bit and I was wondering if anyone had an
> explanation?

Could you provide details about your security policy setup and how you access Java classes from your script?

> In both cases the proper restricted AccessControlContext is passed in the
> doPrivileged call in callWithDomain.

If you are really going to allow untrusted scripts to run in your application, then, if all your scripts are going to be executed with the least possible privileges, your implementation of org.mozilla.javascript.SecurityController is probably fine.

On the other hand, if you are going to allow mixing trusted and untrusted scripts, please have a look at org.mozilla.javascript.tools.shell.JavaPolicySecurity,
http://lxr.mozilla.org/mozilla/source/js/rhino/toolsrc/org/mozilla/javascript/tools/shell/JavaPolicySecurity.java ,
which contains the default implementation of SecurityController that supports domain mixing. The implementation is rather complex due to the lack of direct support for dropping privileges dynamically in the Java API.

And in any case you need to install a ClassShutter to deny access from scripts to any class whose name starts with org.mozilla.javascript.

Regards, Igor.
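The ClassShutter Igor recommends, shown as an added example (this is not Igor's code nor Rhino's own, and it assumes only that a Rhino release exposing org.mozilla.javascript.ClassShutter and Context.setClassShutter is on the classpath; the script strings and the allowlist are constructed for the illustration). It hides every class under org.mozilla.javascript from scripts so that a script cannot reach Context, the SecurityController or the shutter itself, and goes one step further than the thread by defaulting to deny everything not on a short allowlist:

```java
// Added example: a ClassShutter that hides Rhino internals from scripts.
// Not code from the thread or from the Rhino project; assumes Rhino is on the classpath.
import org.mozilla.javascript.ClassShutter;
import org.mozilla.javascript.Context;
import org.mozilla.javascript.Scriptable;

public class ShutterDemo {

    // Deny everything under org.mozilla.javascript, then default-deny the rest:
    // only the packages/classes the host actually needs are visible to scripts.
    // (The allowlist below is an assumption for the demo, not a recommendation.)
    static final ClassShutter DENY_RHINO_INTERNALS = new ClassShutter() {
        public boolean visibleToScripts(String fullClassName) {
            if (fullClassName.startsWith("org.mozilla.javascript")) {
                return false;
            }
            return fullClassName.startsWith("java.util.")
                || fullClassName.startsWith("java.lang.String")
                || fullClassName.startsWith("java.lang.Math");
        }
    };

    // Evaluate one script with the shutter installed on the current Context.
    static Object run(String source) {
        Context cx = Context.enter();
        try {
            cx.setClassShutter(DENY_RHINO_INTERNALS);
            Scriptable scope = cx.initStandardObjects();
            return cx.evaluateString(scope, source, "<script>", 1, null);
        } finally {
            Context.exit();
        }
    }

    public static void main(String[] args) {
        // Allowed: java.util is on the allowlist, so this evaluates to 0.
        System.out.println(run("new java.util.ArrayList().size()"));

        // Blocked: with the shutter in place the name resolves to an opaque
        // package object rather than a class, so the call fails instead of
        // handing the script a live Context.
        try {
            run("Packages.org.mozilla.javascript.Context.getCurrentContext()");
            System.out.println("unexpected: script reached Rhino internals");
        } catch (RuntimeException e) {
            System.out.println("blocked: " + e.getMessage());
        }

        // Also blocked by the default-deny: java.lang.System, hence System.exit.
        try {
            run("java.lang.System.exit(0)");
            System.out.println("unexpected: script reached java.lang.System");
        } catch (RuntimeException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The shutter is a name-lookup gate for Packages/java.* access and complements, rather than replaces, the SecurityController discussed above: the controller decides which Java privileges a script's code runs with, the shutter decides which Java classes a script can name at all. Before relying on it, also exercise the indirect paths, such as calling getClass() on a Java object the host has already handed the script, and confirm they are blocked in the Rhino version you ship.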