Class SecureIntrospectorImpl

  extended by org.apache.velocity.util.introspection.IntrospectorBase
      extended by org.apache.velocity.util.introspection.Introspector
          extended by org.apache.velocity.util.introspection.SecureIntrospectorImpl
All Implemented Interfaces:
IntrospectorCacheListener, SecureIntrospectorControl

public class SecureIntrospectorImpl
extends Introspector
implements SecureIntrospectorControl

Prevent "dangerous" classloader/reflection related calls. Use this introspector for situations in which template writers are numerous or untrusted. Specifically, this introspector prevents creation of arbitrary objects and prevents reflection on objects.

See documentation of checkObjectExecutePermission() for more information on specific classes and methods blocked.

Version:
$Id: 509906 2007-02-21 06:11:05Z wglass $
Author:
Will Glass-Husain

Field Summary
Fields inherited from class org.apache.velocity.util.introspection.Introspector
Fields inherited from class org.apache.velocity.util.introspection.IntrospectorBase
Constructor Summary
SecureIntrospectorImpl(String[] badClasses, String[] badPackages, Log log)
Method Summary
 boolean checkObjectExecutePermission(Class clazz, String methodName)
          Determine which methods and classes to prevent from executing.
 Method getMethod(Class clazz, String methodName, Object[] params)
          Get the Method object corresponding to the given class, name and parameters.
Methods inherited from class org.apache.velocity.util.introspection.Introspector
Methods inherited from class org.apache.velocity.util.introspection.IntrospectorBase
clearCache, createClassMap, getIntrospectorCache, lookupClassMap, triggerGet, triggerPut
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail


public SecureIntrospectorImpl(String[] badClasses,
                              String[] badPackages,
                              Log log)
Method Detail


public Method getMethod(Class clazz,
                        String methodName,
                        Object[] params)
                 throws IllegalArgumentException
Get the Method object corresponding to the given class, name and parameters. Will check for appropriate execute permissions and return null if the method is not allowed to be executed.

Overrides:
getMethod in class Introspector
Parameters:
clazz - Class on which method will be called
methodName - Name of method to be called
params - array of parameters to method
Returns:
Method object retrieved by Introspector
Throws:
IllegalArgumentException - The parameters passed in were incorrect.


public boolean checkObjectExecutePermission(Class clazz,
                                            String methodName)
Determine which methods and classes to prevent from executing. Always blocks methods wait() and notify(). Always allows methods on Number, Boolean, and String. Prohibits method calls on classes related to reflection and system operations. For the complete list, see the properties introspector.restrict.classes and introspector.restrict.packages.

Specified by:
checkObjectExecutePermission in interface SecureIntrospectorControl
Parameters:
clazz - Class on which method will be called
methodName - Name of method to be called
Returns:
true if method may be called on object
See Also:
SecureIntrospectorControl.checkObjectExecutePermission(java.lang.Class, java.lang.String)
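
The following is an added example, not part of the Velocity Javadoc or source. It exercises checkObjectExecutePermission() and getMethod() against the cases documented above. The class name SecureIntrospectorDemo, the report helper and both deny lists are constructed for illustration, and the no-argument Log constructor from org.apache.velocity.runtime.log is assumed.

```java
import java.lang.reflect.Method;
import org.apache.velocity.runtime.log.Log;
import org.apache.velocity.util.introspection.SecureIntrospectorImpl;

// Hypothetical demo class, not part of Velocity.
public class SecureIntrospectorDemo {

    // Prints the permission decision for one class/method pair.
    static void report(SecureIntrospectorImpl si, Class clazz, String methodName) {
        boolean allowed = si.checkObjectExecutePermission(clazz, methodName);
        System.out.println(clazz.getName() + "." + methodName + "() allowed=" + allowed);
    }

    public static void main(String[] args) {
        // Constructed deny lists for this demo. In a running engine they come from
        // introspector.restrict.classes and introspector.restrict.packages.
        String[] badClasses = { "java.lang.Runtime", "java.lang.ClassLoader" };
        String[] badPackages = { "java.lang.reflect" };

        // Assumption: the no-argument constructor of org.apache.velocity.runtime.log.Log.
        SecureIntrospectorImpl si =
            new SecureIntrospectorImpl(badClasses, badPackages, new Log());

        report(si, String.class, "length");    // String: documented as always allowed
        report(si, Integer.class, "intValue"); // Integer is a Number: documented as always allowed
        report(si, Object.class, "wait");      // wait(): documented as always blocked
        report(si, Object.class, "notify");    // notify(): documented as always blocked
        report(si, Runtime.class, "exec");     // class named in badClasses
        report(si, Method.class, "invoke");    // class in a package named in badPackages
        report(si, java.util.ArrayList.class, "size"); // on neither list

        // getMethod() applies the permission check; per the documentation above it
        // returns null when the method is not allowed to be executed.
        Method refused = si.getMethod(Runtime.class, "getRuntime", new Object[0]);
        Method granted = si.getMethod(String.class, "length", new Object[0]);
        System.out.println("Runtime.getRuntime -> " + refused);
        System.out.println("String.length      -> " + granted);
    }
}
```

A check like this is useful as a regression test whenever the restrict lists are edited, so that a class removed from the deny list by mistake shows up before templates from untrusted authors are rendered.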

Copyright © 2000-2007 The Apache Software Foundation. All Rights Reserved.