org.apache.velocity.util.introspection
Class SecureIntrospectorImpl
java.lang.Object
org.apache.velocity.util.introspection.IntrospectorBase
org.apache.velocity.util.introspection.Introspector
org.apache.velocity.util.introspection.SecureIntrospectorImpl
- All Implemented Interfaces:
- SecureIntrospectorControl
public class SecureIntrospectorImpl
- extends Introspector
- implements SecureIntrospectorControl
Prevent "dangerous" classloader/reflection related calls. Use this
introspector for situations in which template writers are numerous
or untrusted. Specifically, this introspector prevents creation of
arbitrary objects and prevents reflection on objects.
See documentation of checkObjectExecutePermission() for
more information on specific classes and methods blocked.
- Since:
- 1.5
- Version:
- $Id: SecureIntrospectorImpl.java 705375 2008-10-16 22:06:30Z nbubna $
- Author:
- Will Glass-Husain
Methods inherited from class java.lang.Object |
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
SecureIntrospectorImpl
public SecureIntrospectorImpl(String[] badClasses,
String[] badPackages,
Log log)
getMethod
public Method getMethod(Class clazz,
String methodName,
Object[] params)
throws IllegalArgumentException
- Get the Method object corresponding to the given class, name and parameters.
Will check for appropriate execute permissions and return null if the method
is not allowed to be executed.
- Overrides:
getMethod
in class Introspector
- Parameters:
clazz
- Class on which method will be calledmethodName
- Name of method to be calledparams
- array of parameters to method
- Returns:
- Method object retrieved by Introspector
- Throws:
IllegalArgumentException
- The parameter passed in were incorrect.
checkObjectExecutePermission
public boolean checkObjectExecutePermission(Class clazz,
String methodName)
- Determine which methods and classes to prevent from executing. Always blocks
methods wait() and notify(). Always allows methods on Number, Boolean, and String.
Prohibits method calls on classes related to reflection and system operations.
For the complete list, see the properties
introspector.restrict.classes
and introspector.restrict.packages
.
- Specified by:
checkObjectExecutePermission
in interface SecureIntrospectorControl
- Parameters:
clazz
- Class on which method will be calledmethodName
- Name of method to be called
- Returns:
- true if method may be called on object
- See Also:
SecureIntrospectorControl.checkObjectExecutePermission(java.lang.Class, java.lang.String)
Copyright © 2000-2010 The Apache Software Foundation. All Rights Reserved.