SecureIntrospectorImpl (Apache Velocity 1.7 API)

Overview

Package

Class

Use

Tree

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

org.apache.velocity.util.introspection
Class SecureIntrospectorImpl

java.lang.Object
  org.apache.velocity.util.introspection.IntrospectorBase
      org.apache.velocity.util.introspection.Introspector
          org.apache.velocity.util.introspection.SecureIntrospectorImpl

All Implemented Interfaces:: SecureIntrospectorControl

public class SecureIntrospectorImpl
extends Introspector
implements SecureIntrospectorControl
extends Introspector
implements SecureIntrospectorControl

Prevent "dangerous" classloader/reflection related calls. Use this introspector for situations in which template writers are numerous or untrusted. Specifically, this introspector prevents creation of arbitrary objects and prevents reflection on objects.

See documentation of checkObjectExecutePermission() for more information on specific classes and methods blocked.

Since:: 1.5
Version:: $Id: SecureIntrospectorImpl.java 705375 2008-10-16 22:06:30Z nbubna $
Author:: Will Glass-Husain

Field Summary

Fields inherited from class org.apache.velocity.util.introspection.IntrospectorBase
`log`

Constructor Summary
`SecureIntrospectorImpl(String[] badClasses, String[] badPackages, Log log)`

Method Summary
`boolean`	`checkObjectExecutePermission(Class clazz, String methodName)` Determine which methods and classes to prevent from executing.
`Method`	`getMethod(Class clazz, String methodName, Object[] params)` Get the Method object corresponding to the given class, name and parameters.

Methods inherited from class org.apache.velocity.util.introspection.IntrospectorBase
`getIntrospectorCache`

Methods inherited from class java.lang.Object
`clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait`

Constructor Detail

SecureIntrospectorImpl

public SecureIntrospectorImpl(String[] badClasses,
                              String[] badPackages,
                              Log log)

Method Detail

getMethod

public Method getMethod(Class clazz,
                        String methodName,
                        Object[] params)
                 throws IllegalArgumentException

Get the Method object corresponding to the given class, name and parameters. Will check for appropriate execute permissions and return null if the method is not allowed to be executed.

Overrides:: getMethod in class Introspector

Parameters:: clazz - Class on which method will be called; methodName - Name of method to be called; params - array of parameters to method
Returns:: Method object retrieved by Introspector
Throws:: IllegalArgumentException - The parameter passed in were incorrect.

checkObjectExecutePermission

public boolean checkObjectExecutePermission(Class clazz,
                                            String methodName)

Determine which methods and classes to prevent from executing. Always blocks methods wait() and notify(). Always allows methods on Number, Boolean, and String. Prohibits method calls on classes related to reflection and system operations. For the complete list, see the properties introspector.restrict.classes and introspector.restrict.packages.

Specified by:: checkObjectExecutePermission in interface SecureIntrospectorControl

Parameters:: clazz - Class on which method will be called; methodName - Name of method to be called
Returns:: true if method may be called on object
See Also:: SecureIntrospectorControl.checkObjectExecutePermission(java.lang.Class, java.lang.String)