Class SecureIntrospectorImpl

All Implemented Interfaces:
SecureIntrospectorControl

public class SecureIntrospectorImpl extends Introspector implements SecureIntrospectorControl

Prevents "dangerous" classloader/reflection-related calls. Use this introspector when template writers are numerous or untrusted. Specifically, it prevents the creation of arbitrary objects and prevents reflection on objects.

See documentation of checkObjectExecutePermission() for more information on specific classes and methods blocked.

Since:
1.5
Version:
$Id$
Author:
Will Glass-Husain
  • Constructor Details

    • SecureIntrospectorImpl

      public SecureIntrospectorImpl(String[] badClasses, String[] badPackages, org.slf4j.Logger log)
  • Method Details

    • getMethod

      public Method getMethod(Class<?> clazz, String methodName, Object[] params) throws IllegalArgumentException
      Get the Method object corresponding to the given class, name and parameters. Will check for appropriate execute permissions and return null if the method is not allowed to be executed.
      Overrides:
      getMethod in class Introspector
      Parameters:
      clazz - Class on which method will be called
      methodName - Name of method to be called
      params - array of parameters to method
      Returns:
      Method object retrieved by Introspector
      Throws:
      IllegalArgumentException - The parameters passed in were incorrect.
    • checkObjectExecutePermission

      public boolean checkObjectExecutePermission(Class<?> clazz, String methodName)
      Determine which methods and classes to prevent from executing. Always blocks methods wait() and notify(). Always allows methods on Number, Boolean, and String. Prohibits method calls on classes related to reflection and system operations. For the complete list, see the properties introspector.restrict.classes and introspector.restrict.packages.
      Specified by:
      checkObjectExecutePermission in interface SecureIntrospectorControl
      Parameters:
      clazz - Class on which method will be called
      methodName - Name of method to be called
      Returns:
      true if method may be called on object
      See Also:
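The following example is added here and is not code from the Velocity project or this class's own documentation. It exercises checkObjectExecutePermission directly against the rules described above (wait()/notify() always blocked, Number/Boolean/String always allowed, deny lists for reflection and system classes), then wires the same deny lists into a VelocityEngine so every method call made from a template passes through the secure introspector. The deny lists are constructed for the example, the package org.apache.velocity.util.introspection is assumed to be where the class lives, and the property name introspector.uberspect.class is assumed to match the Velocity version in use (the page itself names only introspector.restrict.classes and introspector.restrict.packages).

```java
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.util.introspection.SecureIntrospectorImpl;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import java.io.StringWriter;
import java.util.Properties;

public class SecureIntrospectorDemo {

    // Constructed deny lists for this example. A real deployment would normally
    // supply these through introspector.restrict.classes / .packages instead.
    static final String[] BAD_CLASSES = {
        "java.lang.Class", "java.lang.ClassLoader", "java.lang.Runtime",
        "java.lang.System", "java.lang.Thread", "java.lang.ProcessBuilder"
    };
    static final String[] BAD_PACKAGES = { "java.lang.reflect" };

    static final Logger LOG = LoggerFactory.getLogger(SecureIntrospectorDemo.class);

    /** Asks the secure introspector whether a (class, method) pair may be invoked and logs the verdict. */
    static boolean allowed(SecureIntrospectorImpl introspector, Class<?> clazz, String method) {
        boolean ok = introspector.checkObjectExecutePermission(clazz, method);
        LOG.info("{}#{} -> {}", clazz.getName(), method, ok ? "allowed" : "blocked");
        return ok;
    }

    public static void main(String[] args) throws Exception {
        SecureIntrospectorImpl introspector =
            new SecureIntrospectorImpl(BAD_CLASSES, BAD_PACKAGES, LOG);

        // Each call maps to one of the documented rules: String/Number methods are
        // always allowed, wait() is always blocked, and Runtime plus anything in
        // java.lang.reflect fall under the constructed deny lists.
        allowed(introspector, String.class, "toUpperCase");
        allowed(introspector, Integer.class, "intValue");
        allowed(introspector, String.class, "wait");
        allowed(introspector, Runtime.class, "availableProcessors");
        allowed(introspector, java.lang.reflect.Method.class, "getName");

        // Engine-wide policy: the SecureUberspector routes every $ref.method() in a
        // template through SecureIntrospectorImpl. Property name for the uberspector
        // is an assumption for this example; the restrict.* names come from the docs.
        Properties props = new Properties();
        props.setProperty("introspector.uberspect.class",
            "org.apache.velocity.util.introspection.SecureUberspector");
        props.setProperty("introspector.restrict.classes", String.join(",", BAD_CLASSES));
        props.setProperty("introspector.restrict.packages", String.join(",", BAD_PACKAGES));

        VelocityEngine engine = new VelocityEngine();
        engine.init(props);

        VelocityContext ctx = new VelocityContext();
        ctx.put("name", "velocity");

        // A String method is permitted, so this renders normally. For a blocked
        // method, getMethod() returns null and the call is simply never invoked.
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "demo", "Hello $name.toUpperCase()");
        System.out.println(out);
    }
}
```

Running the direct checks first is a useful way to validate a deny list before deploying it: the logged verdicts show exactly which (class, method) pairs the policy admits, independent of any template, so a gap in introspector.restrict.classes or introspector.restrict.packages surfaces as an unexpected "allowed" line rather than at render time.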