Class SecureIntrospectorImpl
java.lang.Object
org.apache.velocity.util.introspection.IntrospectorBase
org.apache.velocity.util.introspection.Introspector
org.apache.velocity.util.introspection.SecureIntrospectorImpl
- All Implemented Interfaces:
SecureIntrospectorControl
Prevent "dangerous" classloader/reflection related calls. Use this introspector for situations in which template writers are numerous or untrusted. Specifically, this introspector prevents creation of arbitrary objects and prevents reflection on objects.
See documentation of checkObjectExecutePermission() for more information on specific classes and methods blocked.
- Since:
- 1.5
- Version:
- $Id$
- Author:
- Will Glass-Husain
-
Field Summary
Fields inherited from class org.apache.velocity.util.introspection.IntrospectorBase
log
-
Constructor Summary
ConstructorDescriptionSecureIntrospectorImpl
(String[] badClasses, String[] badPackages, org.slf4j.Logger log) -
Method Summary
Modifier and TypeMethodDescriptionboolean
checkObjectExecutePermission
(Class<?> clazz, String methodName) Determine which methods and classes to prevent from executing.Get the Method object corresponding to the given class, name and parameters.Methods inherited from class org.apache.velocity.util.introspection.IntrospectorBase
getField, getIntrospectorCache
-
Constructor Details
-
SecureIntrospectorImpl
-
-
Method Details
-
getMethod
public Method getMethod(Class<?> clazz, String methodName, Object[] params) throws IllegalArgumentException Get the Method object corresponding to the given class, name and parameters. Will check for appropriate execute permissions and return null if the method is not allowed to be executed.- Overrides:
getMethod
in classIntrospector
- Parameters:
clazz
- Class on which method will be calledmethodName
- Name of method to be calledparams
- array of parameters to method- Returns:
- Method object retrieved by Introspector
- Throws:
IllegalArgumentException
- The parameter passed in were incorrect.
-
checkObjectExecutePermission
Determine which methods and classes to prevent from executing. Always blocks methods wait() and notify(). Always allows methods on Number, Boolean, and String. Prohibits method calls on classes related to reflection and system operations. For the complete list, see the propertiesintrospector.restrict.classes
andintrospector.restrict.packages
.- Specified by:
checkObjectExecutePermission
in interfaceSecureIntrospectorControl
- Parameters:
clazz
- Class on which method will be calledmethodName
- Name of method to be called- Returns:
- true if method may be called on object
- See Also:
-