Package org.apache.velocity.util.introspection

Class SecureUberspector

  • All Implemented Interfaces:
    Uberspect, RuntimeServicesAware
    public class SecureUberspector
extends UberspectImpl
    Use a custom introspector that prevents classloader related method calls. Use this introspector for situations in which template writers are numerous or untrusted. Specifically, this introspector prevents creation of arbitrary objects or reflection on objects.

    To use this introspector, set the following property: 

     introspector.uberspect.class = org.apache.velocity.util.introspection.SecureUberspector
    Since:
    1.5
    Version:
    $Id$
    Author:
    Will Glass-Husain

    • Constructor Detail

      • SecureUberspector

        public SecureUberspector()

    • Method Detail

      • init

        public void init()
        init - generates the Introspector. As the setup code makes sure that the log gets set before this is called, we can initialize the Introspector using the log object.
        Specified by:
        init in interface Uberspect
        Overrides:
        init in class UberspectImpl

      • getIterator

        public Iterator getIterator​(Object obj,
                            Info i)
        Get an iterator from the given object. Since the superclass method this secure version checks for execute permission.
        Specified by:
        getIterator in interface Uberspect
        Overrides:
        getIterator in class UberspectImpl
        Parameters:
        obj - object to iterate over
        i - line, column, template info
        Returns:
        Iterator for object