Class SecureIntrospectorImpl

  • All Implemented Interfaces:
    SecureIntrospectorControl

    public class SecureIntrospectorImpl
    extends Introspector
    implements SecureIntrospectorControl

    Prevents "dangerous" classloader- and reflection-related calls. Use this introspector when template writers are numerous or untrusted. Specifically, it prevents creation of arbitrary objects and prevents reflection on objects.

    See documentation of checkObjectExecutePermission() for more information on specific classes and methods blocked.

    Since:
    1.5
    Version:
    $Id: SecureIntrospectorImpl.java 705375 2008-10-16 22:06:30Z nbubna $
    • Field Summary

      Fields 
      Modifier and Type Field Description
      private java.lang.String[] badClasses  
      private java.lang.String[] badPackages  
    • Constructor Summary

      Constructors 
      Constructor Description
      SecureIntrospectorImpl(java.lang.String[] badClasses, java.lang.String[] badPackages, Log log)
    • Method Summary

      All Methods Instance Methods Concrete Methods 
      Modifier and Type Method Description
      boolean checkObjectExecutePermission(java.lang.Class clazz, java.lang.String methodName)
      Determine which methods and classes to prevent from executing.
      java.lang.reflect.Method getMethod(java.lang.Class clazz, java.lang.String methodName, java.lang.Object[] params)
      Get the Method object corresponding to the given class, name and parameters.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Field Detail

      • badClasses

        private java.lang.String[] badClasses
      • badPackages

        private java.lang.String[] badPackages
    • Constructor Detail

      • SecureIntrospectorImpl

        public SecureIntrospectorImpl(java.lang.String[] badClasses,
                                      java.lang.String[] badPackages,
                                      Log log)
    • Method Detail

      • getMethod

        public java.lang.reflect.Method getMethod(java.lang.Class clazz,
                                                  java.lang.String methodName,
                                                  java.lang.Object[] params)
                                           throws java.lang.IllegalArgumentException
        Get the Method object corresponding to the given class, name and parameters. Will check for appropriate execute permissions and return null if the method is not allowed to be executed.
        Overrides:
        getMethod in class Introspector
        Parameters:
        clazz - Class on which method will be called
        methodName - Name of method to be called
        params - array of parameters to method
        Returns:
        Method object retrieved by Introspector
        Throws:
        java.lang.IllegalArgumentException - The parameters passed in were incorrect.
      • checkObjectExecutePermission

        public boolean checkObjectExecutePermission(java.lang.Class clazz,
                                                    java.lang.String methodName)
        Determine which methods and classes to prevent from executing. Always blocks methods wait() and notify(). Always allows methods on Number, Boolean, and String. Prohibits method calls on classes related to reflection and system operations. For the complete list, see the properties introspector.restrict.classes and introspector.restrict.packages.
        Specified by:
        checkObjectExecutePermission in interface SecureIntrospectorControl
        Parameters:
        clazz - Class on which method will be called
        methodName - Name of method to be called
        Returns:
        true if method may be called on object
        See Also:
        SecureIntrospectorControl.checkObjectExecutePermission(java.lang.Class, java.lang.String)
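
        The decision order described for checkObjectExecutePermission, as an added stand-alone sketch (not Velocity's source code). The class name ExecutePermissionSketch, the sample denylist entries, and the exact-match comparison of class and package names are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Illustrative model of the documented decision order; not Velocity source.
public class ExecutePermissionSketch {
    private final Set<String> badClasses;
    private final Set<String> badPackages;

    public ExecutePermissionSketch(String[] badClasses, String[] badPackages) {
        this.badClasses = new HashSet<>(Arrays.asList(badClasses));
        this.badPackages = new HashSet<>(Arrays.asList(badPackages));
    }

    public boolean checkObjectExecutePermission(Class<?> clazz, String methodName) {
        // 1. wait() and notify() are blocked regardless of the target class.
        if ("wait".equals(methodName) || "notify".equals(methodName)) {
            return false;
        }
        // 2. Number, Boolean and String (and their subclasses) are always allowed.
        if (Number.class.isAssignableFrom(clazz)
                || Boolean.class.isAssignableFrom(clazz)
                || String.class.isAssignableFrom(clazz)) {
            return true;
        }
        // 3. Everything else is checked against the configured denylists.
        //    Assumption: exact match on class name and on package name.
        String className = clazz.getName();
        int dot = className.lastIndexOf('.');
        String packageName = dot < 0 ? "" : className.substring(0, dot);
        return !badClasses.contains(className) && !badPackages.contains(packageName);
    }

    public static void main(String[] args) {
        // Constructed denylists standing in for the introspector.restrict.* values.
        ExecutePermissionSketch s = new ExecutePermissionSketch(
                new String[] {"java.lang.ClassLoader", "java.lang.Runtime"},
                new String[] {"java.lang.reflect"});
        System.out.println(s.checkObjectExecutePermission(String.class, "length"));
        System.out.println(s.checkObjectExecutePermission(String.class, "wait"));
        System.out.println(s.checkObjectExecutePermission(Runtime.class, "exec"));
        System.out.println(s.checkObjectExecutePermission(java.lang.reflect.Method.class, "invoke"));
        // A class absent from both lists is allowed: the check is a denylist.
        System.out.println(s.checkObjectExecutePermission(java.util.ArrayList.class, "size"));
    }
}
```

        Because the check is a denylist, any class not named in introspector.restrict.classes or covered by introspector.restrict.packages stays callable from templates, so review those two properties against every object placed in the template context.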