Permissions for eval code [jjs with support for Security Manager?]
A. Sundararajan
sundararajan.athijegannathan at oracle.com
Mon Feb 10 00:36:50 PST 2014
No. There is no plan to use the Java caller's (the code evaluating the
script) code source for scripts. The current fix is to make sure the
evaluated script gets the permissions given to all code. (A CodeSource with
a null URL is used - which results in such permissions being given to
scripts.) There is already support for script URL based security, i.e.,
if you use the "load" function with a URL, the script loaded from the URL gets
the security permissions given for that URL (in your security policy). And
no - signing of scripts is not supported.
Thanks
-Sundar
On Saturday 08 February 2014 03:07 PM, Bernd Eckenfels wrote:
> On Fri, 07 Feb 2014 18:19:44 +0530,
> "A. Sundararajan" <sundararajan.athijegannathan at oracle.com> wrote:
>
>> Hi,
>>
>> Sorry I forgot to address the following issue. Filed a bug:
>> https://bugs.openjdk.java.net/browse/JDK-8033924
>>
>> It is a bug that "eval" code does not get the default permissions.
>>
>> Thanks for reporting.
>>
>> -Sundar
> Thanks Sundar for reporting this. I wonder if it is defined what
> codebase an evaluated piece of Java code should have (besides the
> general permission settings). Is there anything planned or existing? If
> I understand the patch correctly there is no specific code source which
> can be matched by policy (and no support for signing scripts).
>
> Greetings
> Bernd
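
Added example, not part of the original messages or of the Nashorn project: a Java security policy file showing the two cases discussed in this thread, the grant that eval'd script code falls under and a URL-based grant for a script brought in with "load". The host name, paths and permissions are constructed assumptions.

```java-policy
// Constructed example policy; host, paths and permissions are assumptions.

// Grant without a codeBase: applies to all code. Per the reply above,
// eval'd script code runs with a CodeSource whose URL is null, so this
// is the only kind of grant block it can match. Whatever is listed here
// is therefore available to any evaluated script text.
grant {
    permission java.util.PropertyPermission "user.name", "read";
};

// Grant with a codeBase: matched by a script brought in with
//   load("https://scripts.example.com/trusted/report.js")
// The loaded script gets these permissions for its URL, in addition to
// the all-code grant above. Code with a null-URL CodeSource (eval) does
// not match this block.
grant codeBase "https://scripts.example.com/trusted/-" {
    permission java.io.FilePermission "/var/app/reports/-", "read";
};
```

This assumes the JVM runs with a security manager enabled and with the `java.security.policy` system property pointing at this file.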