StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

PO
primarykey
Id
1352263
data
AcceptedAnswerId
0
AnswerCount
0
ClosedDate
CommentCount
0
CommunityOwnedDate
CreationDate
2009-08-29T20:10:51.543
FavoriteCount
0
LastActivityDate
2013-06-06T21:51:41.230
LastEditDate
2017-05-23T12:01:22.063
LastEditorUserId
-1
OwnerUserId
164874
ParentId
1347099
PostTypeId
2
Score
18
ViewCount
0
LastEditorDisplayName
text
Body
It turns out that <code>javax.scripting</code> does not offer a security framework. After some searching I found a document in Google's cache that suggested trying to use Java's <code>doPrivilegedAction</code> framework but after some experimentation, I was unable to get this to prevent the scripts from opening sockets or accessing the filesystem. After I asked this question I discovered it was previously asked here on StackOverflow: <a href="https://stackoverflow.com/questions/93911/how-can-you-run-javascript-using-rhino-for-java-in-a-sandbox">How can you run Javascript using Rhino for Java in a sandbox?</a> On that page, it falsely indicates that the Rhino included in the JDK6 has security worked out already. As I indicated, I was able to open sockets and other harmful actions from the script. In the end I abandoned <code>javax.scripting</code> and embedded Rhino directly. By building a custom <code>ContextFactory</code> that is also a <code>ClassShutter</code> I was able to achieve two results easily: <ol> <li>Restricts script execution time to a maximum time limit</li> <li>Restricts class access to those I have white-listed, which is basically <code>java.lang.*</code> and a select few classes in my server's hierarchy.</li> </ol> CodeUtopia (which I can't link to because, as a new user, I'm not allowed to link to multiple pages in a single post; but it's linked in the other StackOverflow post) was valuable in describing the <code>ClassShutter</code> architecture and Rhino's own <code>ContextFactory</code> API page describes how to build a custom <code>ContextFactory</code>.
Tags
Title
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. POHow do I secure scripts run using javax.scripting?
 singulars
 PostTypePostTypeId
 PTQuestion
PostTypePostTypeId
1. PTAnswer
UserLastEditorUserId
1. USCommunity
UserOwnerUserId
1. USJeffrey D. Hoffman
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. POHow do I secure scripts run using javax.scripting?
 singulars
 PostTypePostTypeId
 PTQuestion
PostsParentIdCreationDate
1. This table or related slice is empty.
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
2. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTAcceptedByOriginator
3. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId
1. This table or related slice is empty.

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.