embedded security: jaas, and killing evaluation?

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

embedded security: jaas, and killing evaluation?

Erik Bunn-2


I have a couple of questions about embedding BeanShell that I didn't  
find answered with a quick scan of the archives.

First, security via JAAS and a SecurityManager. I need to prevent a  
script from reading files, using sockets, or calling System.exit().
I've managed to set up a dummy Subject with a custom  
ScriptingPrincipal whose context the BSH code is run in, and my  
security policy and JAAS configuration do more or less what I need.

More or less; there are still a couple of shaky spots in there, and  
I'd like to hear how others have gone about this task.
(Conversely, if anyone needs info on how to do this, drop me an email.)

Second, interrupting script execution: I also need to catch runaway  
scripts, both to prevent runaway loops and recursions, and in general  
just to avoid too computing intensive scripting tasks. (If that  
happens, I'll just need to provide an alternative to scripting a  
particular task.)
The JDK 1.5 concurrency utilities provide nice tools to assign worker  
threads and control timeouts, but browsing the sources and JavaDocs,  
I see no way of telling the bsh Interpreter to actually kill a  
running evaluation.

Is this correct? I've considered patching the source and adding an  
interrupt check, but it's not immediately obvious where in the  
interpreter code this would go; has anyone else done or explored this?

Other than these two stumbling blocks, bsh has been very handy, and  
answers our needs. Thanks to all involved;

Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
Beanshell-users mailing list
[hidden email]