I am looking to sandbox Java 8's Nashorn JavaScript engine. I've already discovered the --no-java flag, which helps, but I've also found the following link saying that one needs to be "running with SecurityManager enabled": http://mail.openjdk.java.net/pipermail/nashorn-dev/2013-September/002010.html
I haven't found documentation addressing how this is done with Nashorn, so how should this be done safely?
I know you probably don't need that anyway anymore, but for those who got here looking for an easy way to run Nashorn in a sandbox: if you just want to prevent scripts from using reflection, set up a ClassFilter. This way you can allow the use of only SOME of the available classes... or none at all.
```java
import javax.script.ScriptEngine;
import jdk.nashorn.api.scripting.ClassFilter;
import jdk.nashorn.api.scripting.NashornScriptEngineFactory;

NashornScriptEngineFactory factory = new NashornScriptEngineFactory();
ScriptEngine scriptEngine = factory.getScriptEngine(
    new String[] { "--no-java" }, // a quick way to disable direct access to java API
    null,                         // a ClassLoader, let's just ignore it
    new ClassFilter() {           // this one simply forbids use of any java classes, including reflection
        @Override
        public boolean exposeToScripts(String string) {
            return false;
        }
    }
);
```
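The answer's "only SOME of the available classes" case, as an added example that is not part of the original answer: an allowlist ClassFilter exercised with a few constructed scripts. The class name `AllowlistSandboxDemo`, the `ALLOWED` set and the sample scripts are assumptions made for illustration, and `--no-java` is left out here so that `Java.type` stays available for the allowed classes.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.script.ScriptEngine;
import javax.script.ScriptException;
import jdk.nashorn.api.scripting.ClassFilter;
import jdk.nashorn.api.scripting.NashornScriptEngineFactory;

// Added example: allowlist ClassFilter (ClassFilter requires JDK 8u40 or later).
public class AllowlistSandboxDemo {

    // Hypothetical allowlist for this demo; every class not listed is hidden from scripts.
    static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.util.ArrayList", "java.math.BigDecimal"));

    static ScriptEngine newEngine() {
        // Nashorn calls exposeToScripts(className) each time a script resolves a Java class.
        ClassFilter filter = ALLOWED::contains;
        return new NashornScriptEngineFactory()
                .getScriptEngine(new String[0], null, filter);
    }

    // Returns the script's result, or "ERROR: <exception type>" if evaluation fails.
    static String run(ScriptEngine engine, String script) {
        try {
            return String.valueOf(engine.eval(script));
        } catch (ScriptException | RuntimeException e) {
            // Filtered classes surface as ClassNotFoundException wrapped in one of these.
            return "ERROR: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        ScriptEngine engine = newEngine();
        // Constructed sample scripts: two use allowed classes, two reach outside the allowlist.
        String[] scripts = {
            "var L = Java.type('java.util.ArrayList'); var l = new L(); l.add(1); l.size()",
            "new (Java.type('java.math.BigDecimal'))('1.50').scale()",
            "Java.type('java.io.File')",
            "java.lang.System.getProperty('user.home')"
        };
        for (String s : scripts) {
            System.out.println(run(engine, s) + "  <-  " + s);
        }
    }
}
```

A ClassFilter controls only which Java classes scripts can see; it does not bound how long a script runs or how much memory it uses.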