Is it possible to limit java classes accessible fr...
# scripting
s
Is it possible to limit java classes accessible from scripts to specific packages?
i
There is no specific functionality in the scripting API, but you control both compilation classpath and evaluation classloader, so you can control it with some effort.
s
Maybe I could set the actualClassLoader with reflection, but I'd need to have access to the compiled script, which is probably out of scope for the JSR engine
In the meantime, I ended up forking scripting-commons and scripting-compiler to add a
List<String>
whitelist consisting of package/class names to the
CompiledScriptClassLoader
It's not an optimal solution, but it gets the job done
i
actualClassloader
is for internal use, but you can set
baseClassLoader
instead, no reflection is needed. You probably also want to set
loadDependencies
to false and manage dependencies manually in your classloader.
s
Worked like a charm, thanks!