Class OptInTemplateClassResolver

    • Constructor Detail

      • OptInTemplateClassResolver

        public OptInTemplateClassResolver​(java.util.Set allowedClasses,
                                          java.util.List trustedTemplates)
        Creates a new instance.
        Parameters:
        allowedClasses - the Set of String-s that contains the full-qualified names of the allowed classes. Can be null (means not class is allowed).
        trustedTemplates - the List of String-s that contains template names (i.e., template root directory relative paths) and prefix patterns (like "include/*") of templates for which TemplateClassResolver.SAFER_RESOLVER will be used (which is not as safe as OptInTemplateClassResolver). The list items need not start with "/" (if they are, it will be removed). List items ending with "*" are treated as prefixes (i.e. "foo*" matches "foobar", "foo/bar/baaz", "foowhatever/bar/baaz", etc.). The "*" has no special meaning anywhere else. The matched template name is the name (template root directory relative path) of the template that directly (lexically) contains the operation (like ?new) that wants to get the class. Thus, if a trusted template includes a non-trusted template, the allowedClasses restriction will apply in the included template. This parameter can be null (means no trusted templates).
    • Method Detail

      • resolve

        public java.lang.Class resolve​(java.lang.String className,
                                       Environment env,
                                       Template template)
                                throws TemplateException
        Description copied from interface: TemplateClassResolver
        Gets a Class based on the class name.
        Specified by:
        resolve in interface TemplateClassResolver
        Parameters:
        className - the full-qualified class name
        env - the environment in which the template executes
        template - the template where the operation that require the class resolution resides in. This is null if the call doesn't come from a template.
        Throws:
        TemplateException - if the class can't be found or shouldn't be accessed from a template for security reasons.
      • safeGetTemplateName

        protected java.lang.String safeGetTemplateName​(Template template)
        Extract the template name from the template object which will be matched against the trusted template names and pattern.