Package freemarker.ext.beans
Class WhitelistMemberAccessPolicy
- java.lang.Object
  - freemarker.ext.beans.MemberSelectorListMemberAccessPolicy
    - freemarker.ext.beans.WhitelistMemberAccessPolicy
- All Implemented Interfaces: MemberAccessPolicy

public class WhitelistMemberAccessPolicy extends MemberSelectorListMemberAccessPolicy
Whitelist-based member access policy, that is, only members that are matched by the listing will be exposed. Note that BeansWrapper and its subclasses don't discover all members in the first place, and the MemberAccessPolicy just removes from that set of members, never adds to it.

The whitelist content is usually application specific, and can be significant work to put together, but it's the only way you can achieve any practical safety when you don't fully trust the users who can edit templates.

See more about the rules at MemberSelectorListMemberAccessPolicy. The TemplateAccessible annotation may be used to add members to the whitelist.

Of course, this can only deal with the ObjectWrapper aspect of safety; please check the Manual to see what else is needed. Also, since this is related to security, read the documentation of MemberAccessPolicy to know about the pitfalls and edge cases related to MemberAccessPolicy-es in general.

- Since: 2.3.30
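
The following is an added example, not part of the FreeMarker documentation: it builds a whitelist from selector strings, probes it through the inherited forClass method, and installs it on the object wrapper. The java.io.File selectors are a constructed sample list; MemberSelector.parse, ClassMemberAccessPolicy.isMethodExposed and DefaultObjectWrapperBuilder.setMemberAccessPolicy are FreeMarker 2.3.30 API calls that this page does not itself show.

```java
import freemarker.ext.beans.ClassMemberAccessPolicy;
import freemarker.ext.beans.MemberSelectorListMemberAccessPolicy.MemberSelector;
import freemarker.ext.beans.WhitelistMemberAccessPolicy;
import freemarker.template.Configuration;
import freemarker.template.DefaultObjectWrapperBuilder;

import java.io.File;
import java.util.Arrays;
import java.util.List;

public class WhitelistPolicyExample {

    /** Builds a whitelist naming two read-only java.io.File methods (constructed sample list). */
    static WhitelistMemberAccessPolicy buildPolicy() throws Exception {
        List<String> selectorStrings = Arrays.asList(
                "java.io.File.getName()",
                "java.io.File.length()");
        // false: a selector naming a missing class or member is an error, so a typo
        // in the whitelist fails at startup instead of being silently dropped.
        List<MemberSelector> selectors = MemberSelector.parse(
                selectorStrings, false, WhitelistPolicyExample.class.getClassLoader());
        return new WhitelistMemberAccessPolicy(selectors);
    }

    /** Asks the policy whether a no-argument method, looked up on java.io.File, is exposed. */
    static boolean isExposed(WhitelistMemberAccessPolicy policy, String methodName) throws Exception {
        ClassMemberAccessPolicy forFile = policy.forClass(File.class);
        return forFile.isMethodExposed(File.class.getMethod(methodName));
    }

    public static void main(String[] args) throws Exception {
        WhitelistMemberAccessPolicy policy = buildPolicy();

        // Probe the policy before trusting it: one listed member, two unlisted ones.
        for (String name : Arrays.asList("getName", "delete", "getClass")) {
            System.out.println(name + " exposed: " + isExposed(policy, name));
        }
        System.out.println("toString always exposed: " + policy.isToStringAlwaysExposed());

        // Install the policy on the object wrapper used for templates that
        // not fully trusted users can edit.
        DefaultObjectWrapperBuilder builder =
                new DefaultObjectWrapperBuilder(Configuration.VERSION_2_3_30);
        builder.setMemberAccessPolicy(policy);
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_30);
        cfg.setObjectWrapper(builder.build());
    }
}
```

Probing the policy with forClass in a unit test is a cheap way to catch a whitelist that exposes more than intended before it reaches production.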

Nested Class Summary
Nested classes/interfaces inherited from class freemarker.ext.beans.MemberSelectorListMemberAccessPolicy: MemberSelectorListMemberAccessPolicy.MemberSelector

Constructor Summary
- WhitelistMemberAccessPolicy(java.util.Collection<? extends MemberSelectorListMemberAccessPolicy.MemberSelector> memberSelectors)

Method Summary
- boolean isToStringAlwaysExposed(): If this returns true, we won't invoke the probably more expensive lookup to figure out if Object.toString() (including its overridden variants) is exposed for a given object.
Methods inherited from class freemarker.ext.beans.MemberSelectorListMemberAccessPolicy: forClass

Constructor Detail
WhitelistMemberAccessPolicy
public WhitelistMemberAccessPolicy(java.util.Collection<? extends MemberSelectorListMemberAccessPolicy.MemberSelector> memberSelectors)
- Parameters:
  memberSelectors - List of member selectors; see MemberSelectorListMemberAccessPolicy class-level documentation for more.

Method Detail
isToStringAlwaysExposed
public boolean isToStringAlwaysExposed()
Description copied from interface: MemberAccessPolicy
If this returns true, we won't invoke the probably more expensive lookup to figure out if Object.toString() (including its overridden variants) is exposed for a given object. If this returns false, then no such optimization is made. This method was introduced as Object.toString() is called frequently, as it's used whenever an object is converted to string, like printed to the output, and it's not even a reflection-based call (we just call Object.toString() in Java). So we try to avoid the overhead of a more generic method call.