public class SecureIntrospectorImpl extends Introspector implements SecureIntrospectorControl
Prevent "dangerous" classloader/reflection related calls. Use this introspector for situations in which template writers are numerous or untrusted. Specifically, this introspector prevents creation of arbitrary objects and prevents reflection on objects.
See documentation of checkObjectExecutePermission() for more information on specific classes and methods blocked.
Modifier and Type | Field and Description |
---|---|
private java.lang.String[] | badClasses |
private java.lang.String[] | badPackages |
log
Constructor and Description |
---|
SecureIntrospectorImpl(java.lang.String[] badClasses, java.lang.String[] badPackages, org.slf4j.Logger log) |
Modifier and Type | Method and Description |
---|---|
boolean | checkObjectExecutePermission(java.lang.Class<?> clazz, java.lang.String methodName) Determine which methods and classes to prevent from executing. |
java.lang.reflect.Method | getMethod(java.lang.Class<?> clazz, java.lang.String methodName, java.lang.Object[] params) Get the Method object corresponding to the given class, name and parameters. |
getField, getIntrospectorCache
private java.lang.String[] badClasses
private java.lang.String[] badPackages
public SecureIntrospectorImpl(java.lang.String[] badClasses, java.lang.String[] badPackages, org.slf4j.Logger log)
public java.lang.reflect.Method getMethod(java.lang.Class<?> clazz, java.lang.String methodName, java.lang.Object[] params) throws java.lang.IllegalArgumentException
Overrides: getMethod in class Introspector
Parameters:
clazz - Class on which method will be called
methodName - Name of method to be called
params - array of parameters to method
Throws:
java.lang.IllegalArgumentException - The parameters passed in were incorrect.
public boolean checkObjectExecutePermission(java.lang.Class<?> clazz, java.lang.String methodName)
introspector.restrict.classes and introspector.restrict.packages.
Specified by: checkObjectExecutePermission in interface SecureIntrospectorControl
Parameters:
clazz - Class on which method will be called
methodName - Name of method to be called
See Also: SecureIntrospectorControl.checkObjectExecutePermission(java.lang.Class, java.lang.String)
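The following is an added example, not code from the Velocity project: it calls the constructor and checkObjectExecutePermission() documented above and prints the decision for several (class, method) pairs, which is a quick way to audit a deny list before exposing templates to untrusted writers. The deny-list entries and the probe pairs are constructed for illustration, and an slf4j binding is assumed to be on the classpath.

```java
import org.apache.velocity.util.introspection.SecureIntrospectorImpl;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class SecureIntrospectorAudit {

    public static void main(String[] args) {
        // Constructed deny lists (assumption). In a deployment these values come from
        // introspector.restrict.classes and introspector.restrict.packages.
        String[] badClasses = {
            "java.lang.ClassLoader", "java.lang.Runtime", "java.lang.System", "java.lang.Thread"
        };
        String[] badPackages = { "java.lang.reflect" };

        Logger log = LoggerFactory.getLogger(SecureIntrospectorAudit.class);
        SecureIntrospectorImpl introspector =
            new SecureIntrospectorImpl(badClasses, badPackages, log);

        // Constructed probes: (class, method) pairs a template reference could resolve to.
        Object[][] probes = {
            { String.class, "length" },                    // class in neither list
            { Runtime.class, "exec" },                     // class named in badClasses
            { java.lang.reflect.Method.class, "invoke" },  // class inside a badPackages entry
            { Class.class, "forName" },                    // reflection entry point on Class
            { Object.class, "wait" },                      // thread-control method on any object
            { java.util.ArrayList.class, "size" }          // ordinary collection call
        };

        for (Object[] probe : probes) {
            Class<?> clazz = (Class<?>) probe[0];
            String methodName = (String) probe[1];
            boolean allowed = introspector.checkObjectExecutePermission(clazz, methodName);
            System.out.printf("%-28s %-10s %s%n",
                clazz.getName(), methodName, allowed ? "allowed" : "BLOCKED");
        }
    }
}
```

Any pair reported as allowed that should not be reachable from a template points to an entry missing from the configured lists.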