Class SecureJavascriptConfigurator

  • All Implemented Interfaces:
    org.flowable.common.engine.impl.EngineConfigurator

    public class SecureJavascriptConfigurator
    extends AbstractProcessEngineConfigurator
    Author:
    Joram Barrez
    • Field Detail

      • enableClassWhiteListing

        protected boolean enableClassWhiteListing
        When true, all classes are blacklisted by default, and every class a script uses must be whitelisted individually.
      • whiteListedClasses

        protected Set<String> whiteListedClasses
        Whitelisted classes for script execution. By default empty (i.e. everything is blacklisted).

        From the Rhino ClassShutter javadoc: Due to the fact that there is no package reflection in Java, this method will also be called with package names. There is no way for Rhino to tell if "Packages.a.b" is a package name or a class that doesn't exist. What Rhino does is attempt to load each segment of "Packages.a.b.c": It first attempts to load class "a", then attempts to load class "a.b", then finally attempts to load class "a.b.c". On a Rhino installation without any ClassShutter set, and without any of the above classes, the expression "Packages.a.b.c" will result in a [JavaPackage a.b.c] and not an error.

        With ClassShutter supplied, Rhino will first call visibleToScripts before attempting to look up the class name. If visibleToScripts returns false, the class name lookup is not performed and subsequent Rhino execution assumes the class is not present.

        So for "java.lang.System.out.println" the lookup of "java.lang.System" is skipped and thus Rhino assumes that "java.lang.System" doesn't exist. So then for "java.lang.System.out", Rhino attempts to load the class "java.lang.System.out" because it assumes that "java.lang.System" is a package name.
      • maxScriptExecutionTime

        protected long maxScriptExecutionTime
        The maximum time (in ms) that a script is allowed to execute before it is stopped. By default disabled.
      • maxStackDepth

        protected int maxStackDepth
        Limits the stack depth while calling functions within the script. By default disabled.
      • maxMemoryUsed

        protected long maxMemoryUsed
        Limits the memory used by the script. If the memory limit is reached, an exception will be thrown and the script will be stopped.
      • nrOfInstructionsBeforeStateCheckCallback

        protected int nrOfInstructionsBeforeStateCheckCallback
        The maximum script execution time and memory usage limits are implemented using a callback that is called every x instructions of the script. Note that these are not script instructions, but Java bytecode instructions (which means one script line can be thousands of bytecode instructions!).
      • scriptOptimizationLevel

        protected int scriptOptimizationLevel
        By default, no script optimization is applied. Change this setting to change the Rhino script optimization level. Note: some simple performance tests seem to indicate that, for basic scripts, raising this value actually gives worse results. Note: if using a maxStackDepth setting, the script optimization level will always be -1.
      • enableAccessToBeans

        protected boolean enableAccessToBeans
        When true, access to beans in AbstractEngineConfiguration.beans is enabled. By default disabled.
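
The lookup behaviour quoted under whiteListedClasses, as an added example that is not part of the Flowable Javadoc and is not Flowable's own shutter: a standalone Rhino program (assumes Rhino on the classpath and Java 9+) whose WhitelistShutter records every name Rhino passes to visibleToScripts. ClassShutterDemo and WhitelistShutter are hypothetical names chosen for this illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import org.mozilla.javascript.ClassShutter;
import org.mozilla.javascript.Context;
import org.mozilla.javascript.RhinoException;
import org.mozilla.javascript.Scriptable;

// Illustrative only: hypothetical class names, constructed sample scripts.
public class ClassShutterDemo {

    // Allows only whitelisted names and records every name Rhino asks about,
    // which includes package-like segments as well as real class names.
    static class WhitelistShutter implements ClassShutter {
        final Set<String> allowed;
        final List<String> asked = new ArrayList<>();
        WhitelistShutter(Set<String> allowed) { this.allowed = allowed; }

        @Override
        public boolean visibleToScripts(String name) {
            asked.add(name);
            return allowed.contains(name);
        }
    }

    // Evaluates one script in a fresh Context guarded by the given shutter.
    static String run(String script, WhitelistShutter shutter) {
        Context cx = Context.enter();
        try {
            cx.setClassShutter(shutter); // may be set only once per Context
            Scriptable scope = cx.initStandardObjects();
            return Context.toString(cx.evaluateString(scope, script, "demo", 1, null));
        } catch (RhinoException e) {
            // A denied class is treated as a package, so using it fails at call time.
            return "error: " + e.getMessage();
        } finally {
            Context.exit();
        }
    }

    public static void main(String[] args) {
        String[] scripts = {
            "var l = new java.util.ArrayList(); l.add('x'); l.size()", // whitelisted
            "java.lang.System.getProperty('user.home')"                // not whitelisted
        };
        for (String script : scripts) {
            WhitelistShutter shutter = new WhitelistShutter(Set.of("java.util.ArrayList"));
            System.out.println(script + "\n  -> " + run(script, shutter));
            System.out.println("  names checked: " + shutter.asked);
        }
    }
}
```

The "names checked" line for the second script shows Rhino continuing past the denied java.lang.System and asking about the longer dotted name, which is why whitelist entries must be exact, fully qualified class names.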
    • Constructor Detail

      • SecureJavascriptConfigurator

        public SecureJavascriptConfigurator()
    • Method Detail

      • beforeInit

        public void beforeInit(org.flowable.common.engine.impl.AbstractEngineConfiguration engineConfiguration)
        Specified by:
        beforeInit in interface org.flowable.common.engine.impl.EngineConfigurator
        Overrides:
        beforeInit in class AbstractProcessEngineConfigurator
      • initSecureScriptContextFactory

        protected void initSecureScriptContextFactory()
      • isEnableClassWhiteListing

        public boolean isEnableClassWhiteListing()
      • getWhiteListedClasses

        public Set<String> getWhiteListedClasses()
      • getMaxScriptExecutionTime

        public long getMaxScriptExecutionTime()
      • getNrOfInstructionsBeforeStateCheckCallback

        public int getNrOfInstructionsBeforeStateCheckCallback()
      • setNrOfInstructionsBeforeStateCheckCallback

        public SecureJavascriptConfigurator setNrOfInstructionsBeforeStateCheckCallback(int nrOfInstructionsBeforeStateCheckCallback)
      • getMaxStackDepth

        public int getMaxStackDepth()
      • getMaxMemoryUsed

        public long getMaxMemoryUsed()
      • getScriptOptimizationLevel

        public int getScriptOptimizationLevel()
      • isEnableAccessToBeans

        public boolean isEnableAccessToBeans()