My take is 1) for now (i.e. 1.7) and you prepare a generic design
proposal for 1.8 regarding script security and API access in general
(APIs that don't require special rights and "privileged" APIs).
WDYT?
Thanks
-Vincent
On Nov 18, 2008, at 4:48 PM, Thomas Mortagne wrote:
Hi devs,
I'm finishing the generic script macro (based on jsr 223) and the
groovy macro based on it.
It's working pretty well but I have a last issue: what do we do
about security?
I can't commit as it is because, like the "old" groovy macros, you can
do almost everything, so we have to protect the script macros from
"simple" users.
Now how do we do that?
1) The quickest is to use the programming right with some bridge like
the old groovy macro, but it would be better to get rid of this special
right in the new architecture.
2) We could also use the JAVA security policy to run the scripts in a
"sandbox", but I think it means that the XWiki platform called by a
script is also running in the same limited sandbox (?).
3) groovy has its own support of JAVA security policy (see
http://groovy.codehaus.org/Security) which gives us the best control on
it, but it means it's only groovy.
2) and 3) also mean that we have to define the exhaustive list of allowed
or forbidden JVM APIs.
I'm -1 for 1), I'm not sure about the details of 2) and I would prefer
to be as generic as possible, so I don't like 3) very much.
I have not looked deeply at 2) and 3) yet; it's just a first mail to
find out if someone has already played with these concepts in JAVA.
So WDYT? Any other ideas?
--
Thomas Mortagne
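The question raised in option 2) above, whether platform code called from a sandboxed script runs under the script's restrictions, comes down to how the Java security policy walks the call stack. The following is an added example, not XWiki code: it runs a "script" (a plain Runnable standing in for a JSR 223 engine) under an AccessControlContext that holds no permissions, and shows that a trusted platform method is denied when reached from the script, unless the platform method itself asserts its own privileges with AccessController.doPrivileged. It assumes a JDK that still allows installing a SecurityManager (up to 17; on 18 through 23 run with -Djava.security.manager=allow).

```java
import java.security.*;

public class ScriptSandboxDemo {
    // Trusted "platform" code that a script would reach through the wiki API.
    static String platformReadsProperty() {
        return System.getProperty("user.home");
    }
    // Same operation, but the platform explicitly asserts its own privileges,
    // so the stack walk stops here and the script's restricted context is not consulted.
    static String platformReadsPropertyPrivileged() {
        return AccessController.doPrivileged(
            (PrivilegedAction<String>) () -> System.getProperty("user.home"));
    }
    // A context whose only domain is static and holds exactly the given permissions.
    static AccessControlContext sandbox(Permissions perms) {
        return new AccessControlContext(new ProtectionDomain[] {
            new ProtectionDomain(null, perms) });
    }
    // Run the script so that every permission check also intersects with 'ctx'.
    static void runScript(Runnable script, AccessControlContext ctx) {
        AccessController.doPrivileged(
            (PrivilegedAction<Void>) () -> { script.run(); return null; }, ctx);
    }
    public static void main(String[] args) {
        // Trust the application's own classes; restriction comes only from the sandbox context.
        Policy.setPolicy(new Policy() {
            @Override public boolean implies(ProtectionDomain d, Permission p) { return true; }
        });
        System.setSecurityManager(new SecurityManager());
        AccessControlContext noPerms = sandbox(new Permissions()); // empty: nothing granted
        try {
            runScript(() -> platformReadsProperty(), noPerms);
            System.out.println("unexpected: platform call from the script succeeded");
        } catch (AccessControlException e) {
            // The platform frame is on the stack, but so is the script context.
            System.out.println("platform call from script denied: " + e.getPermission());
        }
        // The privileged variant succeeds because doPrivileged cuts the walk at the platform frame.
        runScript(() -> System.out.println(
            "privileged platform call ok: " + platformReadsPropertyPrivileged()), noPerms);
    }
}
```

The practical consequence for option 2) is that every platform entry point the scripts may legitimately use has to be wrapped in doPrivileged, which is itself the "exhaustive list" that the mail expects to have to define.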