Class SecureJavascriptConfigurator

java.lang.Object
org.flowable.engine.cfg.AbstractProcessEngineConfigurator
org.flowable.scripting.secure.SecureJavascriptConfigurator
All Implemented Interfaces:
org.flowable.common.engine.impl.EngineConfigurator

public class SecureJavascriptConfigurator extends AbstractProcessEngineConfigurator
Author:
Joram Barrez
  • Field Details

    • secureScriptContextFactory

      public static SecureScriptContextFactory secureScriptContextFactory
    • secureScriptClassShutter

      public static SecureScriptClassShutter secureScriptClassShutter
    • enableClassWhiteListing

      protected boolean enableClassWhiteListing
      When true, by default all classes will be blacklisted and all classes that want to be used will need to be whitelisted individually.
    • whiteListedClasses

      protected Set<String> whiteListedClasses
      Whitelisted classes for script execution. By default empty (i.e. everything is blacklisted).

      From the Rhino ClassShutter javadoc: Due to the fact that there is no package reflection in Java, this method will also be called with package names. There is no way for Rhino to tell if "Packages.a.b" is a package name or a class that doesn't exist. What Rhino does is attempt to load each segment of "Packages.a.b.c": It first attempts to load class "a", then attempts to load class "a.b", then finally attempts to load class "a.b.c". On a Rhino installation without any ClassShutter set, and without any of the above classes, the expression "Packages.a.b.c" will result in a [JavaPackage a.b.c] and not an error.

      With ClassShutter supplied, Rhino will first call visibleToScripts before attempting to look up the class name. If visibleToScripts returns false, the class name lookup is not performed and subsequent Rhino execution assumes the class is not present. So for "java.lang.System.out.println" the lookup of "java.lang.System" is skipped and thus Rhino assumes that "java.lang.System" doesn't exist. So then for "java.lang.System.out", Rhino attempts to load the class "java.lang.System.out" because it assumes that "java.lang.System" is a package name.
    • maxScriptExecutionTime

      protected long maxScriptExecutionTime
      The maximum time (in ms) that a script is allowed to execute before stopping it. By default disabled.
    • maxStackDepth

      protected int maxStackDepth
      Limits the stack depth while calling functions within the script. By default disabled.
    • maxMemoryUsed

      protected long maxMemoryUsed
      Limits the memory used by the script. If the memory limit is reached, an exception will be thrown and the script will be stopped.
    • nrOfInstructionsBeforeStateCheckCallback

      protected int nrOfInstructionsBeforeStateCheckCallback
      The maximum script execution time and memory usage limits are implemented using a callback that is called every x instructions of the script. Note that these are not script instructions, but Java bytecode instructions (which means one script line can be thousands of bytecode instructions!).
    • scriptOptimizationLevel

      protected int scriptOptimizationLevel
      By default, no script optimization is applied. Change this setting to change the Rhino script optimization level. Note: some simple performance tests seem to indicate that for basic scripts raising this value actually gives worse results. Note: if using a maxStackDepth setting, the script optimization level will always be -1.
    • enableAccessToBeans

      protected boolean enableAccessToBeans
      When true, access to beans in AbstractEngineConfiguration.beans is enabled. By default disabled.
  • Constructor Details

    • SecureJavascriptConfigurator

      public SecureJavascriptConfigurator()
  • Method Details

    • beforeInit

      public void beforeInit(org.flowable.common.engine.impl.AbstractEngineConfiguration engineConfiguration)
      Specified by:
      beforeInit in interface org.flowable.common.engine.impl.EngineConfigurator
      Overrides:
      beforeInit in class AbstractProcessEngineConfigurator
    • initSecureScriptContextFactory

      protected void initSecureScriptContextFactory()
    • isEnableClassWhiteListing

      public boolean isEnableClassWhiteListing()
    • setEnableClassWhiteListing

      public SecureJavascriptConfigurator setEnableClassWhiteListing(boolean enableClassWhiteListing)
    • getWhiteListedClasses

      public Set<String> getWhiteListedClasses()
    • setWhiteListedClasses

      public SecureJavascriptConfigurator setWhiteListedClasses(Set<String> whiteListedClasses)
    • addWhiteListedClass

      public SecureJavascriptConfigurator addWhiteListedClass(String whiteListedClass)
    • getMaxScriptExecutionTime

      public long getMaxScriptExecutionTime()
    • setMaxScriptExecutionTime

      public SecureJavascriptConfigurator setMaxScriptExecutionTime(long maxScriptExecutionTime)
    • getNrOfInstructionsBeforeStateCheckCallback

      public int getNrOfInstructionsBeforeStateCheckCallback()
    • setNrOfInstructionsBeforeStateCheckCallback

      public SecureJavascriptConfigurator setNrOfInstructionsBeforeStateCheckCallback(int nrOfInstructionsBeforeStateCheckCallback)
    • getMaxStackDepth

      public int getMaxStackDepth()
    • setMaxStackDepth

      public SecureJavascriptConfigurator setMaxStackDepth(int maxStackDepth)
    • getMaxMemoryUsed

      public long getMaxMemoryUsed()
    • setMaxMemoryUsed

      public SecureJavascriptConfigurator setMaxMemoryUsed(long maxMemoryUsed)
    • getScriptOptimizationLevel

      public int getScriptOptimizationLevel()
    • setScriptOptimizationLevel

      public SecureJavascriptConfigurator setScriptOptimizationLevel(int scriptOptimizationLevel)
    • getSecureScriptContextFactory

      public SecureScriptContextFactory getSecureScriptContextFactory()
    • getSecureScriptClassShutter

      public static SecureScriptClassShutter getSecureScriptClassShutter()
    • setEnableAccessToBeans

      public SecureJavascriptConfigurator setEnableAccessToBeans(boolean enableAccessToBeans)
    • isEnableAccessToBeans

      public boolean isEnableAccessToBeans()
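
The segment-by-segment lookup described under whiteListedClasses can be observed with a plain Rhino ClassShutter. The following is an added example, not Flowable's SecureScriptClassShutter or any code from the project; it assumes Rhino is on the classpath and Java 9+, and the class name ClassShutterLookupDemo and the one-entry allowlist are constructed for the demo.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

import org.mozilla.javascript.ClassShutter;
import org.mozilla.javascript.Context;
import org.mozilla.javascript.RhinoException;
import org.mozilla.javascript.Scriptable;

public class ClassShutterLookupDemo {

    // Constructed allowlist for this demo only; exact-match, like a whitelist of class names.
    static final Set<String> ALLOWED = Set.of("java.util.ArrayList");

    /** Evaluates one script under an allowlisting ClassShutter and returns every name Rhino asked about. */
    static List<String> run(String script) {
        List<String> asked = new ArrayList<>();
        Context cx = Context.enter();
        try {
            // Rhino calls this for package prefixes as well as class names.
            ClassShutter shutter = name -> {
                asked.add(name);
                return ALLOWED.contains(name);
            };
            cx.setClassShutter(shutter);
            Scriptable scope = cx.initStandardObjects();
            Object result = cx.evaluateString(scope, script, "demo.js", 1, null);
            System.out.println("OK      " + script + " -> " + Context.toString(result));
        } catch (RhinoException e) {
            // A denied class is treated as a package, so using it as a class fails here.
            System.out.println("BLOCKED " + script + " -> " + e.details());
        } finally {
            Context.exit();
        }
        System.out.println("        visibleToScripts asked about: " + asked);
        return asked;
    }

    public static void main(String[] args) {
        // Allowed class: the prefix "java.util" is denied but the full class name is visible.
        run("var l = new java.util.ArrayList(); l.add('a'); l.size()");
        // Denied class: "java.lang.System" is skipped, so deeper segments are probed as class names.
        run("java.lang.System.out.println('hi')");
    }
}
```

The printed list of names shows why a whitelist only needs full class names: denied prefixes such as a package name simply fall through to the next segment.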