[rules-users] Drools6.0 Security Issues
Wolfgang Laun
wolfgang.laun at gmail.com
Fri Dec 27 07:41:21 EST 2013
An automatic import of java.lang.* isn't a Drools feature - it is a Java
feature, and, ultimately, RHS code needs to be passed to a Java compiler.
Moreover, even when Java itself would not automatically import
java.lang.Process, using the full-blown class name in the code still
gives you access to that class.
-W
On 27/12/2013, 18922445710 <18922445710 at 189.cn> wrote:
> Hello, everyone,
> Greetings!
>
> I want to use Drools6.0 in my project, but I found a security issue. The
> Drools6.0 automatically imports the java.lang.* packages.
> As we all know, these packages include some package such as the Process
> class, which can damage the application's security.
> So, I want to know how to prohibit some package from executing in rule
> configure file (including drl, decision tables) or program code.
> Thank you everyone.
>
> With my best wishes!
>
> Sincerely yours, philip
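
Added example, not part of the original thread and not Drools code: it asks the JDK compiler which type references resolve in a source file that has no import statements, which is the point made in the reply above. A simple name from java.lang and any fully qualified name resolve, while a simple name from another package does not, so an import list is not a place to enforce a restriction. The class name Probe and the method rhs() are made up here as a stand-in for the Java code generated from a rule's RHS.

```java
import javax.tools.*;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;

// Added illustration. Sources are compiled from memory only; nothing is executed.
public class ImplicitImportDemo {

    // In-memory compilation unit. The class name "Probe" is made up for this
    // example and stands in for the Java code generated from a rule's RHS.
    static final class Source extends SimpleJavaFileObject {
        private final String code;
        Source(String code) {
            super(URI.create("string:///Probe.java"), Kind.SOURCE);
            this.code = code;
        }
        @Override
        public CharSequence getCharContent(boolean ignoreEncodingErrors) {
            return code;
        }
    }

    // True if a method body that declares a variable of typeName compiles in a
    // compilation unit containing no import statement at all.
    static boolean resolvesWithoutImport(JavaCompiler javac, Path out, String typeName) {
        String code = "public class Probe { void rhs() { " + typeName + " x = null; } }";
        DiagnosticCollector<JavaFileObject> diags = new DiagnosticCollector<>();
        List<String> options = List.of("-d", out.toString());
        return javac.getTask(null, null, diags, options, null, List.of(new Source(code))).call();
    }

    public static void main(String[] args) throws Exception {
        JavaCompiler javac = ToolProvider.getSystemJavaCompiler();
        if (javac == null) {
            throw new IllegalStateException("a JDK (not a JRE) is required");
        }
        Path out = Files.createTempDirectory("probe"); // class files land here
        List<String> types = List.of(
                "Process",                                    // java.lang, simple name
                "java.lang.Process",                          // java.lang, full name
                "AtomicInteger",                              // other package, simple name
                "java.util.concurrent.atomic.AtomicInteger"); // other package, full name
        for (String t : types) {
            System.out.printf("%-42s %b%n", t, resolvesWithoutImport(javac, out, t));
        }
    }
}
```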