Against external attacks, Drools supports knowledge base signing and checking using standard asymmetric keys infrastructure. Regarding the web application, I will let one of the guvnor guys talk about that. Against internal attacks, i.e., someone deliberately adding a malicious rule into the application, the only way is through company policies and processes that ensure a workflow for rule approval. Drools offers audit logs (runtime) and standard versioning history (in guvnor, authoring time) to track changes.

   Edson


On Wed, Nov 9, 2011 at 11:42 AM, kapokfly <ivan.jiang.ww@foxmail.com> wrote:
Not sure if anyone can share their experiences on what kind of test cases for
Drools security should be developed and ensured?

As a rule is just a piece of code in String format which can be hooked
into the JVM, we can assume that might open some holes, and the necessary security
test cases need to be designed against them.

Can anyone share their experiences on this?

Thanks...


--
  Edson Tirelli
  JBoss Drools Core Development
  JBoss by Red Hat @ www.jboss.com
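To make the "signing and checking" point concrete as a set of test cases, here is an added illustration using only the JDK's java.security API; it is not Drools' own signing code (Drools wires this up through its serialization settings, such as drools.serialization.sign and the private/public keystore properties), and the package bytes, key pair and algorithm choice are constructed here for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;

/** Added illustration: sign a serialized rule package and refuse any copy
 *  whose signature does not verify. Not Drools' KeyStoreHelper. */
public class SignedPackageCheck {

    // Assumption: any JCA signature algorithm behaves the same for this check.
    static final String ALGORITHM = "SHA256withRSA";

    /** Authoring/deploy side: sign the package bytes with the private key. */
    static byte[] sign(byte[] packageBytes, PrivateKey priv) throws GeneralSecurityException {
        Signature s = Signature.getInstance(ALGORITHM);
        s.initSign(priv);
        s.update(packageBytes);
        return s.sign();
    }

    /** Runtime side: verify against the trusted public key BEFORE deserializing. */
    static boolean verify(byte[] packageBytes, byte[] signature, PublicKey pub) throws GeneralSecurityException {
        Signature s = Signature.getInstance(ALGORITHM);
        s.initVerify(pub);
        s.update(packageBytes);
        return s.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair trusted = kpg.generateKeyPair();

        // Constructed stand-in for a serialized knowledge package.
        byte[] pkg = "rule \"approve\" when Order(total < 100) then approve(); end"
                .getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(pkg, trusted.getPrivate());

        // Test case 1: the untouched package verifies.
        System.out.println("original verifies:    " + verify(pkg, sig, trusted.getPublic()));

        // Test case 2: a package altered after signing (one byte flipped) must be rejected.
        byte[] tampered = pkg.clone();
        tampered[tampered.length / 2] ^= 0x01;
        System.out.println("tampered verifies:    " + verify(tampered, sig, trusted.getPublic()));

        // Test case 3: a package signed with a key that is not in the trusted keystore must be rejected.
        KeyPair foreign = kpg.generateKeyPair();
        byte[] foreignSig = sign(pkg, foreign.getPrivate());
        System.out.println("foreign key verifies: " + verify(pkg, foreignSig, trusted.getPublic()));
    }
}
```

Cases 2 and 3 are the ones a security test suite should assert return false; case 1 guards against a verifier that is accidentally never run.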