3:19 a.m.
Hello, everyone,
Greetings!
I want to use Drools6.0 in my project,but I found a security issue. The Drools6.0
automatically import the java.lang.* packages.
As we all know, thess packages including some package such as Process class,which can
damage the application's security.
So, I want know how to prohibit some package from executing in rule configure
file(including drl,decistion tablea) or program code.
Thank you everyone .
With my best wishes!
Sincerely yours, philip
6:41 a.m.
New subject: Drools6.0 Security Issues
An automatic import of java.lang.* isn't a Drools feature - it is a Java
feature, and, ultimately, RHS code needs to be passed to a Java compiler.
Moreover, even when Java itself would not automatically import
java.lang.Process,
using the full-blown class name in the code still gives you access to
that class.
-W
On 27/12/2013, 18922445710 <18922445710(a)189.cn> wrote:
Hello, everyone,
Greetings!
I want to use Drools6.0 in my project,but I found a security issue. The
Drools6.0 automatically import the java.lang.* packages.
As we all know, thess packages including some package such as Process
class,which can damage the application's security.
So, I want know how to prohibit some package from executing in rule
configure file(including drl,decistion tablea) or program code.
Thank you everyone .
With my best wishes!
Sincerely yours, philip
7:24 a.m.
New subject: Drools6.0 Security Issues
Thank you for your reply.
If existing some package or class on the rule 's RHS ,How to filter them
,and forbid execute this rule.
--
View this message in context:
http://drools.46999.n3.nabble.com/rules-users-Drools6-0-Security-Issues-t...
Sent from the Drools: User forum mailing list archive at Nabble.com.
1:50 p.m.
New subject: Drools6.0 Security Issues
You might want to look into the topic of the Java platform's security manager,
which provides features for running untrusted SW. This list may not be the
best place to ask about details w.r.t. this topic.
The idea of inspecting DRL source code to detect the (malicious) usage of
some class or other is, most certainly, not a good idea.
-W
On 27/12/2013, philip <18922445710(a)189.cn> wrote:
Thank you for your reply.
If existing some package or class on the rule 's RHS ,How to filter
them
,and forbid execute this rule.
--
View this message in context:
http://drools.46999.n3.nabble.com/rules-users-Drools6-0-Security-Issues-t...
Sent from the Drools: User forum mailing list archive at Nabble.com.
_______________________________________________
rules-users mailing list
rules-users(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/rules-users
3991
days inactive
3991
days old
3 comments
3 participants
participants (3)
-
18922445710 -
philip
-
Wolfgang Laun