[rules-users] Security test cases for Drools

Swindells, Thomas TSwindells at nds.com
Thu Nov 10 03:48:26 EST 2011


If you are allowing customers to define their own rules then you are effectively allowing them to execute any arbitrary Java statements.
You either need to have someone review and check all their rules before they are applied, restrict what they can do to the UI to such a level you are sure they can't compromise it (perhaps DSL might work?), sanitize their input to a whitelist of statements (probably no eval and very limited in what they can put in the then part), or you could go the whole hog and set up a Java security sandbox and classloaders to place limits on what operations they can do - though even then you need to design it carefully so they can't modify any of your application state.

Thomas
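
The whitelist option above, as an added example that is not part of the original message or of Drools: a Python pre-check run on submitted rule text before it reaches the rule compiler. The allowed fact types, literal forms and statement shapes are constructed assumptions, and the check fails closed on anything it does not recognise.

```python
import re

# Constructed policy (an assumption, not from the thread): the fact types a
# customer may match on and the only statement shapes allowed after "then".
ALLOWED_TYPES = {"Order", "Customer"}
LIT = r'(?:"[\w .,-]*"|-?\d+(?:\.\d+)?|true|false|null)'
CONSTRAINT = rf'\w+\s*(?:==|!=|<=|>=|<|>)\s*{LIT}'
PATTERN = re.compile(
    rf'\s*\$\w+\s*:\s*(\w+)\s*\(\s*(?:{CONSTRAINT}(?:\s*,\s*{CONSTRAINT})*)?\s*\)')
STATEMENT = re.compile(
    rf'\s*(?:\$\w+\.set[A-Z]\w*\(\s*{LIT}\s*\)|(?:update|retract)\(\s*\$\w+\s*\))\s*;')
RULE = re.compile(r'\s*rule\s+"([^"\n]+)"\s+when\b(.*?)\bthen\b(.*?)\bend\b', re.S)

def _only(regex, text, what, errors, check=None):
    """Require text to be a run of whitelisted items and nothing else."""
    pos = 0
    while text[pos:].strip():
        m = regex.match(text, pos)
        if not m:
            errors.append(f"{what} not on whitelist: {text[pos:].strip()[:40]!r}")
            return
        if check:
            check(m)
        pos = m.end()

def validate_drl(source):
    """Return the list of violations; empty means the rule text is accepted."""
    errors, pos = [], 0
    while source[pos:].strip():
        m = RULE.match(source, pos)
        if not m:  # import, global, function, declare, attributes, comments
            errors.append(f"only plain rules allowed: {source[pos:].strip()[:40]!r}")
            break
        name, lhs, rhs = m.groups()
        def type_ok(pm, name=name):
            if pm.group(1) not in ALLOWED_TYPES:
                errors.append(f"rule {name!r}: fact type {pm.group(1)!r} not allowed")
        _only(PATTERN, lhs, f"rule {name!r}: condition", errors, type_ok)
        _only(STATEMENT, rhs, f"rule {name!r}: consequence", errors)
        pos = m.end()
    return errors

# Constructed sample submissions.
GOOD = 'rule "flag big orders"\nwhen\n  $o : Order( total > 1000, status == "NEW" )\n' \
       'then\n  $o.setStatus("REVIEW");\n  update($o);\nend\n'
BAD = 'rule "abuse"\nwhen\n  eval( true )\nthen\n  System.exit(1);\nend\n'

if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, validate_drl(text) or "accepted")
```

A text filter of this kind only narrows what reaches the compiler; the setters it permits still run with the application's privileges, which is where the sandbox and classloader design mentioned in the message comes in.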

> -----Original Message-----
> From: rules-users-bounces at lists.jboss.org [mailto:rules-users-
> bounces at lists.jboss.org] On Behalf Of kapokfly
> Sent: 09 November 2011 17:10
> To: rules-users at lists.jboss.org
> Subject: Re: [rules-users] Security test cases for Drools
>
> Thanks Edson.
>
> We are developing a web based UI (if possible embed guvnor into our
> application) and open the ability to customers to define their own rules, so a
> company policy on this won't work.
>
> Will evaluate other concern points and have more discussions on this.
>
> Ivan

