Using the Nashorn library jdk.nashorn.api.scripting.* one can implement the ClassFilter interface to disable instantiating any class from within a JavaScript run in Java:

    private static class NoJavaFilter implements ClassFilter {
        @Override
        public boolean exposeToScripts(String s) {
            return false;
        }
    }

This works when you start the engine like so:

    NashornScriptEngineFactory factory = new NashornScriptEngineFactory();
    ScriptEngine nashorn = factory.getScriptEngine(new NoJavaFilter());

But I'm using the built-in Java 8 javax.script library:

    ScriptEngineManager manager = new ScriptEngineManager();
    ScriptEngine engine = manager.getEngineByName("nashorn");

That doesn't have ClassFilter, any thoughts how to implement the equivalent?

UPDATE
This code runs in a Wildfly 14 EJB container. The JsUtils bean is injected into the invoker, which runs the run method, sending the script as a parameter.
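
    import javax.ejb.Stateless;
    import javax.script.ScriptEngine;
    import javax.script.ScriptEngineManager;
    import javax.script.ScriptException;

    @Stateless
    public class JsUtils {
        public String run(String script) throws ScriptException,
                NoSuchMethodException {
            // Engine obtained through javax.script: no ClassFilter is applied,
            // so the evaluated script can still reach Java classes.
            ScriptEngineManager manager = new ScriptEngineManager();
            ScriptEngine engine = manager.getEngineByName("nashorn");
            Object result = engine.eval(script);
            return result.toString();
        }
    }
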
Use the jdk.nashorn.api.scripting library, there's no other way.
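
The approach this answer points to, applied to the question's run method, as an added example that is not part of the original answer. The names FilteredJsRunner, NO_JAVA and FACTORY are hypothetical, the sample scripts are constructed, and it assumes Java 8 with the jdk.nashorn.api.scripting package visible to the deployment.

```java
import javax.script.ScriptEngine;
import javax.script.ScriptException;
import jdk.nashorn.api.scripting.ClassFilter;
import jdk.nashorn.api.scripting.NashornScriptEngineFactory;

// Hypothetical class name; a plain-Java stand-in for the JsUtils bean.
public class FilteredJsRunner {

    // Deny every Java class, same policy as the question's NoJavaFilter.
    private static final ClassFilter NO_JAVA = className -> false;

    // The filter can only be passed through the Nashorn factory;
    // ScriptEngineManager.getEngineByName has no parameter for it.
    private static final NashornScriptEngineFactory FACTORY =
            new NashornScriptEngineFactory();

    public static String run(String script) throws ScriptException {
        // A fresh engine per call keeps state from leaking between scripts.
        ScriptEngine engine = FACTORY.getScriptEngine(NO_JAVA);
        Object result = engine.eval(script);
        // eval returns null when the script produces no value, so avoid
        // calling toString() on the result directly.
        return String.valueOf(result);
    }

    public static void main(String[] args) throws ScriptException {
        // Constructed sample: plain JavaScript still evaluates.
        System.out.println("arithmetic: " + run("1 + 2"));

        // Constructed sample: the script asks for a Java class, which the
        // filter must refuse. The refusal may surface as a ScriptException
        // or as an unchecked exception, so both are caught.
        try {
            run("Java.type('java.lang.Runtime')");
            System.out.println("filter NOT applied: Java class was exposed");
        } catch (ScriptException | RuntimeException e) {
            System.out.println("blocked: " + e);
        }
    }
}
```

To expose a few classes instead of none, have the filter return true only for fully qualified names on an explicit allow-list.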