1

For security reasons I'd like to pass to JS functions in Nashorn native Java types.

If I create an engine and I run the following:

        NashornScriptEngineFactory nashornScriptEngineFactory = new NashornScriptEngineFactory();
        ScriptEngine engine = nashornScriptEngineFactory.getScriptEngine();
        engine.eval(script);
        Invocable invocable = (Invocable) engine;
        JSObject objectWork = (JSObject) engine.get("objectWork");
        objectWork.call(null,"eee");

with script being

function objectWork(arg){
   print ("arg is "+ typeof arg);
   print ("arg.getClass()"+ arg.getClass());

   for (var k in arg){
        print(k);
   }
}

The output is

arg is string
arg.getClass()class java.lang.String

I'm not so happy about the 2nd and I don't know if getClass is exposing any method of the java.lang.Class object. Is there a way to pass something that wraps the Java String in a native one extending Nashorn's own JSObject?

2
  • It is possible to extend JSObject but I'm not sure it's a good idea. This class is under jdk.* packages. Commented Sep 26, 2015 at 13:02
  • I've seen it, but I don't see any obvious way to make it a js string, just a regular object with properties. Furthermore it does not have any is* method for primitive types, like Number, String, etc. Commented Sep 26, 2015 at 13:05

2 Answers

1

JS String primitive type values are java.lang.String objects. For example,

jjs> "hello".getClass()
class java.lang.String
jjs> "hello".class
class java.lang.String

i.e., there is no separate "JS String" type used in nashorn. Nashorn tries to avoid wrapping Java/JS types as much as possible.

What is the specific issue you're worried about? Reflective access to String via "Class" object? Please note that by default Java reflection is not allowed to scripts if you run under SecurityManager.

$ jjs -J-Djava.security.manager
jjs> "hello".class
class java.lang.String
jjs> "hello".class.getMethods()
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "nashorn.JavaReflection")
jjs>

So, unless you give "nashorn.JavaReflection" RuntimePermission to a script, it won't be able to do any Java reflection from script. So, getting access to Class object of any Java object won't pose any security threat.
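Where no SecurityManager is in use, Nashorn's `ClassFilter` (JDK 8u40 and later) is another way to limit what a script can do with a Java object handed to it; per the Nashorn documentation, an engine created with a class filter also refuses reflective access. The following is an added example, not code from the question or either answer, and it goes beyond the SecurityManager setup shown above: the class name `ReflectionProbe` and the probe functions are made up for illustration, and the program prints what each probe returns or which error it raises on your JDK.

```java
import javax.script.ScriptEngine;
import jdk.nashorn.api.scripting.ClassFilter;
import jdk.nashorn.api.scripting.JSObject;
import jdk.nashorn.api.scripting.NashornScriptEngineFactory;

// Added example (hypothetical class name); needs a JDK that bundles Nashorn (8u40 to 14).
public class ReflectionProbe {

    // Constructed probe script: each function tries one thing a script
    // might do with a Java String passed in from the host.
    static final String SCRIPT =
          "function typeOf(arg)   { return typeof arg; }\n"
        + "function getCls(arg)   { return String(arg.getClass()); }\n"
        + "function methods(arg)  { return arg.getClass().getMethods().length; }\n"
        + "function loadType(arg) { return String(Java.type('java.lang.System')); }\n";

    // Calls every probe with a Java String, as the question does, and reports the outcome.
    static void probe(ScriptEngine engine, String label) throws Exception {
        engine.eval(SCRIPT);
        for (String fn : new String[] {"typeOf", "getCls", "methods", "loadType"}) {
            JSObject f = (JSObject) engine.get(fn);
            String outcome;
            try {
                outcome = "returned " + f.call(null, "eee");
            } catch (RuntimeException e) {
                // Script-level errors and wrapped Java exceptions both surface here.
                outcome = "blocked: " + e;
            }
            System.out.println(label + " / " + fn + " -> " + outcome);
        }
    }

    public static void main(String[] args) throws Exception {
        NashornScriptEngineFactory factory = new NashornScriptEngineFactory();

        // Default engine, no SecurityManager: nothing restricts the script.
        probe(factory.getScriptEngine(), "default");

        // Deny-all filter: no Java class may be looked up by name from script.
        ClassFilter denyAll = className -> false;
        probe(factory.getScriptEngine(denyAll), "filtered");
    }
}
```

Comparing the `default` and `filtered` lines for `methods` and `loadType` shows whether the engine you ship lets a script go from a passed-in String to reflection or to arbitrary Java classes.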


0

A trivial, yet working solution. Just have the engine load a piece of JS code like

function strclone(str){
 return new String(str);
}

and then call it from Java every time. That will result in a JSObject and in a proper JS string that can be passed to JS functions:

JSObject strclone = (JSObject) engine.get("strclone");
// JSObject.call returns Object, so the result has to be cast.
JSObject jsString = (JSObject) strclone.call(null, "some Java string");
someOtherJsMethod.call(null, jsString);
