topic Re: How do I secure ScriptTask's javax.script? in Alfresco Archive

How do I secure ScriptTask's javax.script?

jmseo2 — Tue, 04 Aug 2015 19:42:43 GMT

I am currently working on a project which exposes the BPM workflow definition to our users as a configurable value. The users may define any valid BPM XML, register it against our service, and execute it within our application.One problem we ran into is the usage of ScriptTask. The scripts are expos

Re: How do I secure ScriptTask's javax.script?

vasile_dirla — Tue, 04 Aug 2015 21:30:18 GMT

Hi,
try google-ing for "sandboxing rhino".
I didn't try it yet, but this should help solving the problem.

Re: How do I secure ScriptTask's javax.script?

jmseo2 — Tue, 04 Aug 2015 21:46:51 GMT

Hi Vasile. Thanks for the response.
My question was more geared towards Activiti's usage of the ScriptManager instance, which is not exposed from the process engine for me to configure.
Btw, I believe starting jdk8 javax.script does not use rhino. (I need to confirm this bit later since I am not on the PC right now)

Re: How do I secure ScriptTask's javax.script?

vasile_dirla — Tue, 04 Aug 2015 22:28:59 GMT

just had a look into the source code:
into the ScriptTaskActivityBehavior class:
in the execute method is the point of execution of the scripts:
<code>
Object result = scriptingEngines.evaluate(script, language, execution, storeScriptVariables);
</code>
I think that setting a custom security manager which will filter the packages and after the script execution to set it back to null will solve the problem for any script type executed with the ScriptTask.
<code>
public class PkgsSecurityManager extends SecurityManager {

   @Override
   public void checkPackageAccess(String pkg) {
// if the pkg should be restricted throw the exception like that:
     throw new SecurityException();
   }
}
</code>

( This should be tested it's just my opinion but didn't test it yet.)

Re: How do I secure ScriptTask's javax.script?

jmseo2 — Thu, 06 Aug 2015 15:24:41 GMT

Several problems with this approach:
- We do not know when the script task is about to be executed. (Is there a programmatic hook provided in Activiti for us to put our custom security manager?)
- Are you suggesting we set a temporary system-wide security manager through System.setSecurityManager()? Wouldn't that apply the custom permissions to other threads in the same JVM? Or possibly even other asnyc tasks occurring within Activiti at the time?

If there are no way to customize the ScriptTaskActivityBehavior.execute(), is it reasonable for this to be a feature request?

Re: How do I secure ScriptTask's javax.script?

vasile_dirla — Thu, 06 Aug 2015 19:21:59 GMT

I don't know if there is any hook around that execution,
I was thinking you could modify the ScriptTaskActivityBehavior.java ("execute" method)

Re: How do I secure ScriptTask's javax.script?

vasile_dirla — Thu, 06 Aug 2015 21:59:32 GMT

i think you could use this: http://activiti.org/userguide/index.html#_hooking_into_process_parsing
this way you could inject some custom script around the user's script.