use protection domain for JavaScript compiled reports (for gh-12)

JRClassLoader has a ProtectionDomain factory which can be used to control the permissions of Java and Groovy compiled reports. The same factory is now used by JavaScriptClassCompiler, which is the default JavaScript report compiler.
TIBCOSoftware · Dec 13, 2017 · 9616ef8 · 9616ef8
1 parent 984a84a
commit 9616ef8
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 2 deletions.
diff --git a/jasperreports/src/net/sf/jasperreports/compilers/JavaScriptClassLoader.java b/jasperreports/src/net/sf/jasperreports/compilers/JavaScriptClassLoader.java
@@ -25,6 +25,10 @@
 
 import net.sf.jasperreports.compilers.JavaScriptCompiledData.CompiledClass;
 import net.sf.jasperreports.engine.JRRuntimeException;
+import net.sf.jasperreports.engine.util.JRClassLoader;
+import net.sf.jasperreports.engine.util.ProtectionDomainFactory;
+
+import java.security.ProtectionDomain;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -46,6 +50,8 @@ public class JavaScriptClassLoader extends DefiningClassLoader
 	public static final String EXCEPTION_MESSAGE_KEY_INSTANCE_ERROR = "compilers.javascript.instance.error";
 	public static final String EXCEPTION_MESSAGE_KEY_LOAD_ERROR = "compilers.javascript.load.error";
 
+	private volatile ProtectionDomain protectionDomain;
+
 	public JavaScriptClassLoader()
 	{
 		super(Codegen.class.getClassLoader());
@@ -93,7 +99,9 @@ protected synchronized Class<? extends Script> loadExpressionClass(CompiledClass
 
 			try
 			{
-				scriptClass = defineClass(className, compiledClass.getClassBytes());
+				ProtectionDomain domain = getProtectionDomain();
+				byte[] classBytes = compiledClass.getClassBytes();
+				scriptClass = defineClass(className, classBytes, 0, classBytes.length, domain);
 				linkClass(scriptClass);
 			}
 			catch (SecurityException e)
@@ -116,6 +124,24 @@ protected synchronized Class<? extends Script> loadExpressionClass(CompiledClass
 
 		return (Class<? extends Script>) scriptClass;
 	}
+
+	protected ProtectionDomain getProtectionDomain()
+	{
+		ProtectionDomain domain = protectionDomain;
+		if (domain == null)
+		{
+			synchronized (this)
+			{
+				domain = protectionDomain;
+				if (domain == null)
+				{
+					ProtectionDomainFactory protectionDomainFactory = JRClassLoader.getProtectionDomainFactory();
+					domain = protectionDomain = protectionDomainFactory.getProtectionDomain(this);
+				}
+			}
+		}
+		return domain;
+	}
 
 	@Override
 	public String toString()

diff --git a/jasperreports/src/net/sf/jasperreports/engine/util/JRClassLoader.java b/jasperreports/src/net/sf/jasperreports/engine/util/JRClassLoader.java
@@ -38,7 +38,7 @@ public class JRClassLoader extends ClassLoader
 
 	private static ProtectionDomainFactory protectionDomainFactory;
 
-	protected static synchronized ProtectionDomainFactory getProtectionDomainFactory()
+	public static synchronized ProtectionDomainFactory getProtectionDomainFactory()
 	{
 		if (protectionDomainFactory == null)
 		{