Access to Spring Beans in Script Task

Hi,

I’m using Flowable 6.4.2 and I can access Spring beans in a script task with Groovy.

But I cannot do so when using JavaScript for the script task. Apparently the bean names are resolved to null values and the following error occurs when I write beanName.call() in my script task:

“org.mozilla.javascript.EcmaError: TypeError: Cannot call method “call” of null”

Thanks in advance

Which JDK are you using (the org.mozilla seems to be a different package than usual)?

Did you try accessing the variable through e.g. execution.getVariable('foo')?

I’m using OpenJDK 8.

Yes, I can access variables via execution.getVariable("var1");

I guess the problem comes from JavaScript secure scripting, because this problem doesn’t show up when I disable secure scripting and remove the dependency on flowable-secure-javascript.

But I can’t find out how I can tweak it in order to make the Spring beans accessible.

Hi again,

I spent some time reading the relevant code. I made a PR regarding this issue here.

I augmented the SecureScriptScope with ProcessEngineConfiguration’s beans.

I would be happy to know any comments about it.

Hey @monick,

I had a brief look at the PR and it looks quite promising. The only thing we need to see is whether we want to be more restrictive here, since exposing all Spring Beans doesn’t sound too secure. You could get ahold of the ApplicationContext and close it, which I assume is something that you don’t want happening.

Hi @filiphr,

Surely I don’t want to expose all of the Spring application context.

I think the term “Spring Beans” is a bit misleading.

I actually intend to expose the Beans that are registered via SpringProcessEngineConfiguration#setBeans and are normally accessible in EL expressions as well.

Thanks

I figured as much. The thing is that currently, by default, the beans in the SpringProcessEngineConfiguration is actually a SpringBeanFactoryProxyMap which wraps the ApplicationContext. I know that you are probably going to configure the beans with different values, but perhaps we need changes in some other place as well (or don’t wrap the application context in the configuration).


Thanks @filiphr for your explanation.

I think if we don’t wrap the ApplicationContext in the configuration, that could cause some backward compatibility issues, because it is supposed to be accessible in the expressions.

So I made some changes here, where we can configure whether to expose the beans to the secure script task or not (which is disabled by default).
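
One way to address the concern raised in this thread, that the default beans map can resolve anything in the ApplicationContext, is to put a read-only allowlist in front of it before scripts can reach it. The following is an added example, not code from the PR or from Flowable: the class name AllowlistedBeans and the bean names are hypothetical, and it assumes the wrapped map implements get and containsKey.

```java
import java.util.AbstractMap;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

/** Read-only view of a beans map that resolves only explicitly allowlisted names. */
public final class AllowlistedBeans extends AbstractMap<Object, Object> {
    private final Map<Object, Object> delegate; // e.g. the map that wraps the context
    private final Set<String> allowed;

    public AllowlistedBeans(Map<Object, Object> delegate, Set<String> allowed) {
        this.delegate = delegate;
        this.allowed = Collections.unmodifiableSet(new LinkedHashSet<>(allowed));
    }

    @Override public boolean containsKey(Object key) {
        return key instanceof String && allowed.contains(key) && delegate.containsKey(key);
    }

    @Override public Object get(Object key) {
        // Names outside the allowlist resolve to null, even if the delegate could supply them.
        return containsKey(key) ? delegate.get(key) : null;
    }

    @Override public Set<Map.Entry<Object, Object>> entrySet() {
        // Only get()/containsKey() are called on the delegate; it is never enumerated.
        Map<Object, Object> view = new HashMap<>();
        for (String name : allowed) {
            if (delegate.containsKey(name)) view.put(name, delegate.get(name));
        }
        return Collections.unmodifiableMap(view).entrySet();
    }

    public static void main(String[] args) {
        // Constructed stand-in for a map that can resolve every bean in the context.
        Map<Object, Object> everything = new HashMap<>();
        everything.put("orderService", "order-service-bean");
        everything.put("applicationContext", "context-bean");

        Map<Object, Object> exposed =
            new AllowlistedBeans(everything, Collections.singleton("orderService"));
        System.out.println(exposed.get("orderService"));
        System.out.println(exposed.get("applicationContext"));
        System.out.println(exposed.keySet());
    }
}
```

A map like this can be handed to SpringProcessEngineConfiguration#setBeans in place of the default; the same restriction then applies to EL expressions, which is the backward-compatibility trade-off discussed above.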