Hi,
I am trying to implement ClassFilter of Nashorn to achieve whiteListing class. Because SecureJavascriptConfigurator uses Rhino Scripting Engine and it converts integer to double by default, we are unable to use SecureJavascriptConfigurator as double value breaks our usecase.
Default flowable script executor(Nashorn I think) does not convert integer to double. So is there any way I can use Nashhorn class filtering to achive whiteListing of classes also.
Flowable doesn’t have a default javascripting engine - this depends on the JDK used. In fact, recent JDKs don’t have any javascript engine and you will have to add the dependency yourself, but also make sure to read e.g. Beware the Nashorn: ClassFilter gotchas – – Random ramblings, exploits and projects.
Hi @joram, We are using SecureJavascriptConfigurator to use whiteListing of java classes in script task. But since SecureJavascriptConfigurator uses rhino engine, rhino engine is converting integer to double.
So I was looking for an alternative of rhino. I saw nashorn is used by flowable bydefault(when not using SecureJavascriptConfigurator) and we don’t face the issue of integer to decimal conversion. But I am not finding ways to configure whitelisting of java classes with nashorn other than ClassFilter. Then your answer came. You can refer here also. execution.setVariable will change integer type to double type · Issue #2485 · flowable/flowable-engine · GitHub.
Please read my previous post: Flowable doesn’t use Nashorn. Flowable uses Nashorn if that’s the scripting engine available for javascript in your JDK. The secure scripting module does have a hard dependency on rhino (because it dates from before the JDK removed the scripting engine).
That’s a question for Nashorn: GitHub - openjdk/nashorn: https://openjdk.org/projects/nashorn, however checking the blog I linked above, implementing a classfilter is not enough, you also need a SecurityManager it seems.
Hi, @joram I’m interested in this question particularly because I’m planning to enable GraalVM polyglot SDK within flowable. I’m interested in knowing if there are any recommendations or HOW-TOs for creating a custom engine.
Thanks
Hey @hberrayana,
As Joram explained earlier. Flowable uses the Java Scripting API. If you expose GraalVM as a Java Scripting engine it should work without any changes. If you want to do something more natively, you’ll have to look into using a custom task.
Cheers,
Filip
Thanks, @filiphr
Actually, I was thinking about more native integration using Graal’s polyglot capabilities. I managed to create a custom task but that was not the best approach.
Hey @hberrayana,
I see what you mean now. You’d like to basically replace the existing ScriptTask to use Graal instead of the Java Scripting engine.
We are doing some experiments in that area and we are going to provide more info on that soon.
Cheers,
Filip