Permissions for eval code [jjs with support for Security Manager?]

A. Sundararajan sundararajan.athijegannathan at
Mon Feb 10 00:36:50 PST 2014

No. There is no plan to use Java caller's ( the code evaluating the 
script) code source for scripts. The current fix is to make sure 
evaluated script gets permissions given to all code.  (A CodeSource with 
null URL is used - which results in such permissions being given to 
scripts). There is already support for script URL based security. i.e., 
if you use "load" function with a URL, the script loaded from URL gets 
security permissions given for that URL (in your security policy). And 
no - no signing of scripts supported.


On Saturday 08 February 2014 03:07 PM, Bernd Eckenfels wrote:
> Am Fri, 07 Feb 2014 18:19:44 +0530
> schrieb "A. Sundararajan" <sundararajan.athijegannathan at>:
>> Hi,
>> Sorry I forgot to address the following issue. Filed a bug:
>> It is bug that "eval" code does not get the default permissions.
>> Thanks for reporting.
>> -Sundar
> Thanks Sundar for reporting this. I wonder if it is defined what
> codebase a evaluated piece of Java code should have (besides the
> general permission settings). Is there anything planned or existing? If
> I understand the patch correctly there is no specific code source which
> can matched by policy (and no support for signing scripts).
> Greetings
> Bernd

More information about the nashorn-dev mailing list