Package freemarker.core

Class OptInTemplateClassResolver

java.lang.Object

freemarker.core.OptInTemplateClassResolver

All Implemented Interfaces:

TemplateClassResolver

public class OptInTemplateClassResolver
extends Object
implements TemplateClassResolver

A TemplateClassResolver that resolves only the classes whose name was specified in the constructor.

Field Summary

Fields inherited from interface freemarker.core.TemplateClassResolver

ALLOWS_NOTHING_RESOLVER, SAFER_RESOLVER, UNRESTRICTED_RESOLVER

Constructor Summary

Constructors

Constructor	Description
OptInTemplateClassResolver(Set allowedClasses, List trustedTemplates)	Creates a new instance.

Method Summary

Modifier and Type	Method	Description
Class	resolve(String className, Environment env, Template template)	Gets a Class based on the class name.
protected String	safeGetTemplateName(Template template)	Extract the template name from the template object which will be matched against the trusted template names and pattern.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

OptInTemplateClassResolver

public OptInTemplateClassResolver(Set allowedClasses,
 List trustedTemplates)

Creates a new instance.

Parameters:

allowedClasses - the Set of String-s that contains the full-qualified names of the allowed classes. Can be null (means not class is allowed).

trustedTemplates - the List of String-s that contains template names (i.e., template root directory relative paths) and prefix patterns (like "include/*") of templates for which TemplateClassResolver.SAFER_RESOLVER will be used (which is not as safe as OptInTemplateClassResolver). The list items need not start with "/" (if they are, it will be removed). List items ending with "*" are treated as prefixes (i.e. "foo*" matches "foobar", "foo/bar/baaz", "foowhatever/bar/baaz", etc.). The "*" has no special meaning anywhere else. The matched template name is the name (template root directory relative path) of the template that directly (lexically) contains the operation (like ?new) that wants to get the class. Thus, if a trusted template includes a non-trusted template, the allowedClasses restriction will apply in the included template. This parameter can be null (means no trusted templates).

Method Details

resolve

public Class resolve(String className,
 Environment env,
 Template template)
              throws TemplateException

Description copied from interface: TemplateClassResolver

Gets a Class based on the class name.

Specified by:

resolve in interface TemplateClassResolver

Parameters:

className - the full-qualified class name

env - the environment in which the template executes

template - the template where the operation that require the class resolution resides in. This is null if the call doesn't come from a template.

Throws:

TemplateException - if the class can't be found or shouldn't be accessed from a template for security reasons.

safeGetTemplateName

protected String safeGetTemplateName(Template template)

Extract the template name from the template object which will be matched against the trusted template names and pattern.