public class WhitelistMemberAccessPolicy extends MemberSelectorListMemberAccessPolicy
BeansWrapper and its subclasses don't discover all members in the first place, and the MemberAccessPolicy just removes from that set of members, never adds to it.
The whitelist content is usually application specific, and can be significant work to put together, but it's the only way you can achieve any practical safety when you don't fully trust the users who can edit templates.
Of course, this can only deal with the ObjectWrapper aspect of safety; please check the Manual to see what else is needed. Also, since this is related to security, read the documentation of MemberAccessPolicy to know about the pitfalls and edge cases related to MemberAccessPolicy-es in general.
public WhitelistMemberAccessPolicy(java.util.Collection<? extends MemberSelectorListMemberAccessPolicy.MemberSelector> memberSelectors)
memberSelectors - List of member selectors; see MemberSelectorListMemberAccessPolicy class-level documentation for more.
public boolean isToStringAlwaysExposed()
If this returns true, we won't invoke the probably more expensive lookup to figure out if Object.toString() (including its overridden variants) is exposed for a given object. If this returns false, then no such optimization is made. This method was introduced as Object.toString() is called frequently, as it's used whenever an object is converted to string, like printed to the output, and it's not even a reflection-based call (we just call Object.toString() in Java). So we try to avoid the overhead of a more generic method call.