AnsweredAssumed Answered

How do I secure ScriptTask's javax.script?

Question asked by jmseo2 on Aug 4, 2015
Latest reply on Aug 6, 2015 by vasile.dirla
I am currently working on a project which exposes the BPM workflow definition to our users as a configurable value. The users may define any valid BPM XML, register it against our service, and execute it within our application.

One problem we ran into is the usage of ScriptTask. The scripts are exposing all the classes, file IO, network, etc to our users, which opens up a huge security hole since the workflows are client configurable. We'd like to restrict that somehow.
Example:

<scriptTask scriptFormat="js" id="myscript">
   <script>
      java.lang.System.exit(0);
   </script>
</scriptTask>


I just killed the application JVM…

Has anyone already solved this problem in Activiti before? I know there are some things you can do with SecurityManager, but I am not sure how this can be applied in Activiti.

Many thanks in advance.

Outcomes