
Restricted access to Java classes

The Nashorn script engine allows script code to access Java classes. For security reasons, it is best to disable this access entirely or restrict it to a subset of Java classes.

Configure access to Java classes

To restrict access to specific Java classes or packages, set the property SECURITY_CLASSES_ALLOWED_TO_USE.

Note: By default, this property is not set, which means no Java classes are accessible. We recommend being strict about the classes you wish to allow due to security concerns.

The following example makes the class java.io.ByteArrayInputStream explicitly accessible, along with any classes from the java.lang package, such as java.lang.String or java.lang.Integer.

SECURITY_CLASSES_ALLOWED_TO_USE=java.io.ByteArrayInputStream, java.lang.*

Classes and packages should be comma separated. A bare * is not a valid configuration. You must specify a base-level package first and can then append the *, as in java.lang.*.
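
The following is an added example, not the product's own code: it shows one way an allow-list with the rules above can be enforced through Nashorn's ClassFilter interface. The class name AllowListFilter and the parsing details are assumptions, as is the choice that a package wildcard covers only classes directly in that package and not its subpackages.

```java
// On JDK 15+ with standalone Nashorn, the package is org.openjdk.nashorn.api.scripting.
import jdk.nashorn.api.scripting.ClassFilter;
import jdk.nashorn.api.scripting.NashornScriptEngineFactory;
import javax.script.ScriptEngine;
import java.util.HashSet;
import java.util.Set;

// Hypothetical class: enforces a comma-separated allow-list of classes and packages.
public class AllowListFilter implements ClassFilter {
    private final Set<String> classes = new HashSet<>();   // exact class names
    private final Set<String> packages = new HashSet<>();  // taken from "pkg.*" entries

    public AllowListFilter(String property) {
        if (property == null || property.trim().isEmpty()) {
            return; // property not set: both sets stay empty, nothing is accessible
        }
        for (String raw : property.split(",")) {
            String entry = raw.trim();
            if (entry.isEmpty()) continue;
            boolean wildcard = entry.endsWith(".*");
            String name = wildcard ? entry.substring(0, entry.length() - 2) : entry;
            // Rejects a bare "*", ".*", and a "*" anywhere except as the final segment.
            if (name.isEmpty() || name.contains("*")) {
                throw new IllegalArgumentException("Invalid allow-list entry: " + entry);
            }
            (wildcard ? packages : classes).add(name);
        }
    }

    @Override
    public boolean exposeToScripts(String className) {
        if (classes.contains(className)) return true;
        int dot = className.lastIndexOf('.');
        // Assumption: "pkg.*" matches classes directly in pkg, not in subpackages.
        return dot > 0 && packages.contains(className.substring(0, dot));
    }

    public static void main(String[] args) throws Exception {
        ClassFilter filter = new AllowListFilter("java.io.ByteArrayInputStream, java.lang.*");
        ScriptEngine engine = new NashornScriptEngineFactory().getScriptEngine(filter);
        // Allowed: java.lang.Integer is covered by the java.lang.* entry.
        System.out.println(engine.eval("Java.type('java.lang.Integer').valueOf(7)"));
        try {
            engine.eval("Java.type('java.io.File')"); // not on the allow-list
        } catch (Exception e) {
            System.out.println("Blocked: java.io.File (" + e.getClass().getSimpleName() + ")");
        }
    }
}
```

Under this example's matching rule, java.lang.reflect.Method is not exposed by java.lang.*; check how your deployment treats subpackages before relying on a wildcard entry.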