Make Execution in SecureContext configurable

Author: simonholzapfel

repository/src/main/java/org/orderofthebee/addons/support/tools/repo/jsconsole/ExecuteWebscript.java

@@ -118,6 +118,8 @@ public void setDumpService(final DumpService dumpService)
     private String preRollScriptClasspath;
 
     private String postRollScriptClasspath;
+    
+    private boolean secureContext;
 
     /**
      *
@@ -159,7 +161,7 @@ public void execute(final WebScriptRequest request, final WebScriptResponse resp
             // Note: Need to use import here so the user-supplied script may also import scripts
             final String script = "<import resource=\"classpath:" + this.preRollScriptClasspath + "\">\n" + jsreq.script;
 
-            final ScriptContent scriptContent = new StringScriptContent(script + this.postRollScript);
+            final ScriptContent scriptContent = new StringScriptContent(script + this.postRollScript, this.secureContext);
 
             final int providedScriptLength = this.countScriptLines(jsreq.script, false);
             final int resolvedScriptLength = this.countScriptLines(script, true);
@@ -610,15 +612,23 @@ public final void setPostRollScriptClasspath(final String postRollScriptClasspat
     {
         this.postRollScriptClasspath = postRollScriptClasspath;
     }
+    
+    public void setSecureContext(boolean secureContext) 
+    {
+      this.secureContext = secureContext;
+    }
 
     private static class StringScriptContent implements ScriptContent
     {
 
         private final String content;
+                
+        private final boolean secure;
 
-        public StringScriptContent(final String content)
+        public StringScriptContent(final String content, boolean secure)
         {
             this.content = content;
+            this.secure = secure;
         }
 
         @Override
@@ -654,7 +664,7 @@ public boolean isCachable()
         @Override
         public boolean isSecure()
         {
-            return true;
+            return this.secure;
         }
     }
 

repository/src/main/resources/alfresco/module/ootbee-support-tools-repo/alfresco-global.properties

@@ -9,6 +9,9 @@ ootbee-support-tools.propertyBackedBeanPersister.processLegacyJmxKeysOnRemovePro
 # this flag can be overridden to revert to old behaviour
 ootbee-support-tools.js-console.serverInfo.nodeCountsViaSOLR=true
 
+# true if the scripts in the context are considered secure and may access java.* libs directly otherwise false
+ootbee-support-tools.js-console.scriptContext.secure=true
+
 # it would be unexpected if there ever were so many property backed beans that this limit would not suffice
 cache.propertyBackedBeansPersisterSharedCache.tx.maxItems=1000
 cache.propertyBackedBeansPersisterSharedCache.tx.statsEnabled=${caches.tx.statsEnabled}

repository/src/main/resources/alfresco/module/ootbee-support-tools-repo/module-context.xml

@@ -105,6 +105,7 @@
         </property>
         <property name="preRollScriptClasspath" value="alfresco/module/ootbee-${project.artifactId}/scripts/jsconsole-pre-roll-script.js" />
         <property name="postRollScriptClasspath" value="alfresco/module/ootbee-${project.artifactId}/scripts/jsconsole-post-roll-script.js" />
+        <property name="secureContext" value="${ootbee-support-tools.js-console.scriptContext.secure}"/>
     </bean>
 
     <bean id="webscript.org.orderofthebee.support-tools.jsconsole.executionResult.get" class="org.orderofthebee.addons.support.tools.repo.jsconsole.ExecutionResultGet" parent="webscript">