freemarker.core
Class OptInTemplateClassResolver

java.lang.Object
  extended by freemarker.core.OptInTemplateClassResolver
All Implemented Interfaces:
TemplateClassResolver

public class OptInTemplateClassResolver
extends java.lang.Object
implements TemplateClassResolver

A TemplateClassResolver that resolves only the classes whose name was specified in the constructor.


Field Summary
 
Fields inherited from interface freemarker.core.TemplateClassResolver
ALLOWS_NOTHING_RESOLVER, SAFER_RESOLVER, UNRESTRICTED_RESOLVER
 
Constructor Summary
OptInTemplateClassResolver(java.util.Set allowedClasses, java.util.List trustedTemplates)
          Creates a new instance.
 
Method Summary
 java.lang.Class resolve(java.lang.String className, Environment env, Template template)
          Gets a Class based on the class name.
protected  java.lang.String safeGetTemplateName(Template template)
          Extracts the template name from the template object; this name is matched against the trusted template names and patterns.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

OptInTemplateClassResolver

public OptInTemplateClassResolver(java.util.Set allowedClasses,
                                  java.util.List trustedTemplates)
Creates a new instance.

Parameters:
allowedClasses - the Set of String-s that contains the fully qualified names of the allowed classes. Can be null (means no class is allowed).
trustedTemplates - the List of String-s that contains template names (i.e., template root directory relative paths) and prefix patterns (like "include/*") of templates for which TemplateClassResolver.SAFER_RESOLVER will be used (which is not as safe as OptInTemplateClassResolver). The list items need not start with "/" (if they do, it will be removed). List items ending with "*" are treated as prefixes (i.e. "foo*" matches "foobar", "foo/bar/baaz", "foowhatever/bar/baaz", etc.). The "*" has no special meaning anywhere else. The matched template name is the name (template root directory relative path) of the template that directly (lexically) contains the operation (like ?new) that wants to get the class. Thus, if a trusted template includes a non-trusted template, the allowedClasses restriction will apply in the included template. This parameter can be null (means no trusted templates).
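
Usage example, added here and not part of the FreeMarker documentation: it installs the resolver with one allowed class and one trusted prefix, then renders four in-memory templates to show the opt-in check, the trusted-prefix fallback to SAFER_RESOLVER, and the lexical rule for included templates. It assumes FreeMarker 2.3.21 or later (for the Configuration(Version) constructor); the class name OptInResolverDemo, the helper render and all template names are constructed for illustration.

```java
import freemarker.cache.StringTemplateLoader;
import freemarker.core.OptInTemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.TemplateException;
import freemarker.template.TemplateExceptionHandler;

import java.io.IOException;
import java.io.StringWriter;
import java.util.Arrays;
import java.util.Collections;

public class OptInResolverDemo {
    static final String HTML = "freemarker.template.utility.HtmlEscape";
    static final String XML = "freemarker.template.utility.XmlEscape";

    public static void main(String[] args) throws Exception {
        // Constructed sample templates, kept in memory so the demo runs offline.
        StringTemplateLoader loader = new StringTemplateLoader();
        loader.putTemplate("user/allowed.ftl", "<#assign t = \"" + HTML + "\"?new()>ok");
        loader.putTemplate("user/denied.ftl", "<#assign t = \"" + XML + "\"?new()>ok");
        loader.putTemplate("include/lib.ftl", "<#assign t = \"" + XML + "\"?new()>ok");
        // A trusted template that includes a non-trusted one.
        loader.putTemplate("include/wrapper.ftl", "<#include \"/user/denied.ftl\">");

        Configuration cfg = new Configuration(Configuration.VERSION_2_3_21);
        cfg.setTemplateLoader(loader);
        cfg.setTemplateExceptionHandler(TemplateExceptionHandler.RETHROW_HANDLER);
        cfg.setNewBuiltinClassResolver(new OptInTemplateClassResolver(
                Collections.singleton(HTML),      // allowedClasses: only HtmlEscape
                Arrays.asList("include/*")));     // trustedTemplates: prefix pattern

        for (String name : new String[] {"user/allowed.ftl", "user/denied.ftl",
                                         "include/lib.ftl", "include/wrapper.ftl"}) {
            System.out.println(name + " -> " + render(cfg, name));
        }
    }

    // Renders the named template and reports whether ?new was permitted.
    static String render(Configuration cfg, String name) throws IOException {
        try {
            cfg.getTemplate(name).process(Collections.emptyMap(), new StringWriter());
            return "rendered";
        } catch (TemplateException e) {
            return "rejected (TemplateException)";
        }
    }
}
```

Per the rules above, user/allowed.ftl and include/lib.ftl are permitted, while user/denied.ftl is rejected both when rendered directly and when included from include/wrapper.ftl, because the ?new call lexically resides in the non-trusted template.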
Method Detail

resolve

public java.lang.Class resolve(java.lang.String className,
                               Environment env,
                               Template template)
                        throws TemplateException
Description copied from interface: TemplateClassResolver
Gets a Class based on the class name.

Specified by:
resolve in interface TemplateClassResolver
Parameters:
className - the fully qualified class name
env - the environment in which the template executes
template - the template that contains the operation requiring the class resolution. This is null if the call doesn't come from a template.
Throws:
TemplateException - if the class can't be found or shouldn't be accessed from a template for security reasons.

safeGetTemplateName

protected java.lang.String safeGetTemplateName(Template template)
Extracts the template name from the template object; this name is matched against the trusted template names and patterns.