freemarker.core
Class OptInTemplateClassResolver
java.lang.Object
freemarker.core.OptInTemplateClassResolver
- All Implemented Interfaces:
- TemplateClassResolver
public class OptInTemplateClassResolver
- extends java.lang.Object
- implements TemplateClassResolver
A TemplateClassResolver
that resolves only the classes whose name
was specified in the constructor.
Constructor Summary |
OptInTemplateClassResolver(java.util.Set allowedClasses,
java.util.List trustedTemplates)
Creates a new instance. |
Method Summary |
java.lang.Class |
resolve(java.lang.String className,
Environment env,
Template template)
Gets a Class based on the class name. |
protected java.lang.String |
safeGetTemplateName(Template template)
Extract the template name from the template object which will be matched
against the trusted template names and pattern. |
Methods inherited from class java.lang.Object |
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
OptInTemplateClassResolver
public OptInTemplateClassResolver(java.util.Set allowedClasses,
java.util.List trustedTemplates)
- Creates a new instance.
- Parameters:
allowedClasses
- the Set
of String
-s that contains
the full-qualified names of the allowed classes.
Can be null
(means not class is allowed).trustedTemplates
- the List
of String
-s that contains
template names (i.e., template root directory relative paths)
and prefix patterns (like "include/*"
) of templates
for which TemplateClassResolver.SAFER_RESOLVER
will be
used (which is not as safe as OptInTemplateClassResolver
).
The list items need not start with "/"
(if they are, it
will be removed). List items ending with "*"
are treated
as prefixes (i.e. "foo*"
matches "foobar"
,
"foo/bar/baaz"
, "foowhatever/bar/baaz"
,
etc.). The "*"
has no special meaning anywhere else.
The matched template name is the name (template root directory
relative path) of the template that directly (lexically) contains the
operation (like ?new
) that wants to get the class. Thus,
if a trusted template includes a non-trusted template, the
allowedClasses
restriction will apply in the included
template.
This parameter can be null
(means no trusted templates).
resolve
public java.lang.Class resolve(java.lang.String className,
Environment env,
Template template)
throws TemplateException
- Description copied from interface:
TemplateClassResolver
- Gets a
Class
based on the class name.
- Specified by:
resolve
in interface TemplateClassResolver
- Parameters:
className
- the full-qualified class nameenv
- the environment in which the template executestemplate
- the template where the operation that require the
class resolution resides in. This is null
if the
call doesn't come from a template.
- Throws:
TemplateException
- if the class can't be found or shouldn't be
accessed from a template for security reasons.
safeGetTemplateName
protected java.lang.String safeGetTemplateName(Template template)
- Extract the template name from the template object which will be matched
against the trusted template names and pattern.