Class SafeConfig

  • Direct Known Subclasses:
    AbstractLockConfig, AlternatorTool, ClassTool, ContextTool, EscapeTool, FieldTool, LinkTool, LocaleConfig, MarkupTool, RenderTool, XmlTool

    public class SafeConfig
    extends java.lang.Object

    Implements common logic and constants for tools which automatically locks down the public void configure(Map params) method after it is called once. This keeps application or session scoped tools thread-safe in templates, which generally have access to the tool after configuration has happened.

    It also provides for a separate "safe mode" setting which tells tools to block any functions that may pose a security threat. This, of course, is set to true by default.

    Once "locked down", the configure(Map) may still be called, however it will do nothing (unless some subclass is foolish enough to override it and not check if isConfigLocked() before changing configurations. The proper method for subclasses to override is configure(ValueParser) which will only be called by configure(Map) when the isConfigLocked() is false (i.e. the first time only).

    Since:
    VelocityTools 2.0
    Author:
    Nathan Bubna
    • Field Summary

      Fields 
      Modifier and Type Field Description
      private boolean configLocked  
      static java.lang.String LOCK_CONFIG_KEY
      The key used for specifying whether or not to prevent templates from reconfiguring this tool.
      static java.lang.String OLD_LOCK_CONFIG_KEY
      Deprecated.
      static java.lang.String SAFE_MODE_KEY
      Many tools interested in locking configure() also have other things they wish to secure.
      private boolean safeMode  
    • Constructor Summary

      Constructors 
      Constructor Description
      SafeConfig()  
    • Field Detail

      • LOCK_CONFIG_KEY

        public static final java.lang.String LOCK_CONFIG_KEY
        The key used for specifying whether or not to prevent templates from reconfiguring this tool. The default is true.
        See Also:
        Constant Field Values
      • OLD_LOCK_CONFIG_KEY

        @Deprecated
        public static final java.lang.String OLD_LOCK_CONFIG_KEY
        Deprecated.
        See Also:
        Constant Field Values
      • SAFE_MODE_KEY

        public static final java.lang.String SAFE_MODE_KEY
        Many tools interested in locking configure() also have other things they wish to secure. This key controls that property. The default value is true, of course.
        See Also:
        Constant Field Values
      • configLocked

        private boolean configLocked
      • safeMode

        private boolean safeMode
    • Constructor Detail

      • SafeConfig

        public SafeConfig()
    • Method Detail

      • setLockConfig

        protected void setLockConfig​(boolean lock)
        Only allow subclass access to this.
      • setSafeMode

        protected void setSafeMode​(boolean safe)
      • isConfigLocked

        public boolean isConfigLocked()
        Returns true if the configure(Map) method has been locked.
      • isSafeMode

        public boolean isSafeMode()
        Returns true if this tool is in "safe mode".
      • configure

        public void configure​(java.util.Map params)
        If isConfigLocked() returns true, then this method does nothing; otherwise, if false, this will create a new ValueParser from the specified Map of params and call configure(ValueParser) with it. Then this will check the parameters itself to find out whether or not the configuration for this tool should be put into safe mode or have its config locked. The safe mode value should be a boolean under the key SAFE_MODE_KEY and the lock value should be a boolean under the key LOCK_CONFIG_KEY.
      • configure

        protected void configure​(ValueParser values)
        Does the actual configuration. This is protected, so subclasses may share the same ValueParser and call configure at any time, while preventing templates from doing so when configure(Map) is locked.