<security>
Canvas element used to control RPC security

Usage

    <security>
        <allow>
        </allow>
        <deny>
        </deny>
    </security>

Java classes used in a JavaRPC application must be declared in a security element. Classes not declared in a security element cannot be accessed or instantiated. The security element has the following format:

    <security>
        <allow>
            <pattern>CLASS1</pattern>
            <pattern>CLASS2</pattern>
            ...
            <pattern>CLASSN</pattern>
        </allow>
    </security>

Each <pattern> is a regular expression.

    <security>
        <allow>
            <pattern>^org\.openlaszlo</pattern>
        </allow>
    </security>

A javarpc object whose class is not declared in a security tag will result in a load error.

<canvas debug="true" height="300">

    <debug x="10" y="40" height="240"/>

    <security>
        <allow>
            <pattern>^examples\.ConstructExample</pattern>
        </allow>
    </security>

    <!-- See $LPS_HOME/WEB-INF/classes/examples/ConstructExample.java for the
         Java source. -->
    <javarpc name="ce" scope="session" remoteclassname="examples.ConstructExample" createargs="[1]" autoload="false">
        <handler name="onerror" args="err">
            Debug.debug("onerror: %w", err);
        </handler>
        <handler name="onload">
            Debug.debug("proxy loaded: %w", this.proxy);
        </handler>
    </javarpc>

    <!-- See $LPS_HOME/WEB-INF/classes/examples/TypesExample.java for the
         Java source. This load will fail because the class is not declared
         in a security pattern. -->
    <javarpc name="te" scope="session" remoteclassname="examples.TypesExample" autoload="false">
        <handler name="onerror" args="err">
            Debug.debug("onerror: %w", err);
        </handler>
        <handler name="onload">
            Debug.debug("proxy loaded: %w", this.proxy);
        </handler>
    </javarpc>

    <view x="10" y="10" layout="axis: x; spacing: 5">
        <button text="Load ConstructExample (allowed)" onclick="canvas.ce.load()"/>
        <button text="Load TypesExample (not allowed)" onclick="canvas.te.load()"/>
    </view>

</canvas>
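Because each pattern is a regular expression, how it is anchored and escaped decides which class names it really admits. The script below is an added example, not part of the OpenLaszlo documentation or code: it audits the allow patterns of an LZX file, assuming a pattern allows a class when it is found anywhere in the class name (search semantics, an assumption suggested by the `^`-anchored patterns above). The third sample pattern and the probe class names are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the page's two allow patterns plus one deliberately loose one.
SAMPLE_LZX = r"""
<canvas>
    <security>
        <allow>
            <pattern>^org\.openlaszlo</pattern>
            <pattern>^examples\.ConstructExample</pattern>
            <pattern>examples.Types</pattern>
        </allow>
    </security>
</canvas>
"""

def allow_patterns(lzx_source):
    """Return the text of every <security>/<allow>/<pattern> in the LZX source."""
    root = ET.fromstring(lzx_source)
    return [p.text.strip() for p in root.findall(".//security/allow/pattern") if p.text]

def is_allowed(class_name, patterns):
    """Assumption: a class is allowed when any pattern is found anywhere in its name."""
    return any(re.search(p, class_name) for p in patterns)

def lint(pattern):
    """List the ways a pattern accepts more class names than it appears to."""
    findings = []
    if not pattern.startswith("^"):
        findings.append("no leading ^: matches inside any package name")
    if not pattern.endswith(("$", r"\.")):
        findings.append(r"no trailing $ or \.: matches every name starting with this text")
    if re.search(r"(?<!\\)\.", pattern):
        findings.append("unescaped '.': matches any character, not only a dot")
    return findings

if __name__ == "__main__":
    patterns = allow_patterns(SAMPLE_LZX)
    for p in patterns:
        print(p, "->", lint(p) or "ok")
    # Constructed class names to probe the allowlist with.
    for name in ("examples.ConstructExample", "examples.ConstructExampleAdmin",
                 "com.acme.examplesXTypesExample", "java.lang.Runtime"):
        print(name, "allowed" if is_allowed(name, patterns) else "denied")
```

Under the stated assumption, ending a single-class pattern with `$` (`^examples\.ConstructExample$`) and a package pattern with `\.` (`^org\.openlaszlo\.`) keeps each to the names it is meant to cover.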
