Jasper Report Security Sandbox

I am writing a Java web application that I would like to allow users to run basic reports in PDF format. I usually used Jasper Reports for this. However, this time I would like users to be able to edit their own reports in iReport and upload them, which should be fairly straightforward.

It made me think: Jasper allows you to efficiently write code in reports that runs when a report is created. Is it possible to write a report that has full access to the Java API and therefore to my web application? I do not want users to be able to kill Tomcat or, even worse, use the DAO API that I created to read other users' data.

Does anyone know if this is really possible, and if so, then somehow you can do it. Maybe I can filter out the XML reports before it runs some of them?

Is it also known that the same applies to other open source reporting tools such as BIRT?

+3
2 answers

Take a look at the java-sandbox [1] that we use in our ReportServer BI server [2]. I am currently preparing a blog post that will explain how to run JasperReports in an isolated environment.

As for BIRT, it's the same. Here, the user cannot directly write Java code, but they can use Rhino, which ultimately has the same effect.

[1] http://blog.datenwerke.net/p/the-java-sandbox.html
[2] http://reportserver.datenwerke.net

+1

- [1], PDF , i-,

, API- Java Security Engine, .

, , Heroku -, Linux Containers (LXC) [2], " " lxc.

" ", , "", .

[1] http://reports.simpleservic.es/landing
[2] http://en.wikipedia.org/wiki/LXC

+2
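The question's idea of filtering the report XML before it runs, sketched as an added example (not code from either answer or from the java-sandbox project). The class name `JrxmlScreen` and the allowlist grammar are assumptions: only `$F{}`/`$P{}`/`$V{}` references, literals and basic operators pass, so any Java identifier in an expression is flagged. It is a pre-check to use alongside an isolated execution environment, not in place of one.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class JrxmlScreen {  // hypothetical helper, not part of JasperReports
    // Assumed allowlist: field/parameter/variable references, numbers, quoted
    // strings, operators. Possessive quantifiers avoid regex backtracking.
    private static final Pattern SAFE = Pattern.compile(
        "(?:\\s|\\$[FPV]\\{[\\w .-]++\\}|\\d++(?:\\.\\d++)?"
        + "|\"[^\"\\\\]*+\"|[-+*/()?:<>=!&|])*+");

    static List<String> screen(byte[] jrxml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // The upload is untrusted XML: refuse DTDs so no entities can be declared.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setNamespaceAware(true);
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(jrxml));
        List<String> findings = new ArrayList<>();
        Element root = doc.getDocumentElement();
        if (root.hasAttribute("scriptletClass")) findings.add("scriptletClass attribute");
        String lang = root.getAttribute("language");
        if (!lang.isEmpty() && !lang.equals("java")) findings.add("language=" + lang);
        NodeList all = doc.getElementsByTagName("*");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            String name = e.getLocalName();
            if (name.equals("scriptlet") || name.equals("import")) {
                findings.add("<" + name + "> element");
            } else if (name.endsWith("Expression")
                    && !SAFE.matcher(e.getTextContent()).matches()) {
                findings.add("<" + name + ">: " + e.getTextContent().trim());
            }
        }
        return findings;  // empty list means nothing outside the allowlist
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample report: the first expression passes, the second is flagged.
        String sample = "<jasperReport name=\"r\"><detail><band><textField>"
            + "<textFieldExpression><![CDATA[$F{name} + \" \" + $V{PAGE_NUMBER}]]>"
            + "</textFieldExpression></textField><textField>"
            + "<textFieldExpression><![CDATA[System.getProperty(\"user.home\")]]>"
            + "</textFieldExpression></textField></band></detail></jasperReport>";
        screen(sample.getBytes(StandardCharsets.UTF_8)).forEach(System.out::println);
    }
}
```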
