velocity-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jonathan Revusky <>
Subject Re: security audit
Date Wed, 04 Jun 2003 09:45:13 GMT
Serge Knystautas wrote:
> Jonathan Revusky wrote:
>>> Nope, service providers will not deploy velocity if it is not safe!
>> FWIW, it seems like a non-issue to me. A security-conscious ISP would 
>> only let java servlets run in a sandbox and the same security 
>> restrictions that apply to the servlets would apply to the Velocity 
>> (or FreeMarker or any other) templates that the servlet makes use of.
> As an example of a service provider, we have selected velocity as the 
> templating engine because of the ease that it integrates with our Java 
> architecture (mainly over PHP).  I'd rather not get into sandboxing 
> since we are not exposing Java or any true programming capabilities... 
> just some basic templating and scripting.

Well, okay. I have to admit that I was wrong when I assumed that any 
service provider who offered Velocity templates would also be offering 

Still, I would say that if you're really serious about security, the 
java SecurityManager approach really has to be the way to go. There has 
simply been a much heavier effort put into that than will ever be put 
into locking down Velocity, say.

Also, if you define your security policy that way, it will apply not 
just to Velocity templates, but to any other scripting/templating 
technology that you make available -- jython, beanshell, or whatever.

> So I would be interested in being able to lock-down velocity so that 
> authors (our customers) cannot do bad things.

Well, I can't help but point out that this would be a non-issue if you 
were using FreeMarker. You can configure FreeMarker so that it does not 
allow any invocation of methods by reflection. And then that's clearly 
quite secure. And even in that restrictive mode, FreeMarker is quite 
powerful. You can expose a data structure of hashes, lists, and scalars 
and unlike with Velocity, the scalars can be decimal numbers or 
time/date objects with full control over localized display. Truth told, 
even with FM configured to disallow reflective method calls, you can 
probably do pretty much all the things that you would legitimately want 
to do in a template. You just can't invoke arbitrary methods on objects.

Best Regards,

Jonathan Revusky
lead developer, FreeMarker project,
FreeMarker-Velocity comparison page:

FreeMarker 2.3pre2 is out!

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message