Output creation fails when Enhance configuration accesses the Java API

Problem description:

After updating OL Connect to version 2020.2, output creation fails when using the REST API to run an Enhance configuration that attempts to access the Java API.

The Weaver engine logs messages like:

org.mozilla.javascript.EvaluatorException: Access to Java class "sun.nio.fs.WindowsPath" is prohibited.

or

org.mozilla.javascript.EcmaError: TypeError: Cannot call property get in object [JavaPackage java.nio.file.Paths]. It is not a function, it is "object".

Cause:

To enhance security, JavaScript that is evaluated by the Weaver engine no longer has access to the Java API. This applies to OL Connect versions 2020.2 and up.

The Weaver engine provides a JavaScript API that is capable of nearly everything that is needed. In the few cases where additional functionality is required, this is usually solved by using the REST API to run a custom Enhance configuration. Such configurations sometimes need access to the Java API.

Suggested solution(s):

When access to the Java API in JavaScript is essential, all necessary Java classes should be listed in an allowed file. This includes Java classes that are used in the JavaScript as well as any Java classes that appear as intermediate values. Java classes used directly in the JavaScript are quite easy to identify, but there is no easy way to identify Java classes that appear as intermediate values. The only solution is to run the Enhance configuration repeatedly and examine the logged error messages.

The allowed file

As of version 2020.2, an empty allowed file is included in the Connect installation. This file should be modified to list each Java class that may be used in JavaScript evaluated by the Weaver engine.

The Weaver engine uses this file each time it creates output. So, in every output creation job, the same Java classes are exposed to JavaScript.

Typically the full path of the allowed file is:
C:\Program Files\Objectif Lune\OL Connect\plugins\com.objectiflune.weaver.engine_<version>\runtime\lib\scripting\allowed

Note: Since this file is located in the installation directory, sufficient access rights are needed to be able to edit this file.

Note: An upgrade or reinstallation of Connect wipes out any changes that were made to this file.

Format of the allowed file

  • Every Java class must be specified on a separate line.

  • The same Java class may appear multiple times.

  • Empty lines or lines starting with a # character are ignored.

  • The # character can follow a Java class for adding a comment.

Example:

# comment line
java.io.File
java.io.File# comment immediately after class
java.io.File # space after class followed by comment
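
One way to work through the logged errors described above, as an added example that is not part of OL Connect or the original article: a Python helper that extracts blocked class names from Weaver log text and lists those not yet in the allowed file. The function names and sample inputs are constructed for illustration, and reading the name after "JavaPackage" as a blocked class is an assumption.

```python
import re

# Both patterns come from the Weaver engine messages quoted in the article.
# Assumption: the name after "JavaPackage" in the second message is the class
# that was not exposed to the script.
BLOCKED = re.compile(
    r'Access to Java class "([^"]+)" is prohibited'
    r'|\[JavaPackage ([\w.$]+)\]'
)

def parse_allowed(text):
    """Return the set of class names listed in an allowed file."""
    classes = set()
    for line in text.splitlines():
        # Everything from '#' onward is a comment; empty results are skipped.
        name = line.split("#", 1)[0].strip()
        if name:
            classes.add(name)
    return classes

def missing_classes(log_text, allowed_text):
    """Classes reported as blocked in the log but absent from the allowed
    file, in order of first appearance and without duplicates."""
    allowed = parse_allowed(allowed_text)
    missing = []
    for m in BLOCKED.finditer(log_text):
        cls = m.group(1) or m.group(2)
        if cls not in allowed and cls not in missing:
            missing.append(cls)
    return missing

# Constructed sample inputs: the allowed file example from the article and
# log lines modelled on the messages it quotes.
SAMPLE_ALLOWED = '''\
# comment line
java.io.File
java.io.File# comment immediately after class
java.io.File # space after class followed by comment
'''
SAMPLE_LOG = '''\
org.mozilla.javascript.EvaluatorException: Access to Java class "sun.nio.fs.WindowsPath" is prohibited.
org.mozilla.javascript.EcmaError: TypeError: Cannot call property get in object [JavaPackage java.nio.file.Paths]. It is not a function, it is "object".
org.mozilla.javascript.EvaluatorException: Access to Java class "java.io.File" is prohibited.
'''

if __name__ == "__main__":
    for cls in missing_classes(SAMPLE_LOG, SAMPLE_ALLOWED):
        print(cls)
```

Because the same classes are exposed to JavaScript in every output creation job, add only the classes this reports and review each one before listing it.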