Graeme,
> Whether it is an enterprise application or a web application, the
> security rules to avoid injection attacks are the same.
Technically you are right.
Psychologically everyone feels paranoid about the words "script"
and "web" immediately, but one can easily feel on the safe side when
"only" providing configuration support by implementing "only" a DSL in
embedded script languages, accessible "only" by the internal employees
(well, perhaps the thousands of them ...).
For this kind of warm safety feeling you only need to create a 1k
application showing a wall icon in the systray ;-) .
(PS: Perhaps with a feature to randomly change this icon by one where
the wall is crossed out, to create some FUD here and there *hehehe*).
> The most important rule is essentially don't EVER accept code as
> input from the user unless it can be sandboxed or is secured in
> a way it can only be authored by administrators.
This is easy for an external DSL, where you really know and have access
to your AST. Not so easy for complex scripting support, I suppose.
BTW: Ruby has this 'tainted' feature, I remember ... would anything
like that be possible/useful/necessary for Groovy?
KR
Det
***********************************************************************
The information in this e-mail is confidential and intended solely for
the named addressee(s). Access to this e-mail by persons other than the
named addressee(s) is not permitted. If you are not the named addressee,
please delete this e-mail.
***********************************************************************
BITMARCK Software GmbH
Paul-Klinger-Strasse 15, 45127 Essen
Amtsgericht Essen HRB 20680
Managing Directors: Frank Krause, Andreas Prenneis
---------------------------------------------------------------------
To unsubscribe from this list, please visit:
http://xircles.codehaus.org/manage_email
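As an added illustration of the "sandbox the DSL at the AST level" point discussed in this thread (example code written here, not taken from the mails above or from the Groovy project), the following uses Groovy's SecureASTCustomizer to confine an embedded configuration DSL to a fixed set of receiver types with no imports, closures or method definitions; the `settings` binding variable and both DSL snippets are constructed for the demo.

```groovy
import org.codehaus.groovy.control.CompilerConfiguration
import org.codehaus.groovy.control.MultipleCompilationErrorsException
import org.codehaus.groovy.control.customizers.SecureASTCustomizer

// Compile-time restriction of what the embedded DSL may reference.
def secure = new SecureASTCustomizer()
secure.with {
    closuresAllowed = false
    methodDefinitionAllowed = false
    importsWhitelist = []               // no imports at all
    staticImportsWhitelist = []
    staticStarImportsWhitelist = []
    indirectImportCheckEnabled = true   // also reject fully qualified class names in the body
    // Only these receiver types may have methods called on them.
    receiversClassesWhiteList = [Object, Integer, Long, BigDecimal, String].asImmutable()
}
def config = new CompilerConfiguration()
config.addCompilationCustomizers(secure)

// The binding is the only "API" the DSL sees: a hypothetical settings map.
def binding = new Binding(settings: [:])
def shell = new GroovyShell(binding, config)

// Constructed DSL snippet an administrator might legitimately author.
def goodScript = '''
settings.maxRetries = 3 * 2
settings.name = "batch-" + settings.maxRetries
'''
shell.evaluate(goodScript)
assert binding.settings.maxRetries == 6
assert binding.settings.name == 'batch-6'

// Constructed snippet that reaches outside the DSL: System is not an allowed receiver,
// so compilation fails before any of it runs.
def badScript = 'settings.home = System.getProperty("user.home")'
try {
    shell.evaluate(badScript)
    assert false, 'the customizer should have rejected this script'
} catch (MultipleCompilationErrorsException | SecurityException e) {
    println "rejected at compile time: ${e.message.readLines().first()}"
}
```

Note that SecureASTCustomizer inspects the AST at compile time only; it does not track tainted data at runtime the way Ruby's taint flag does, and code that reaches restricted classes through runtime metaprogramming or reflection still needs a separate runtime control.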