How can I allow a final user to run scripts in a JEE environment under specific security constraints?

Question

My JEE app runs under tomee and allows the user to write his/her own scripts and run from a web gui, but I'd like to restrict certain operations such as System.exit(1) for example.

A discussion related to this issue can be found in the beanshell2 forum - check this out - http://code.google.com/p/beanshell2/issues/detail?id=15

Any scriptable language that works from within the JVM is OK, but I need this level of control. My first attempt was using beanshell, but it seems, as we can see from the discussion above, that this is not an option.

I would like to avoid more esoteric languages since the end user is technical, but I can't ask him/her to learn an unknown programming language just to write a script :-) [or maybe I can, if I don't find any useful option for this]

How can I get that? Groovy? Any other JVM-based script language maybe?

Answer 1

Groovy has a lot of power in CompilerConfiguration. You can choose the usable imports and a lot of other stuff. Allowed stuff can be whitelisted or blacklisted using SecureASTCustomizer

Answer 2

I used Rhino a long time ago. It allows run JavaScript into a Java App (or server side). You will probably need to manage security issues manually.

Not sure this is what you are looking for, but it can help: https://developer.mozilla.org/en-US/docs/Rhino