
My JEE app runs under TomEE and allows the user to write his/her own scripts and run them from a web GUI, but I'd like to restrict certain operations such as System.exit(1) for example.

A discussion related to this issue can be found in the beanshell2 forum - check this out - http://code.google.com/p/beanshell2/issues/detail?id=15

Any scriptable language that works from within the JVM is OK, but I need this level of control. My first attempt was using BeanShell, but it seems, as we can see from the discussion above, that this is not an option.

I would like to avoid more esoteric languages since the end user is technical, but I can't ask him/her to learn an unknown programming language just to write a script :-) [or maybe I can, if I don't find any useful option for this]

How can I get that? Groovy? Any other JVM-based script language maybe?

2 Answers


I used Rhino a long time ago. It allows running JavaScript in a Java app (or server side). You will probably need to manage security issues manually.

Not sure this is what you are looking for, but it can help: https://developer.mozilla.org/en-US/docs/Rhino

Kloe2378231
  • Good idea. Maybe this is what I am looking for - https://forums.oracle.com/thread/1538661 - thanks –  Dec 03 '13 at 18:22

Groovy has a lot of power in CompilerConfiguration. You can choose the usable imports and a lot of other stuff. Allowed stuff can be whitelisted or blacklisted using SecureASTCustomizer.

Will
  • I'd also look at the [Groovy Sandbox](http://groovy-sandbox.kohsuke.org/) project (as SecureASTCustomizer can be [a bit leaky](http://kohsuke.org/2012/04/27/groovy-secureastcustomizer-is-harmful/)) – tim_yates Dec 03 '13 at 20:01
  • Groovy Sandbox definitely looks like the best option here, and Kohsuke's default license is MIT, which is better than BeanShell (GPL) in my specific case. –  Dec 04 '13 at 00:16
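
The `CompilerConfiguration` plus `SecureASTCustomizer` setup from the Groovy answer above, as an added example that is not part of the original answer or of the Groovy project's own code. The class name `RestrictedScriptRunner`, its methods and the sample scripts are assumptions made for illustration; it needs the Groovy jar on the classpath.

```java
import groovy.lang.GroovyShell;
import org.codehaus.groovy.control.CompilationFailedException;
import org.codehaus.groovy.control.CompilerConfiguration;
import org.codehaus.groovy.control.customizers.SecureASTCustomizer;

import java.util.Arrays;
import java.util.Collections;

// Hypothetical host-side class (not from the original page).
public class RestrictedScriptRunner {

    // Build a shell whose compiler refuses scripts that call into blocked classes.
    static GroovyShell newRestrictedShell() {
        SecureASTCustomizer secure = new SecureASTCustomizer();
        // Reject method calls whose receiver type, as seen in the AST, is listed here.
        // This is a compile-time check on static types, not on runtime types, which is
        // why the comment above calls it leaky: do not rely on it as the only barrier.
        secure.setReceiversBlackList(Arrays.asList("java.lang.System", "java.lang.Runtime"));
        // Empty whitelists mean no static imports are accepted at all.
        secure.setStaticImportsWhitelist(Collections.<String>emptyList());
        secure.setStaticStarImportsWhitelist(Collections.<String>emptyList());

        CompilerConfiguration config = new CompilerConfiguration();
        config.addCompilationCustomizers(secure);
        return new GroovyShell(config);
    }

    // Returns the script result, or a rejection message if compilation was refused.
    static Object run(String script) {
        try {
            return newRestrictedShell().evaluate(script);
        } catch (CompilationFailedException e) {
            // The customizer's SecurityException is reported as a compilation error,
            // so the rejected script is never executed.
            return "REJECTED: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed sample scripts.
        System.out.println(run("[1, 2, 3].sum()"));   // allowed, evaluates normally
        System.out.println(run("System.exit(1)"));    // refused: blacklisted receiver
        System.out.println(run("import static java.lang.System.exit\nexit(1)")); // refused: static import
    }
}
```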