Sandboxing JSR-223

Question

I\'m trying to sandbox JSR-223. Specifically, I don\'t want any script to have access to any of my classes. (I hear Rhino can do that with ClassShutter, but I want to do it

Answer 1

There is a constructor for ScriptEngineManager that takes a classloader. The classloader is used to load the scripting engine implementation. As classes inherit their classloaders, the scripting engine and any objects it creates should also use that classloader.

That classloader needs to deny the existence of any classes that are not white-listed.

Top it off with a custom SecurityManager so you can base access checks on which classloader in use.

Edit: Here's an article I found on Sandboxing Rhino in Java. Most of it should also apply to JSR-223. Sun's implementation is Rhino with modifications, so there may be some differences.