0

Java as scripting language can use both Beanshell and Groovy for JSR223 scripting (with minor restrictions/changes)

Java based (template engine) projects as Velocity have JSR223 support

Velocity can be integrated into the Java Scripting Language Framework (as defined by the JSR-223 API).

Freemarker suggest it in its contributors page

  • javax.script (JSR-223) support

But when is it better to execute java based code through scripting? when it's better then executing it as a regular java code?

Ori Marko
  • 56,308
  • 23
  • 131
  • 233
  • Beside the obvious answer (when the code/logic isn't known until runtime), there are many cases where the program has to take code from the user (who can be a developer too): you may need to write your own DSL, evaluate user-defined functions & formulas. Sometimes these things make more sense as inline scripts rather than pre-compiled java code to be brought along and deployed in your application's lib directory before a restart. – ernest_k Jun 20 '19 at 05:38
  • @ernest_k it's interesting, I didn't encounter such integration with third party, or you refer to an in-house integration – Ori Marko Jun 20 '19 at 05:55
  • I have encountered all of these use-cases in work I had to do: implement a javascript-based cli tool backed by a java library, allow users to input excel-like formulas (in groovy) and evaluate them in a data pipeline. But I should agree that most advanced use cases are quite low-level (like, e.g., groovy in jenkins pipelines, which may or may not be using that jsr) – ernest_k Jun 20 '19 at 05:59
  • @ernest_k The Jenkins Groovy support is *most definitely not* using the JSR. It rewrites the Groovy code so that it can checkpoint the results after every statement and execute parts of it in different containers. As someone who's comfortable with Groovy and has written AST transformations, the stuff still makes my head hurt. – chrylis -cautiouslyoptimistic- Jun 20 '19 at 06:09

1 Answers1

0

I found a security usage where you can execute script with limited access/sandbox using ScriptEngineManager(java.lang.ClassLoader)

Q:

I don't want any script to have access to any of my classes.

A:

There is a constructor for ScriptEngineManager that takes a classloader. The classloader is used to load the scripting engine implementation. As classes inherit their classloaders, the scripting engine and any objects it creates should also use that classloader.

That classloader needs to deny the existence of any classes that are not white-listed.

Community
  • 1
  • 1
Ori Marko
  • 56,308
  • 23
  • 131
  • 233