I'm working on a server app that may be extended by user-supplied Groovy scripts. It's evident that I want to make sure these scripts run in a very tight sandbox where they cannot disrupt the core application code or consume too many resources and overload the server.
I have studied various possibilities and the final solution may be a combination of these:
Run the script within a very restricted security manager. The script is run within a no-permission SecurityManager. Additional permissions have to be declared (like Android).
Launch a new JVM. Create a ScriptProcess wrapper around Runtime.exec, spawning a new JVM with a security manager, limited heap, etc. Because we launch a full-blown process, we might get more control over monitoring badly behaving ones? The cost in resources would be dire though... An alternative would be to use Ant here, but would it be scalable?
Java Monitor API. In Java 6 there is a package with monitoring capacity. We could monitor threads and maybe detect infinite loops and memory consumption. Anyone used this?
These are what I have in mind today. What would be the best way to make sure these scripts behave correctly and still keep a certain scalability and performance?
An additional possibility is using Groovy 1.8 compilation customizers on the GroovyShell that runs the embedded scripts. You can pre-import classes and methods, restrict use of the Groovy AST, and pre-apply an AST transformation, such as @ThreadInterrupt, @TimedInterrupt, or @ConditionalInterrupt. Details at:
http://www.jroller.com/melix/entry/customizing_groovy_compilation_process
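The three customizers named above wired into one GroovyShell, as an added example that is not part of the answer or of the linked post. It assumes Groovy 2.x or later; the helper name `buildSandboxedShell` and the 2-second limit are choices made for the demo.

```groovy
import groovy.transform.TimedInterrupt
import org.codehaus.groovy.control.CompilerConfiguration
import org.codehaus.groovy.control.MultipleCompilationErrorsException
import org.codehaus.groovy.control.customizers.ASTTransformationCustomizer
import org.codehaus.groovy.control.customizers.ImportCustomizer
import org.codehaus.groovy.control.customizers.SecureASTCustomizer
import java.util.concurrent.TimeUnit
import java.util.concurrent.TimeoutException

// Assumed helper name; the limits below are values chosen for this demo.
GroovyShell buildSandboxedShell() {
    def config = new CompilerConfiguration()

    // Pre-import the statics of java.lang.Math so scripts can call max(), abs(), ...
    // without writing any import statement themselves.
    def imports = new ImportCustomizer()
    imports.addStaticStars('java.lang.Math')

    // Restrict the AST: no package statement, no method definitions, no closures,
    // and no imports except the static star import injected above.
    def secure = new SecureASTCustomizer()
    secure.with {
        packageAllowed = false
        methodDefinitionAllowed = false
        closuresAllowed = false
        importsWhitelist = []               // empty list: explicit imports are rejected
        staticImportsWhitelist = []
        staticStarImportsWhitelist = ['java.lang.Math']
    }

    // Pre-apply @TimedInterrupt: a script running longer than 2 seconds gets a
    // TimeoutException at its next loop iteration or method entry.
    def timed = new ASTTransformationCustomizer(value: 2L, unit: TimeUnit.SECONDS, TimedInterrupt)

    config.addCompilationCustomizers(imports, secure, timed)
    return new GroovyShell(config)
}

def shell = buildSandboxedShell()

// Allowed: pure arithmetic on the pre-imported Math statics.
assert shell.evaluate('max(2, 3) * 10') == 30

// Rejected at compile time: the import is not whitelisted, so the SecurityException
// raised by the customizer surfaces as a compilation error.
try {
    shell.evaluate('import java.io.File; new File("x").exists()')
    assert false
} catch (MultipleCompilationErrorsException e) {
    println "rejected: ${e.message}"
}

// Interrupted at run time: the infinite loop trips the injected @TimedInterrupt.
try {
    shell.evaluate('while (true) { }')
    assert false
} catch (TimeoutException e) {
    println "interrupted: ${e.message}"
}
```

SecureASTCustomizer only inspects the syntax tree at compile time, so it does not see what a script reaches through reflection or dynamic dispatch; it is a complement to, not a replacement for, the SecurityManager or process isolation the question already considers.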
You should have a look at the project groovy-sandbox from kohsuke. Have also a look at his blog post here on this topic and what his solution is addressing: sandboxing, but with a performance drawback.
Also have a look at the java-sandbox project and the accompanying blog post http://blog.datenwerke.net/2013/06/sandboxing-groovy-with-java-sandbox.html.