I am working on a project where I will let users submit small 'scripts' to the server, and I will execute those scripts. There are many scripting languages which can be embedded into a Java program, such as mvel, ognl, uel, clojure, rhino javascript, etc., but, as far as I can tell, they all allow script writer to call Java constructors, static methods, etc. I don't want my users to be able to call anything which I don't provide them (usually through some sort of context object). Most of their scripts will be arithmetic and logical expressions, in some cases they will need to traverse object properties (getters/setters) or contents of a Map. I just don't want them to escape the sandbox I provide them. Any suggestions?
Looks like Java's JSP language (UEL) can do it. In order to access Java's static methods, they have to be aliased in an xml file--and I don't think non-static methods can be accessed. I can't confirm this since I can't get glassfish's UEL to work yet.