So there seems not good to use groovy at all, as users could have more access than expected, like if I put some groovy scripts they could just change them and do (without restrictions) whatever they want right?
I mean, for updates and patches, the best way is use xdelta3, no need to send scripts that may be tampered with.
now, lua is very well spoken about but has annoying syntax,
and javascript I think could be slow…
PS.: offtopic, reply reference just worked hehe 
very cool bro!
I think I will go with javascript then, I read that article, cool!
I alwas wanted to use javascript but was concerned about speed, now they fixed that (and now I need to move to eclipse fast to use java 8 hehe)
Looks like Groovy and Grails will need to find new funders pretty soon
I read there, his hardened-lua seems to counter/minimize poorly coded user scripting.
also I have a concern against javascript; long ago when I tried it, I think it was not possible to make the script create threads, or run in a thread; may be that was a limitation of the application I was trying to run javascript into… still have to find it out…
I think you can easily run the Javascript in a thread since all you do is call scriptEngine.eval(“js code here”) to interpret it. Just put that in it’s own thread I suppose.
There is a way of creating the Nashorn script engine as well so that Javascript can’t use standard Java classes for security, see http://stackoverflow.com/questions/24466203/how-to-remove-java-apis-from-nashorn-engine for more on that.
You don’t want scripts to create threads. Even for ‘trusted’ scripts, it should all be handled by library functions, rather than spawning thread directly in script using core java access. From library callback implementation, there is no issue with spawning threads if needed.
Unless you are doing some kind of MMO type thing where you want to make user-driven content (MOO mud like) or configurable UI macros (WoW addons like), I would suggest not worrying about making scripting secure. Give more power to users, they can cheat if they try anyway (running game in debug mode on custom jvm etc). Doing secure scripting is considerably harder than freeform one and given our time budgets, it is probably better to cut as much difficulties as possible.
@abies
well… considering they “guess decompiled” obfuscated minecraft and recompiled it, we should really not bother much heh… I just think something is better than nothing, and if my application doesnt get hugely popular, that may not happen to it :> (or :(, now I dont know heh)
@DannyJo it may do the trick thx!