Reputation: 734
My question is similar to:
why java security manager doesn't forbid neither creating new Thread() nor starting it?
I'm writing a didactic application, where students are allowed to submit Java code that performs certain tasks, and interact with each other.
We need to safely load, compile and execute some code.
Using the Java tools we can complete the compilation of the code all in memory; then a custom class loader loads the code, and the code is executed in a thread, with a certain timeout, and with a custom security manager.
However, it is still possible for the students to create Threads in their code, set them in a loop and eventually exhaust the System/Tomcat resources.
Is there a way to prevent the creation of threads? The cited answer said:
"From your perspective, just change the policy."
What does that mean in practice?
I tried to override the methods checkPermission(Permission) and checkAccess(ThreadGroup) but I'm still unable to intercept Thread creation/start.
Upvotes: 1
Views: 1422
Reputation: 1167
The accepted answer to the other question you cited is incorrect. In order to prevent code from creating new threads, you need to subclass the standard Java SecurityManager and either override getThreadGroup or checkAccess(ThreadGroup). I've posted an answer to the other question with the details.
Upvotes: 4
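One way to apply the checkAccess(ThreadGroup) override described in the answer above, as an added example that is not code from this thread: the host runs each submission in a dedicated thread group, and the manager refuses thread creation for any caller inside that group. The class names, the `student-sandbox` group and the permissive checkPermission are assumptions, and it needs a JDK that still permits System.setSecurityManager (17 or earlier).

```java
import java.security.Permission;
public class NoThreadsSandbox {
    // Hypothetical group: the host starts every submission thread inside it.
    static final ThreadGroup SANDBOX = new ThreadGroup("student-sandbox");

    static class NoThreadsManager extends SecurityManager {
        private static boolean callerIsSandboxed() {
            return SANDBOX.parentOf(Thread.currentThread().getThreadGroup());
        }
        // Thread's constructors call ThreadGroup.checkAccess(), which delegates here.
        @Override
        public void checkAccess(ThreadGroup g) {
            if (callerIsSandboxed()) {
                throw new SecurityException("submitted code may not create threads");
            }
            super.checkAccess(g);
        }

        // Demo assumption: no policy file, so allow all but replacing the manager.
        @Override
        public void checkPermission(Permission perm) {
            if (callerIsSandboxed() && "setSecurityManager".equals(perm.getName())) {
                throw new SecurityException("submitted code may not replace the manager");
            }
        }
    }

    // Runs a submission on a sandbox-group thread and reports what happened.
    static String runSubmission(Runnable submitted) throws InterruptedException {
        String[] outcome = {"thread creation was allowed"};
        Thread worker = new Thread(SANDBOX, () -> {
            try {
                submitted.run();
            } catch (SecurityException e) {
                outcome[0] = "blocked: " + e.getMessage();
            }
        }, "submission");
        worker.start();
        worker.join(5_000);
        return outcome[0];
    }

    public static void main(String[] args) throws InterruptedException {
        System.setSecurityManager(new NoThreadsManager());
        // Constructed stand-in for student code that tries to spawn a looping thread.
        Runnable student = () -> new Thread(() -> { while (true) { } }).start();
        System.out.println(runSubmission(student));
    }
}
```

The check keys on the caller's thread group rather than the target group, so passing an explicit ThreadGroup to the Thread constructor does not bypass it.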
Reputation: 51319
It seems like what you'd want to do is create another JVM (e.g. java process), which can then be killed wholesale if things get out of control. Is there any reason that you wouldn't do that?
You could also add a jar of your own to the new JVM's classpath, and use your JAR as the entry point. That way you can set up things like your custom security manager before suspect code runs. You can also run the JVM under an account with restricted permissions to prevent malicious system interaction.
Upvotes: 0