Reputation: 41
I’ve been working on a project that involves dynamically loading and executing third-party code. Obviously, this is inherently risky, and I need a way to sandbox the code and limit its permissions. Java’s SecurityManager has been useful (despite its complexity), but with it being deprecated and eventually removed, I’m left scrambling for alternatives.
Here’s the issue. I need to restrict what this dynamically loaded code can do. For example, it should only be able to access certain directories or communicate with specific IPs or domains. SecurityManager allowed me to enforce these kinds of restrictions at the JVM level. Without it, I’m not sure how to achieve this anymore.
I’ve thought about using Docker or Podman, but those aren’t practical for my needs. Docker is too heavy since it requires a service running in the background, and I need something lightweight that can run on end-user machines without any extra setup. Podman is lighter but doesn’t work across all platforms. My project has to support Linux, Windows, and macOS.
So, here’s what I’m looking for. I need a way to sandbox code in a lightweight and cross-platform manner. Ideally, it would integrate with Java or a similar high-level, compiled language. The solution shouldn’t require root privileges or external dependencies like Docker, and it needs to be secure enough to restrict file system and network access for untrusted code.
If Java is no longer the right tool for this, are there any other languages or technologies that can provide this kind of functionality? I’ve looked into bytecode rewriting and module restrictions, but those approaches seem complicated and don’t address all my needs. I’d love to hear if anyone has dealt with a similar problem or has ideas for how to move forward.
Upvotes: 4
Views: 64
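For readers who have not used the approach the question describes, the following is an added illustration (example code, not the poster's project) of the kind of JVM-level restriction a `SecurityManager` subclass provided: while untrusted code runs on the current thread, only reads under one directory and TCP connects to an allow-list of hosts pass, and a few dangerous runtime operations are refused. The directory, the host `api.example.com`, and the names `RestrictingManager`, `runUntrusted`, `SANDBOX_DIR` and `ALLOWED_HOSTS` are this example's own assumptions. It compiles with deprecation warnings on JDK 17, needs `-Djava.security.manager=allow` to install the manager on JDK 18 through 23, and cannot be installed at all from JDK 24 onward (JEP 486), which is exactly the situation the question is asking about.

```java
import java.io.FilePermission;
import java.net.SocketPermission;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.Permission;
import java.util.Locale;
import java.util.Set;

/**
 * Illustrative SecurityManager subclass (added example, not the poster's code).
 * Checks only apply to the stretch of a thread that runs inside runUntrusted();
 * host code outside it is unrestricted.
 */
@SuppressWarnings("removal")
public class RestrictingManager extends SecurityManager {
    // Assumed sandbox directory and host allow-list for the example.
    private static final Path SANDBOX_DIR =
            Path.of(System.getProperty("java.io.tmpdir"), "sandbox").toAbsolutePath().normalize();
    private static final Set<String> ALLOWED_HOSTS = Set.of("api.example.com");

    // Marks the part of the current thread that is executing untrusted code.
    // Caveat: the flag does not follow threads the untrusted code starts itself.
    private static final ThreadLocal<Boolean> UNTRUSTED = ThreadLocal.withInitial(() -> false);

    @Override
    public void checkPermission(Permission perm) {
        if (!UNTRUSTED.get()) {
            return; // host code: no restriction
        }
        if (perm instanceof FilePermission) {
            String name = perm.getName();
            if (!"<<ALL FILES>>".equals(name)) {
                Path target = Path.of(name).toAbsolutePath().normalize();
                // Read-only access, and only below the sandbox directory.
                if (target.startsWith(SANDBOX_DIR) && "read".equals(perm.getActions())) {
                    return;
                }
            }
            throw new SecurityException("file access denied: " + perm);
        }
        if (perm instanceof SocketPermission) {
            // Note: the JDK often presents the resolved IP rather than the host name,
            // so a real allow-list needs both names and addresses.
            String host = hostOf(perm.getName()).toLowerCase(Locale.ROOT);
            if (ALLOWED_HOSTS.contains(host) && connectOnly(perm.getActions())) {
                return;
            }
            throw new SecurityException("network access denied: " + perm);
        }
        if (perm instanceof RuntimePermission) {
            String name = perm.getName();
            if (name.startsWith("exitVM") || name.equals("setSecurityManager")
                    || name.equals("createClassLoader") || name.equals("setIO")) {
                throw new SecurityException("runtime operation denied: " + perm);
            }
        }
        // Everything else is allowed here; a production policy would tighten this further.
    }

    @Override
    public void checkPermission(Permission perm, Object context) {
        checkPermission(perm);
    }

    // SocketPermission names look like "host", "host:port" or "host:port-range";
    // IPv6 literals are bracketed, so split only on a colon after the closing bracket.
    private static String hostOf(String name) {
        int colon = name.lastIndexOf(':');
        int bracket = name.lastIndexOf(']');
        return (colon > bracket) ? name.substring(0, colon) : name;
    }

    // Permit only outbound connects (and the name resolution that goes with them).
    private static boolean connectOnly(String actions) {
        for (String a : actions.split(",")) {
            if (!a.equals("connect") && !a.equals("resolve")) {
                return false;
            }
        }
        return true;
    }

    /** Runs task with the sandbox checks switched on for the current thread. */
    public static void runUntrusted(Runnable task) {
        UNTRUSTED.set(true);
        try {
            task.run();
        } finally {
            UNTRUSTED.set(false);
        }
    }

    public static void main(String[] args) throws Exception {
        // Throws UnsupportedOperationException on JDK 18-23 without
        // -Djava.security.manager=allow, and unconditionally on JDK 24+ (JEP 486).
        System.setSecurityManager(new RestrictingManager());

        Files.createDirectories(SANDBOX_DIR);
        Path inside = Files.writeString(SANDBOX_DIR.resolve("input.txt"), "hello"); // constructed input

        runUntrusted(() -> {
            try {
                System.out.println("inside sandbox: " + Files.readString(inside));
                Files.readString(Path.of(System.getProperty("user.home"), ".ssh", "id_rsa"));
            } catch (SecurityException e) {
                System.out.println("blocked: " + e.getMessage());
            } catch (java.io.IOException e) {
                throw new RuntimeException(e);
            }
        });
    }
}
```

Run as `java -Djava.security.manager=allow RestrictingManager.java` on JDK 18 through 23; the first read succeeds and the second is refused by the manager before the file is opened. The thread-local flag is the simplest way to keep the host unrestricted, but it is also the weakest point of this design: anything the untrusted code does on a thread it creates, or any permission check the JDK performs on its behalf in another thread, escapes the checks, which is one reason this approach was never a substitute for a process or OS-level sandbox.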