I use Groovy as dynamic script engine to allow admin users of my web application to create little scripts as part of an interface solution, eg. do simple string operations, tokenize and so on.
Unfortunately that opens quite a big loophole because per default the script engine would execute anything.
I described a demo app here: http://javadude.wordpress.com/2011/06/29/creating-a-zk-groovy-console/
Object value = shell.evaluate("whatever groovy script");
You can execute System.exit(0) which shuts down the AS or even shell commands like "ls -l".execute().textor just snoop around system settings println InetAddress.localHost.hostAddress
I could do a string check before executing, like filter for System.xyz or execute.xyz
With groovy 1.8, you can customize the compiler configuration
There's a blog post here which explains more.
You should aso read: