Sandboxing with javax.script
I'd like to add scripting functionality to an app that runs in a Java EE container. The javax.script API seems ideal, since I can support multiple languages with one API; the catch is, the scripts may be coming from untrusted sources, so I need to restrict what they can do. Basically, here are my requirements:
- Multiple scripts running at the same time.
- The scripts do not interact with each other.
- The scripts have no access to the JVM or the Java application code.
- The scripts have no access to the underlying platform (file system, etc).
- The scripts have no network access.
If I can allow specific exceptions, that's great, but it's not essential.
Can this be done at all through the Java Scripting API? Can it be done at a lower level by configuring the scripting providers? Is there a better way to accomplish what I want?