Skip to content

@jimjag jimjag released this Dec 22, 2020

BeanShell 2.1.0

This release formalizes the merge of 2.0b6 with suitable backports from
the development (HEAD) version of BeanShell (3). Also included are
are some ALv2 contributions to the BeanShell2 fork that had not been
folded into BeanShell but are still applicable to this version. For
backwards compatibility purposes, the 2.x branch of BeanShell still
supports a minimum Java version of 1.6.


BeanShell is licensed under the Apache License, version 2.0. See the file LICENSE for details, and the NOTICE file for required attributions.


SHA1 checksums for this release:

b453dcd49b73d1ad13be2b43be542a0a9245cfde  bsh-2.1.0-sources.jar
c18cdc5c9d50de600ef29be94f7b0a698fd58cdd  bsh-2.1.0.jar
ef6b86a126ae192d8639af6f5b3dbe5d4c6d7dde  bsh-2.1.0.pom
e3d4e047dea7794ac953f457650c4d352bf1e54f  bsh-bsf-2.1.0.jar
3b2dc78453dfcef7ab39a8d6c373ca27bbd66a29  bsh-classgen-2.1.0.jar
7353f0b1deb79be4b4f47761a9ab1a18edeeb01e  bsh-classpath-2.1.0.jar
4add5287b65631445fca73cb1e87fbc22fc9fff7  bsh-commands-2.1.0.jar
878e7daf5556efc0e9ca90a66dcf3382bbf7c6a1  bsh-core-2.1.0.jar
7b108f36f36ab9f631aff69f94b1f3e04a9f0b1f  bsh-engine-2.1.0.jar
978e89d4bb22ad64c80d879e1966b4f046adc34d  bsh-reflect-2.1.0.jar
401870e5e102dbc93a824a3bc36ed7495ecb297f  bsh-util-2.1.0.jar
8122bec512b1cc3987817e217c1cd24c85b09b09  bshservlet-wbsh.war
937922d8f162a12ec9fbf89732e8ebdfb355e939  bshservlet.war


d73cf887d96f7f5f2e4f926cc5d60998e6b58abc3361d74e201ce7e6d56666af06dc20fca1be1f982124efac1091e149c62419b469c87a9e2abdd0984481e86f  bsh-2.1.0-sources.jar
f29ec0b382e8648b9f7506cc976ac533d82a941986e0beab3464cd1659334d8f8369c139124591ba45306dc8c0eb7090bd915ece364cdd476dd929fde3da2c34  bsh-2.1.0.jar
52f4d03510691259ee13799726ee18b31255dbfdef1b46ff3b82e7fc065021d0b391772804b201380366c2cbd23392f6ec1ba50d9d5cf15c9becaae331fba1c6  bsh-2.1.0.pom
5ec81ef5ae8de2912286d729000b68f49b1ab663368d7e88bbb7c2fa5b7b7232172a35986ca40ae48a5e3c9306c754520b7a9dcbe316e4f06c35a760c05d9769  bsh-bsf-2.1.0.jar
8da1d943fb1468dcc10b025ca71b69d1293543769425c0739ef19369461abf06678bedc74f28c72e924532048852bc34ef192282a83fd92c4fa53b2dd73f21eb  bsh-classgen-2.1.0.jar
ec148ab1964bfd855865832e7627d1baf7b3f60dc6b4ab0127ba223bd7182dd40d614fb5c0407f030e6709b716113c525dc8ff53d5bb53190065ec38bc1d81e9  bsh-classpath-2.1.0.jar
a72e0eecc1774ebd8267251974ff2c63c34aeb0d090387edf0d7e45a3c6b3fee5194a752d367a00600eb8a2a653ef59b7df639f790cf5b84591d71cdfe7fb257  bsh-commands-2.1.0.jar
9d195f84f7c16ed0606031b2a3e29f8e71a10d550612cf74306947410aeaf7be178638924ede6023f0646fc64f5479354c2b6baa8c9590b78897deec34e29274  bsh-core-2.1.0.jar
fc93d7d3290749fb4cb84186681d1d5701b8f3e32d24cca9fd0ef5a1ada707d8896ff894078ab09efdcdd4952c2640d3743775fa3c0e402282df641b6dba4d36  bsh-engine-2.1.0.jar
4593852542b3bdd5e219f15ea92eaa987d6b0d01bf46b79a28732d49849e926125c7747a2c15adafbb504bd2d93bd69c7182a802a8aaa5c25794b6a7c0e8a265  bsh-reflect-2.1.0.jar
ab143d260ea63e7d721c703710e1c17228d7853bc6e16af8df31abfdac407d01569e3e76b28267f2f87c2f1f8c78b65d2770323bc3763532dff12584b06bfa55  bsh-util-2.1.0.jar
a4ddd16383bd3b1c88f1091ae63004e7a2d008211a9e5f1e356a4eeaedde907dd62d67e75b23af20d6d420cea334ae6c1230d4212daab8f72a142172342f44bc  bshservlet-wbsh.war
ad153821b7f57493b9b5b08248d9b5c2ab718c76d571fbb40456ff599e9b55deafd9ceb78c0883c04132307b713962d30cbd62495d3628fe13195b1792adf7d4  bshservlet.war

User interface

To execute the Beanshell user interface, either double-click the JAR file, or run it with:

java -jar bsh-2.1.0.jar 

You will need Java 6 or later installed. Note that there is a bug (#4) which may cause a hang, preventing the user interface from running with Java 8.

Assets 17
Jan 13, 2019
2.0b4 Release. May 27, 2005.
Jan 13, 2019
Announcement - BeanShell 2.0b1

After several months of intense work I am pleased to announce the first
release of BeanShell 2.0.  With version 2.0 BeanShell becomes a fully
compatible scripting language.  BeanShell is now capable of interpreting
ordinary Java source and loading .java source files from the class path.
Although this code is still in beta I have been able to execute almost
all of
the 165 example programs from my book (Learning Java, O'Reilly &
without modification as well as BeanShell's own file.
The additional code to make this possible adds only about 30K to the
of the package and the core minimal language distribution without class
remains less than 150K.

BeanShell scripted classes are fully typed and appear to outside Java
code and
via reflective inspection as ordinary classes.  However their
implementation is
fully dynamic and they may include arbitrary BeanShell scripts in their
methods, and constructors.  Users may now freely mix loose, unstructured
BeanShell scripts, method closures, and full scripted classes.
scripted classes are "bound" in the script namespace in which they are
and so can freely refer to other scripted items such as scripted
commands, and "global" variables of the script. e.g.

    // MyScript.bsh
    count = 5;

    class HelloWorld extends Thread {
        public void run() {
           for(i=0; i<count; i++)
              print("Hello World!");

    new HelloWorld().start();

All methods and constructors of the scripted classes delegate to the
interpreter at runtime and all typed variables appear as true class
Loosely typed variables and methods may still be used inside the class
but are
strictly private to the class body.

Previous limitations on the implementation of anonymous inner classes
have also
been lifted, allowing BeanShell to extend arbitrary Java classes and
abstract base classes.

BeanShell 2.0 also brings with it two new language features:

JDK 1.5 style static class imports.  You can import the static methods
fields of a java Class into a BeanShell namespace. e.g.

    static import java.lang.Math.*;

Instance object imports (mix-ins) with the importObject() command.  You
import the methods and fields of a Java object instance into a BeanShell
namespace.  e.g.

    Map map = new HashMap();
    importObject( map );
    put("foo", "bar");
    print( get("foo") ); // "bar"
Jan 13, 2019


Changes from 0.96 to 1.0
Not necessarily in order of importance

    Added generalized support for scripts implementing interfaces (e.g.
arbitrary event listeners). This uses the important new JDK1.3
reflection proxy mechanism to manufacture a proxy interface at run time.
No code generation is necessary!
        Added support to the cast operation to use the new mechanism.
        Added support for automatic conversion to interface on method
selection. e.g. if you attempt to pass a bsh scripted object as a method
argument where the method signature calls for an interface an automatic
cast to the appropriate interface type will be attempted.
        Added a magic method invoke(method,args) which can be used to
handle method invocations on undefined interface methods in bsh objects.
This takes the place of "dummy" adapters; allowing a script to ignore
one or more methods of an interface that it is implementing. Note: one
special case - direct invocations within scope (e.g. command
invocations) are not currently sent to invoke.
    Added startup file (.rc file) support. Bsh will source the file
"user.home"/.bshrc upon startup. This defaults to C:\Windows under win98
and $HOME under Unix. (can the home be set with an env var under Win?
"home" doesn't seem to do it).
    Added arguments to file invocation on command line. e.g.

     java bsh.Interpreter MyClass foo bar

    Args are accessible through the root bsh object: String [] bsh.args
    Enhancements to JConsole submitted by Daniel Leuck; Added color and
image support, fixed several bugs.
    Added support for inner classes. This should all work as expected,
but it's new so let me know if you find weirdness.
        Added support for inner classes to import statement.
    Changed the way eval()/source() handle script errors. Instead of
returning the error object as a value it is now wrapped up with some
context and rethrown as an EvalError. So you can simply catch the error
with a normal try/catch block if you want to. Previously errors in
sourced/eval'd files were being squelched. This was bad. Note:
exceptions generated by the script or through code called by the script
are thrown as TargetErrors (a subclass of EvalError) which can also be
caught and examined.
    Improved error reporting in many areas. Fixed really annoying error
reporting bug that squelched target error info in sourced files (and
    Improved bsh cast operation so that it throws standard
ClassCastException for invalid cast. You can now guard against them with
the ordinary try/catch in a bsh script.
    Modified the command line portion of the grammar to accept arbitrary
expressions. e.g. you can type ``5*2;'' or ``foo instanceof Foo;'' on
the command line now without any enclosing parens. (Of course you won't
see anything unless you're using the show() option).
    Removed the old AWT version of the GUI console. If you need it you
can get it on the web site separately. I may reconsider this.
    Removed the console() command which was primarily for the old AWT
    Modified the browseClass() command to take an object instead of a
string class name. Now you can simple say browseClass( someObject ) and
pop up the class browser to the correct place. Special hack: If the
specified object is a Class it will use the class. This will all
probably be replaced by a general browse() method for the upcoming
object inspector.
    Changed the return type of the frame() command to allow it to return
an internal frame when desktop is active. Frame will now do the correct
thing whether the desktop is up or not.
    Rebuilt the distribution with JavaCC / JJTree version 1.1. Haven't
notice any difference yet.
    Fixed the 'for' scoping bug - See docs on for scoping for
clarification. Previously variables declared within the for-init section
were leaking out into the outer namespace.
    Fixed a bug in which tokenizer errors would cause the interpreter to
hang or exit. They are now handled like other parsing errors. In the
future we may want to break them out so that they can be handled
separately from EvalError.
    Added missing += form of string concatenation.
    Incorporated a patch and test suite case from Roger Bolsius that
corrects some of the package / hidden reflected class access. Previously
the code did not handle the more difficult cases.
    Incorporated a patch from Mike Woolley which works around JDK bug
4071281 (EOF problem) under Windows JDK v1.1.
    Fixed most of the bugs in server mode. Run the server pair (httpd /
sessiond) using the server( port ) command. Then you can telnet to
port+1 or attach your web browser to port. Note that the web browser
must support swing to run the remote JConsole. We could supply the
AWTConsole back for compatability with old browsers... but I'd like to
move on.
    Internal trivia - changed the prefix of the names of all of the
parser node classes from AST to BSH.
    Fixed a bug which caused ClassCastException during (ironically) a
bsh cast operation.
    Improved the test harness slightly and added a number of new files
to the test suite for all of the new features. Please send more test
cases for the test suite!
    Internal change: Simplified the code that determines array base
    Fixed bug where special characters on input (e.g. control charcters
^D) would cause the tokenizer to loop on errors. Non printable chars are
now skipped as white space.
    Added the missing do-while statement
    Internal: Tightened up the code a bit by combining the BSH node
conditional evaluation into one place.
    Fixed some race conditions in the JConsole. Fixed multi-writer
console problems.
    Fixed order of evaluation bugs: classes now always first, then bsh
vars. Note: this may not always be desireable. e.g. if you have a class
named "x" in your path (violating the common naming conventions) then
you can't use a variable of name 'x' in your scripts. Conversely though,
it prevents one from doing "Integer = 5;" and shadowing the
java.lang.Integer class with a variable name. Any thoughts on this?
    Corrected handling of the bsh root object.
    Added a menu item to console to redirect stdin/stdout/stderr. If you
close the console they are restored to the original,out,err.

@stain stain released this Feb 5, 2016

BeanShell 2.0b6 is a security update that is functionally equivalent to the previous version 2.0b5.

No other functionality has changed since 2.0b5, but this is a recommended update for all BeanShell users, as it fixes a remote code execution vulnerability.

Security fix (CVE-2016-2510)

This release fixes a remote code execution vulnerability that was identified in BeanShell by Alvaro Muñoz and Christian Schneider. The BeanShell team would like to thank them for their help and contributions to this fix!

An application that includes BeanShell on the classpath may be vulnerable if another part of the application uses Java serialization or XStream to deserialize data from an untrusted source.

A vulnerable application could be exploited for remote code execution, including executing arbitrary shell commands.

This update fixes the vulnerability in BeanShell, but it is worth noting that applications doing such deserialization might still be insecure through other libraries. It is recommended that application developers take further measures such as using a restricted class loader when deserializing. See notes on Java serialization security, XStream security and How to secure deserialization from untrusted input without using encryption or sealing.

A MITRE CVE number has been reserved: CVE-2016-2510


BeanShell is licensed under the Apache License, version 2.0. See the file LICENSE for details, and the NOTICE file for required attributions.


SHA1 checksums for this release:

fb418f9b33a0b951e9a2978b4b6ee93b2707e72f  bsh-2.0b6.jar
275c867ca3aabc509d0a58ddf0bbd184bdcd38c8  bsh-bsf-2.0b6.jar
4b06123a1ef1bd4902a0f98e726d031e464a624f  bsh-classgen-2.0b6.jar
43f16d2f87254bf1c070f59be3bf87eeaf586f5b  bsh-classpath-2.0b6.jar
89e20b12ef604103a4b8b7854ece29659ea34103  bsh-commands-2.0b6.jar
67504d1544d29e17fa3e81b08fe045296264f48f  bsh-core-2.0b6.jar
aaae80a54fe32c7c5cb616b5d577890fb8d9cbe6  bsh-engine-2.0b6.jar
b7586bb3a7e2adfe1b6090625a886da8bd252369  bsh-reflect-2.0b6.jar
ede153857e4438b092c69db93c9c07cd4071cf1d  bsh-util-2.0b6.jar
ef6b86a126ae192d8639af6f5b3dbe5d4c6d7dde  bsh-2.0b6.pom


a39321a99a8a619a48b65752f6ee6b8f11d3b28ebb051082ec70a70a0d5041e83d144378df191929e3d6562bd5ee4c4f1ccadb0ba42055529d18800a41d8ae18  bsh-2.0b6.jar
fbbff46b0248fa668e32cf42214e7e66d4fe2ad6bc29834a769e933c855461dc5fa8ff34a0c7f8551d1fd216f9321949fdf98a7e5f0ea31237201dcfdb8bc4a4  bsh-bsf-2.0b6.jar
670fdf60ea81d6ed82aea235b9bb34b699ba8bcf24bdff84de7b8428759aecbac21685057688808fe5c88bddcd6a11269a3c4208ea3b518957f9abfe876530f2  bsh-classgen-2.0b6.jar
d7eeeab6287c4473ec8ea6bdef7c5fe4b688e6065f04b6921335ffed6e85a05a4ac82846fbfec55714c33e28cbe488e610f7eb7eb4629843f597af00b0375380  bsh-classpath-2.0b6.jar
59ac6b109aa38c68094e720f6c44bc0b286d06085cfcdc67fda093dc2afdce286689d618c3010a312b428d57941255e2607dd097f718d848c6249c3c79c7b774  bsh-commands-2.0b6.jar
cba855e8dacc2322d25dc153639afcf3c14dc4428797add76847868c3e73f0accc5ed68f95af4ac2b42084474bdabc4944f79297060c7636154fa07ceff33cc3  bsh-core-2.0b6.jar
a4abf59778dc10230acf89cb0e3b395fedbc3998392ab3278de158f0881c98e08aa48286d0241f897cc1c17fbdd0b656c0f98ee36d1e736a31c5c2106470daf9  bsh-engine-2.0b6.jar
f99ea38314eb5c9834abbc3e7134e4b770b87fee7b4827dd50635907eee0cd3df0e80a526280699848a5f0dcb23bc715818164d466f199b04167aed86e823864  bsh-reflect-2.0b6.jar
d758c743632d659e97d21773d97b0da22906ae29ab10792ec7a7969a0bc532f500caeeb23c1dba786b84c4b8d22946e00dbb500c41d346d85de333564f77d8fc  bsh-util-2.0b6.jar
52f4d03510691259ee13799726ee18b31255dbfdef1b46ff3b82e7fc065021d0b391772804b201380366c2cbd23392f6ec1ba50d9d5cf15c9becaae331fba1c6  bsh-2.0b6.pom

This release is also distributed to Maven Central. Usage:


Alternatively you can use
our BinTray Maven repository or

<!-- just beanshell -->
<!-- or use JCenter -->

User interface

To execute the Beanshell user interface, either double-click the JAR file, or run it with:

java -jar bsh-2.0b6.jar 

You will need Java 5 or later installed. Note that there is a bug (#4) which may cause a hang, preventing the user interface from running with Java 8.

Assets 16
Nov 7, 2014
Fix issue-8: warning: [deprecation] toURL() in File has been deprecated.
Fix warning by prepending toURI(). to occurences of toURL().

git-svn-id: 934af587-6f8e-29cc-0aa7-85b2284b99e2