Say I had a game engine that can import plugins to extend the game's code, and add new features. For servers to support the plugin, they need to have a copy and so does the user.
My question is, can downloading a jar from the web be a very easy break of security? I want to make it as easy as GMod, were you join a server and it downloads the mods. Although, those are lua scripts and are locked in a script layer.
I want to lock the jar in a vault where it can only access the game code, and no files except for a persistent save config. The game settings for example will be loaded into java and the file won't, so it can't mess with your settings either. Something like that...
The thought of downloading 5+ jars and running them makes me cringe, but the stuff modders can do with that is remarkable