AM 7.3.1

Security

AM scripting engines provide security features for ensuring that malicious Java classes are not directly called. The engines validate scripts by checking all directly-called Java classes against a configurable denylist and allowlist, and, optionally, against the JVM SecurityManager, if it is configured.

Allowlists and denylists contain class names that are allowed or denied execution respectively. Specify classes in allowlists and denylists by name or by using regular expressions.

Classes called by the script are checked against the allowlist first, and must match at least one pattern in the list. The denylist is applied after the allowlist, and classes matching any pattern are disallowed.

You can also configure the scripting engine to make an additional call to the JVM security manager for each class that is accessed. The security manager throws an exception if a class being called is not allowed to execute.

For more information on configuring script engine security, see Scripting.

Important Points About Script Engine Security

The following points should be considered when configuring the security settings within each script engine:

The scripting engine only validates directly accessible classes.

The security settings only apply to classes that the script directly accesses. If the script calls Foo.a() and then that method calls Bar.b(), the scripting engine will be unable to prevent it. You must consider the whole chain of accessible classes.

Access includes actions such as:

  • Importing or loading a class.

  • Accessing any instance of that class. For example, passed as a parameter to the script.

  • Calling a static method on that class.

  • Calling a method on an instance of that class.

  • Accessing a method or field that returns an instance of that class.
Potentially dangerous Java classes are denylisted by default.

All Java reflection classes (java.lang.Class, java.lang.reflect.*) are denylisted by default to avoid bypassing the security settings.

The java.security.AccessController class is also blacklisted by default to prevent access to the doPrivileged() methods.

You should not remove potentially dangerous Java classes from the Denylist.
The allowlists and denylists match class or package names only.

The allowlist and denylist patterns apply only to the exact class or package names involved. The script engine does not know anything about inheritance, so it is best to allowlist known, specific classes.

Copyright © 2010-2024 ForgeRock, all rights reserved.