Scripting environment
Identity Cloud supports scripts written in JavaScript.
Access Java classes
Scripts can only import Java classes on the allowlist. Identity Cloud defines an allowlist per script type.
- Legacy scripts
To view the Java class allowlist, follow the instructions in Viewing existing allowlist.
To add a missing Java class to the allowlist, refer to How do I get Java classes added to the allowlist in Identity Cloud for scripting purposes? and Access to Java class is prohibited error with scripts running in Identity Cloud and AM (All versions).
To access Java classes in a script, use the JavaImporter:
// Import the allowlisted Java classes the script needs
var fr = JavaImporter(
    org.forgerock.openam.auth.node.api.Action,
    javax.security.auth.callback.NameCallback
);

if (callbacks.isEmpty()) {
    // First pass: send the callbacks to the user
    action = fr.Action.send(
        new fr.NameCallback("Enter Your First Name"),
        new fr.NameCallback("Enter Your Last Name")
    ).build();
} else {
    // Callbacks returned: store the values in shared state and continue
    nodeState.putShared("FirstName", callbacks.get(0).getName());
    nodeState.putShared("LastName", callbacks.get(1).getName());
    action = fr.Action.goTo("true").build();
}
To reduce the need to allowlist Java classes, consider migrating your scripts to the next-generation scripting engine, which provides enhanced built-in script bindings for many common script operations and lets you include third-party software through library scripts.
- Next-generation scripts
To enhance security, the next-generation scripting engine for decision node scripts doesn’t support a configurable allowlist for Java classes.
Instead, check whether the next-generation bindings provide the functionality you need, or implement it as a reusable library script.
For example, use the callbacksBuilder binding for callback functionality:
if (callbacks.isEmpty()) {
    // Request callbacks
    callbacksBuilder.nameCallback("First Name", "First Name");
    callbacksBuilder.nameCallback("Last Name", "Last Name");
} else {
    // Callbacks returned
    var firstName = callbacks.getNameCallbacks().get(0);
    var lastName = callbacks.getNameCallbacks().get(1);
    nodeState.putShared("FirstName", firstName);
    nodeState.putShared("LastName", lastName);
    action.goTo("true");
}
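Both snippets above (the legacy JavaImporter version and the next-generation callbacksBuilder version) write whatever the user typed straight into shared state. The following is an added example, not code from the Identity Cloud documentation, that keeps the next-generation two-pass flow but validates the returned names before they reach nodeState. Because it runs outside Identity Cloud, the real bindings (callbacks, callbacksBuilder, nodeState, action) are replaced by constructed stand-ins that mimic only the calls the page's snippet makes; the 64-character limit, the "false" outcome and the helper names cleanName, collectNames, makeBindings and runPass are assumptions for this example.

```javascript
// Added example, not from the Identity Cloud documentation: the next-generation
// decision-node flow shown above, with the returned names validated before they
// are written to shared state. The real bindings (callbacks, callbacksBuilder,
// nodeState, action) are replaced by constructed stand-ins that mimic only the
// calls the page's snippet makes, so the logic runs outside Identity Cloud.

var MAX_NAME_LENGTH = 64; // constructed limit for this example

// Return a trimmed name, or null if the value is missing, empty or too long.
function cleanName(raw) {
  if (typeof raw !== "string") {
    return null;
  }
  var name = raw.trim();
  if (name.length === 0 || name.length > MAX_NAME_LENGTH) {
    return null;
  }
  return name;
}

// The decision-node logic. "true" and "false" are assumed to be the node's
// configured outcomes; "true" is the outcome the page's snippet uses.
function collectNames(callbacks, callbacksBuilder, nodeState, action) {
  if (callbacks.isEmpty()) {
    // First pass: request both names, as in the snippet above.
    callbacksBuilder.nameCallback("First Name", "First Name");
    callbacksBuilder.nameCallback("Last Name", "Last Name");
    return;
  }
  // Second pass: the user has submitted the form.
  var names = callbacks.getNameCallbacks();
  var firstName = cleanName(names.get(0));
  var lastName = cleanName(names.get(1));
  if (firstName === null || lastName === null) {
    // Reject invalid input without storing anything in shared state.
    action.goTo("false");
    return;
  }
  nodeState.putShared("FirstName", firstName);
  nodeState.putShared("LastName", lastName);
  action.goTo("true");
}

// Constructed stand-ins for the script bindings. returnedNames is undefined
// on the first pass and an array of submitted strings on the second.
function makeBindings(returnedNames) {
  var state = { requested: [], shared: {}, outcome: null };
  return {
    callbacks: {
      isEmpty: function () { return returnedNames === undefined; },
      getNameCallbacks: function () {
        return { get: function (i) { return returnedNames[i]; } };
      }
    },
    callbacksBuilder: {
      nameCallback: function (prompt, defaultName) { state.requested.push(prompt); }
    },
    nodeState: {
      putShared: function (key, value) { state.shared[key] = value; }
    },
    action: {
      goTo: function (outcome) { state.outcome = outcome; }
    },
    state: state // inspection only; not part of the real bindings
  };
}

// Run one pass of the node with the given submitted values and report what
// the script requested, stored and selected.
function runPass(returnedNames) {
  var b = makeBindings(returnedNames);
  collectNames(b.callbacks, b.callbacksBuilder, b.nodeState, b.action);
  return b.state;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runPass(undefined)));
  console.log(JSON.stringify(runPass(["  Ada ", "Lovelace"])));
  console.log(JSON.stringify(runPass(["", "Lovelace"])));
}
```

The script body is written in ES5 style (var and function expressions) so that it stays within what the Rhino engine described below supports; the stand-in bindings exist only to drive the two passes and inspect the result, and would be dropped when the collectNames body is pasted into a real scripted decision node.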
For information about next-generation bindings and library scripts, refer to:
In cases where reimplementation isn’t possible, you can request the functionality to be included as a secure script binding in a future release.
Supported libraries
Identity Cloud uses the Mozilla Rhino JavaScript engine version 1.7.14 to run JavaScript. Rhino has limited support for ES6 / ES2015 (JavaScript version 1.7).
For more information, refer to Rhino ES2015 Support.
Thread pools
The scripting engine defines a thread pool for each script type.
Each script executes in an individual thread. The scripting engine allocates threads until it reaches a maximum of 50 threads per pool. When the scripting engine reaches the maximum number of threads, it queues scripts until a thread becomes available.
When a script has either completed or remained idle for more than 60 seconds, the scripting engine terminates the thread and returns it to the pool.