How do I get Java classes added to the allowlist in Identity Cloud for scripting purposes?
The purpose of this article is to provide information on getting Java® classes added to the allowlist in ForgeRock Identity Cloud for scripting purposes. This allowlist is for access management scripts in Identity Cloud, which includes scripts such as the OIDC claims script or a script used by the Scripted Decision node.
Overview
Identity Cloud has an allowlist that controls which Java classes can be used in access management scripts. This includes scripts such as the OIDC claims script or a script used by the Scripted Decision node.
The allowlist is maintained by ForgeRock to ensure added Java classes do not introduce security vulnerabilities or cause other impacts, and are supported.
If required, you can request class(es) are added to the allowlist by raising a ticket on Backstage. Use the Identity Cloud: Config Request ticket type and select Add classes to scripting allowlist.
Note
All requests are reviewed by ForgeRock to ensure they are suitable and do not pose a security risk.
You should review the information in this article before requesting class(es) are added to the allowlist to reduce the chance of your request being denied.
You should review the following information before requesting classes are added to the allowlist:
- View existing allowlist
- Guidelines for acceptable classes
- Preferred alternative classes you should use in your scripts
- Unacceptable classes
Viewing existing allowlist
You can view the allowlist for a particular script type to check which classes have already been included using REST.
Use the following REST call:

```shell
$ curl 'https://<tenant-env-fqdn>/am/json/global-config/services/scripting/contexts/<script-type>/engineConfiguration' \
  --header 'authorization: Bearer <access-token>'
```

Where:

- <tenant-env-fqdn> is your Identity Cloud tenant name.
- <script-type> is one of the following types, depending on what script you are working on:
  - authentication_tree_decision_node
  - oauth2_access_token_modification
  - oauth2_may_act
  - oauth2_validate_scope
  - oidc_claims
  - policy_condition
  - social_idp_profile_transformation
- <access-token> is the access token you obtained when you authenticated to the Identity Cloud REST API. See Authenticate to Identity Cloud REST API with access token for further information.
Example response, where the whiteList field shows all the classes currently on the allowlist:

```json
{
  "_id": "engineConfiguration",
  "_rev": "-733065873",
  "propertyNamePrefix": "esv.",
  "serverTimeout": 0,
  "useSecurityManager": true,
  "maxThreads": 50,
  "coreThreads": 10,
  "whiteList": ["com.google.common.collect.ImmutableList", "..."],
  "idleTimeout": 60,
  "queueSize": 10,
  "blackList": ["java.lang.Class", "..."],
  "_type": {
    "_id": "engineConfiguration",
    "name": "Scripting engine configuration",
    "collection": false
  }
}
```
Guidelines for acceptable classes
Classes will be considered for addition if they:
- Provide some utility function that is not easily accomplished directly in JavaScript® without pulling in external libraries.
- Provide functionality that is not already exposed by another class on the allowlist. Review Preferred alternative classes for examples.
- Are requested by a specific class name.
- Have broad appeal (classes that are only useful in limited cases are less likely to be added).
Classes will not be added to the allowlist if they:
- Expose singletons, I/O objects, system secrets, caches and so on.
- Allow indirect reflection by the caller.
- Are not usable without further additions to the allowlist, unless those additions are included in the same request.
- Are wildcard packages. We will only consider adding explicit classes.
Preferred alternative classes
If you require any classes from the Required Class column, you should consider using the Preferred Class instead, which has already been reviewed and included in the allowlist:
| Required Class | Preferred Class |
|---|---|
| java.security.SecureRandom | org.forgerock.openam.shared.security.ThreadLocalSecureRandom |
| java.util.Base64 | org.forgerock.util.encode.Base64 |
| java.util.Base64$Decoder | org.forgerock.util.encode.Base64 |
| java.util.Base64$Encoder | org.forgerock.util.encode.Base64 |
Unacceptable classes
- java.lang.Class
- java.lang.invoke.*
- java.lang.reflect.*
- java.lang.Thread
- java.security.AccessController
You can view the denylist for a particular script type using the same REST call detailed in the Viewing existing allowlist section; just look for the blackList field instead.
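As an added example (this is not ForgeRock code and is not part of the article), the following Node.js script performs a pre-flight check before raising an allowlist ticket: it pulls the fully-qualified Java class names out of a script body, compares each one against the whiteList and blackList fields of an engineConfiguration response, and points at the preferred alternative from the table above where one exists, so that only classes that genuinely need a request end up in the ticket. The engineConfiguration object and the Scripted Decision node script body are constructed samples shaped like the article's response; the fetchEngineConfiguration helper (which only mirrors the curl command above and is not run offline), the class-name regular expression and the status labels are assumptions of this example.

```javascript
// Added example: pre-flight check of the Java classes an AM script references
// against the allowlist/denylist returned by the engineConfiguration REST call.
// Not ForgeRock code. Node.js 18+ if you use the optional fetch helper.

// Constructed sample, shaped like the engineConfiguration response in the article
// (only the fields this check uses are populated).
const sampleEngineConfiguration = {
  _id: "engineConfiguration",
  whiteList: [
    "com.google.common.collect.ImmutableList",
    "org.forgerock.openam.shared.security.ThreadLocalSecureRandom",
    "org.forgerock.util.encode.Base64",
    "java.lang.String",
  ],
  blackList: [
    "java.lang.Class",
    "java.lang.invoke.*",
    "java.lang.reflect.*",
    "java.lang.Thread",
    "java.security.AccessController",
  ],
};

// Preferred alternatives, taken from the article's table.
const PREFERRED = {
  "java.security.SecureRandom": "org.forgerock.openam.shared.security.ThreadLocalSecureRandom",
  "java.util.Base64": "org.forgerock.util.encode.Base64",
  "java.util.Base64$Decoder": "org.forgerock.util.encode.Base64",
  "java.util.Base64$Encoder": "org.forgerock.util.encode.Base64",
};

// Fetch the live configuration (mirrors the curl command in the article).
// Assumed helper of this example; it needs network access and is not exercised offline.
async function fetchEngineConfiguration(tenantEnvFqdn, scriptType, accessToken) {
  const url = `https://${tenantEnvFqdn}/am/json/global-config/services/scripting/contexts/${scriptType}/engineConfiguration`;
  const res = await fetch(url, { headers: { authorization: `Bearer ${accessToken}` } });
  if (!res.ok) throw new Error(`engineConfiguration request failed: HTTP ${res.status}`);
  return res.json();
}

// An allow/deny entry is either an explicit class name or a trailing-wildcard
// package such as "java.lang.reflect.*" (the denylist in the article uses these).
function entryMatches(entry, className) {
  if (entry.endsWith(".*")) return className.startsWith(entry.slice(0, -1));
  return entry === className;
}

// Denylist wins over allowlist; otherwise suggest the preferred class where one exists.
function classifyClass(className, engineConfig) {
  if (engineConfig.blackList.some((e) => entryMatches(e, className))) {
    return { className, status: "denied" };
  }
  if (engineConfig.whiteList.some((e) => entryMatches(e, className))) {
    return { className, status: "allowed" };
  }
  if (PREFERRED[className]) {
    return { className, status: "use-preferred", preferred: PREFERRED[className] };
  }
  return { className, status: "request-needed" };
}

// Pull fully-qualified Java class names out of a script body. Assumption of this
// example: classes appear as dotted names whose last segment starts with a capital
// letter (java.util.Base64), which is how the scripts reference them.
function extractJavaClassRefs(scriptSource) {
  const re = /\b((?:java|javax|org|com)(?:\.[a-z][a-z0-9_]*)+\.[A-Z][A-Za-z0-9_$]*)/g;
  const found = new Set();
  let m;
  while ((m = re.exec(scriptSource)) !== null) found.add(m[1]);
  return [...found];
}

function preflightCheck(scriptSource, engineConfig) {
  return extractJavaClassRefs(scriptSource).map((c) => classifyClass(c, engineConfig));
}

// The classes that would go into an "Add classes to scripting allowlist" ticket.
function classesToRequest(results) {
  return results.filter((r) => r.status === "request-needed").map((r) => r.className);
}

// Constructed Scripted Decision node script body, used only to exercise the check.
const sampleScript = `
var rnd = new java.security.SecureRandom();
var enc = java.util.Base64.getEncoder();
var safeEnc = org.forgerock.util.encode.Base64.encode(bytes);
var items = com.google.common.collect.ImmutableList.of("a", "b");
var ttl = java.time.Duration.ofMinutes(5);
var arr = java.lang.reflect.Array.newInstance(java.lang.String, 2);
`;

console.log(JSON.stringify(preflightCheck(sampleScript, sampleEngineConfiguration), null, 2));
```

Against the constructed sample, the check reports the two classes covered by the table as "use-preferred" with their replacement, the reflection class as "denied" via the java.lang.reflect.* wildcard, and leaves only java.time.Duration as a class to name explicitly in the ticket. To run it against a real tenant, replace sampleEngineConfiguration with the result of fetchEngineConfiguration for the script type you are working on.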