How do I get Java classes added to the allowlist in Identity Cloud for scripting purposes?

Overview

Identity Cloud has an allowlist that controls which Java classes can be used in access management scripts. This includes scripts such as the OIDC claims script or a script used by the Scripted Decision node.

The allowlist is maintained by ForgeRock to ensure added Java classes do not introduce security vulnerabilities or cause other impacts, and are supported.

If required, you can request class(es) are added to the allowlist by raising a ticket on Backstage. Use the Identity Cloud: Config Request ticket type and select Add classes to scripting allowlist.

You should review the following information before requesting classes are added to the allowlist:

• View existing allowlist
• Guidelines for acceptable classes
• Preferred alternative classes you should use in your scripts
• Unacceptable classes

Viewing existing allowlist

You can view the allowlist for a particular script type to check which classes have already been included using REST.

Use the following REST call:$ curl 'https://<tenant-env-fqdn>/am/json/global-config/services/scripting/contexts/<script-type>/engineConfiguration' \ --header 'authorization: Bearer <access-token>'

Where:

• <tenant-env-fqdn> is your Identity Cloud tenant name.
• <script-type> is one of the following types depending on what script you are working on:
  • authentication_tree_decision_node
  • oauth2_access_token_modification
  • oauth2_may_act
  • oauth2_validate_scope
  • oidc_claims
  • policy_condition
  • social_idp_profile_transformation
• <access-token> is the access token you obtained when you authenticated to the Identity Cloud REST API. See Authenticate to Identity Cloud REST API with access token for further information.

Example response, where the whitelist field shows all the classes currently on the allowlist:{"_id":"engineConfiguration","_rev":"-733065873","propertyNamePrefix":"esv.","serverTimeout":0,"useSecurityManager":true,"maxThreads":50,"coreThreads":10,"whiteList":["com.google.common.collect.ImmutableList","..."],"idleTimeout":60,"queueSize":10,"blackList":["java.lang.Class","..."],"_type":{"_id":"engineConfiguration","name":"Scripting engine configuration","collection":false}}

Guidelines for acceptable classes

Classes will be considered for addition if they:

• Provide some utility function that is not easily accomplished directly in JavaScript® without pulling in external libraries.
• Provide functionality that is not already exposed by another class on the allowlist. Review Preferred alternative classes for examples.
• Are requested by a specific class name.
• Have broad appeal (classes that are only useful in limited cases are less likely to be added).

Classes will not be added to the allowlist if they:

• Expose singletons, I/O objects, system secrets, caches and so on.
• Allow indirect reflection by the caller.
• Are not usable without further additions to the allowlist - unless those additions are included in the same request.
• Are wildcard packages. We will only consider adding explicit classes.

Preferred alternative classes

If you require any classes from the Required Class column, you should consider using the Preferred Class instead, which has already been reviewed and included in the allowlist:

Unacceptable classes

The following classes have already been reviewed and deemed unsuitable, so they should not be re-requested:

• java.lang.Class
• java.lang.invoke.*
• java.lang.reflect.*
• java.lang.Thread
• java.security.AccessController

You can view the denylist for a particular script type using the same REST call detailed in the Viewing existing allowlist section and just look for the blackList field instead.

See Also

Access to Java class is prohibited error with scripts running in Identity Cloud and AM (All versions)