How do I get Java classes added to the allowlist in Identity Cloud for scripting purposes?

Last updated Jun 16, 2022

The purpose of this article is to provide information on getting Java® classes added to the allowlist in ForgeRock Identity Cloud for scripting purposes. This includes scripts such as the OIDC claims script or a script used by the Scripted Decision node.


Overview

Identity Cloud has an allowlist that controls which Java classes can be used in scripts. This includes scripts such as the OIDC claims script or a script used by the Scripted Decision node.

The allowlist is maintained by ForgeRock to ensure added Java classes do not introduce security vulnerabilities or cause other impacts, and are supported.

If required, you can request that classes are added to the allowlist by raising a ticket on Backstage.

Note

All requests are reviewed by ForgeRock to ensure they are suitable and do not pose a security risk. Reviewing the information in this article before raising a request reduces the chance of it being denied.

You should review the following information before requesting that classes are added to the allowlist:

View existing allowlist

You can use REST to view the allowlist for a particular script type and check which classes are already included.

Use the following REST call:

$ curl 'https://<tenant_name>.forgeblocks.com/am/json/global-config/services/scripting/contexts/<script-type>/engineConfiguration' \
--header '<session-cookie-name>: <session-token>'

Where:

  • <tenant_name> is your Identity Cloud tenant name.
  • <script-type> is one of the following types depending on what script you are working on:
    • authentication_tree_decision_node
    • oauth2_access_token_modification
    • oauth2_may_act
    • oauth2_validate_scope
    • oidc_claims
    • policy_condition
    • social_idp_profile_transformation
  • <session-cookie-name> is the name of your tenant’s session cookie. See Server cookie & API log key for information on finding this.
  • <session-token> is the tenant administrator's session token. See Authenticate to Identity Cloud REST API with session token for further information.

Example response, where the whiteList field shows all the classes currently on the allowlist:

{
  "_id": "engineConfiguration",
  "_rev": "-733065873",
  "propertyNamePrefix": "esv.",
  "serverTimeout": 0,
  "useSecurityManager": true,
  "maxThreads": 50,
  "coreThreads": 10,
  "whiteList": [
    "com.google.common.collect.ImmutableList",
    "..."
  ],
  "idleTimeout": 60,
  "queueSize": 10,
  "blackList": [
    "java.lang.Class",
    "..."
  ],
  "_type": {
    "_id": "engineConfiguration",
    "name": "Scripting engine configuration",
    "collection": false
  }
}

Guidelines for acceptable classes

Classes will be considered for addition if they:

  • Provide some utility function that is not easily accomplished directly in JavaScript® without pulling in external libraries.
  • Provide functionality that is not already exposed by another class on the allowlist. Review Preferred alternative classes for examples.
  • Are requested by a specific class name.
  • Have broad appeal (classes that are only useful in limited cases are less likely to be added).

Classes will not be added to the allowlist if they:

  • Expose singletons, I/O objects, system secrets, caches and so on.
  • Allow indirect reflection by the caller.
  • Are not usable without further additions to the allowlist, unless those additions are included in the same request.
  • Are wildcard packages. We will only consider adding explicit classes.

Preferred alternative classes

If you require any classes from the Required Class column, you should consider using the Preferred Class instead, which has already been reviewed and included in the allowlist:

Required Class              Preferred Class
java.security.SecureRandom  org.forgerock.openam.shared.security.ThreadLocalSecureRandom
java.util.Base64            org.forgerock.util.encode.Base64
java.util.Base64$Decoder    org.forgerock.util.encode.Base64
java.util.Base64$Encoder    org.forgerock.util.encode.Base64

Unacceptable classes

The following classes have already been reviewed and deemed unsuitable, so they should not be re-requested:

  • java.lang.Class
  • java.lang.invoke.*
  • java.lang.reflect.*
  • java.lang.Thread
  • java.security.AccessController

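As an added example (not ForgeRock's code), the following Python pre-flight check builds the REST request shown above, parses an engineConfiguration response and applies this article's guidelines to the classes a script needs, so you only raise a Backstage ticket for classes that are not already allowed, rejected or replaceable. The SCRIPT_TYPES, PREFERRED and UNACCEPTABLE values are transcribed from this article; the SAMPLE response is constructed, not taken from a real tenant.

```python
import fnmatch
import json

# Script types accepted in the engineConfiguration URL, as listed in the article.
SCRIPT_TYPES = {"authentication_tree_decision_node", "oauth2_access_token_modification",
                "oauth2_may_act", "oauth2_validate_scope", "oidc_claims",
                "policy_condition", "social_idp_profile_transformation"}
# Preferred alternatives and already-rejected classes, from the article's lists.
PREFERRED = {"java.security.SecureRandom":
             "org.forgerock.openam.shared.security.ThreadLocalSecureRandom",
             "java.util.Base64": "org.forgerock.util.encode.Base64",
             "java.util.Base64$Decoder": "org.forgerock.util.encode.Base64",
             "java.util.Base64$Encoder": "org.forgerock.util.encode.Base64"}
UNACCEPTABLE = ["java.lang.Class", "java.lang.invoke.*", "java.lang.reflect.*",
                "java.lang.Thread", "java.security.AccessController"]

def build_request(tenant, script_type, cookie_name, token):
    """URL and header dict for the REST call shown in the article."""
    if script_type not in SCRIPT_TYPES:
        raise ValueError("unknown script type: " + script_type)
    url = ("https://%s.forgeblocks.com/am/json/global-config/services/"
           "scripting/contexts/%s/engineConfiguration" % (tenant, script_type))
    return url, {cookie_name: token}

def _matches(name, patterns):
    """Exact match, or a match under a 'pkg.*' wildcard entry."""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)

def classify(engine_config, requested):
    """Map each requested class name to the action to take before raising a ticket."""
    result = {}
    for name in requested:
        if _matches(name, engine_config["whiteList"]):
            result[name] = "allowed"
        elif _matches(name, engine_config["blackList"]) or _matches(name, UNACCEPTABLE):
            result[name] = "rejected: blocklisted or already reviewed as unsuitable"
        elif name.endswith(".*"):
            result[name] = "rejected: wildcard packages are not considered"
        elif name in PREFERRED:
            result[name] = "use " + PREFERRED[name]
        else:
            result[name] = "request via Backstage ticket"
    return result

# Constructed sample in the shape of the article's example response (not from a real tenant).
SAMPLE = json.loads('{"_id":"engineConfiguration","useSecurityManager":true,'
                    '"whiteList":["com.google.common.collect.ImmutableList",'
                    '"org.forgerock.util.encode.Base64"],"blackList":["java.lang.Class"]}')
print(classify(SAMPLE, ["java.util.Base64", "java.lang.reflect.Method",
                        "java.util.*", "java.time.Instant"]))
```

Replace SAMPLE with the JSON returned by the curl call for your tenant and script type to check a real allowlist.
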
See Also

Access to Java class is prohibited error with scripts running in Identity Cloud and AM (All versions)


Copyright and Trademarks Copyright © 2022 ForgeRock, all rights reserved.