
How do I get Java classes added to the allowlist in Identity Cloud for scripting purposes?

Last updated Feb 14, 2023

The purpose of this article is to provide information on getting Java® classes added to the allowlist in ForgeRock Identity Cloud for scripting purposes. This allowlist applies to access management scripts in Identity Cloud, such as the OIDC claims script or a script used by the Scripted Decision node.



Overview

Identity Cloud has an allowlist that controls which Java classes can be used in access management scripts. This includes scripts such as the OIDC claims script or a script used by the Scripted Decision node.

The allowlist is maintained by ForgeRock to ensure that added Java classes are supported and do not introduce security vulnerabilities or cause other impacts.

If required, you can request that classes be added to the allowlist by raising a ticket on Backstage. Use the Identity Cloud: Config Request ticket type and select Add classes to scripting allowlist.

Note

All requests are reviewed by ForgeRock to ensure they are suitable and do not pose a security risk.

You should review the information in this article before requesting that classes be added to the allowlist, to reduce the chance of your request being denied.

Review the following before requesting that classes be added to the allowlist:

Viewing existing allowlist

You can view the allowlist for a particular script type to check which classes have already been included using REST.

Use the following REST call:

$ curl 'https://<tenant-env-fqdn>/am/json/global-config/services/scripting/contexts/<script-type>/engineConfiguration' \
  --header 'authorization: Bearer <access-token>'

Where:

  • <tenant-env-fqdn> is the fully qualified domain name of your Identity Cloud tenant environment.
  • <script-type> is one of the following types depending on what script you are working on:
    • authentication_tree_decision_node
    • oauth2_access_token_modification
    • oauth2_may_act
    • oauth2_validate_scope
    • oidc_claims
    • policy_condition
    • social_idp_profile_transformation
  • <access-token> is the access token you obtained when you authenticated to the Identity Cloud REST API. See Authenticate to Identity Cloud REST API with access token for further information.

Example response, where the whiteList field shows all the classes currently on the allowlist and the blackList field shows the classes on the denylist:

{
  "_id": "engineConfiguration",
  "_rev": "-733065873",
  "propertyNamePrefix": "esv.",
  "serverTimeout": 0,
  "useSecurityManager": true,
  "maxThreads": 50,
  "coreThreads": 10,
  "whiteList": [
    "com.google.common.collect.ImmutableList",
    "..."
  ],
  "idleTimeout": 60,
  "queueSize": 10,
  "blackList": [
    "java.lang.Class",
    "..."
  ],
  "_type": {
    "_id": "engineConfiguration",
    "name": "Scripting engine configuration",
    "collection": false
  }
}
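The following script is an added example (not ForgeRock's code) that does the pre-check this section describes before you raise a ticket: it builds the engineConfiguration URL for a script type, and then checks a list of classes your script needs against the whiteList and blackList fields, so that you do not request a class that is already allowed, already denied, a wildcard package, or covered by one of the preferred ForgeRock alternatives listed later in this article. The embedded engineConfiguration is a constructed sample (a real whiteList is far longer), the tenant hostname is hypothetical, and two rules are assumptions to verify against your tenant: a trailing ".*" entry matches every class under that package, and a denylist match takes precedence over an allowlist match.

```python
"""Pre-check Java classes against an Identity Cloud scripting engine
configuration before raising an allowlist request.

Added example; not ForgeRock code. Assumptions (also labelled below): the
embedded engineConfiguration is a constructed sample, a trailing ".*" entry
matches every class under that package, and a denylist match takes
precedence over an allowlist match.
"""
import json
import urllib.request

# Script types accepted in the REST path (from the article).
SCRIPT_TYPES = (
    "authentication_tree_decision_node",
    "oauth2_access_token_modification",
    "oauth2_may_act",
    "oauth2_validate_scope",
    "oidc_claims",
    "policy_condition",
    "social_idp_profile_transformation",
)

# Classes already covered by an allowlisted ForgeRock alternative (from the article).
PREFERRED = {
    "java.security.SecureRandom": "org.forgerock.openam.shared.security.ThreadLocalSecureRandom",
    "java.util.Base64": "org.forgerock.util.encode.Base64",
    "java.util.Base64$Decoder": "org.forgerock.util.encode.Base64",
    "java.util.Base64$Encoder": "org.forgerock.util.encode.Base64",
}

# Constructed sample response (assumption); a real whiteList is much longer.
SAMPLE_CONFIG = json.loads("""{
  "_id": "engineConfiguration",
  "useSecurityManager": true,
  "whiteList": [
    "com.google.common.collect.ImmutableList",
    "org.forgerock.openam.shared.security.ThreadLocalSecureRandom",
    "org.forgerock.util.encode.Base64",
    "java.lang.String"
  ],
  "blackList": [
    "java.lang.Class",
    "java.lang.invoke.*",
    "java.lang.reflect.*",
    "java.lang.Thread",
    "java.security.AccessController"
  ]
}""")


def engine_config_url(tenant_env_fqdn: str, script_type: str) -> str:
    """Build the engineConfiguration URL for one script type."""
    if script_type not in SCRIPT_TYPES:
        raise ValueError(f"unknown script type: {script_type}")
    return (f"https://{tenant_env_fqdn}/am/json/global-config/services/"
            f"scripting/contexts/{script_type}/engineConfiguration")


def fetch_engine_config(tenant_env_fqdn: str, script_type: str, access_token: str) -> dict:
    """Perform the REST call from the article (needs network; not called here)."""
    req = urllib.request.Request(
        engine_config_url(tenant_env_fqdn, script_type),
        headers={"Authorization": f"Bearer {access_token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def entry_matches(entry: str, class_name: str) -> bool:
    """Exact match, or a trailing '.*' wildcard covering the whole package
    (assumption about how wildcard entries are evaluated)."""
    if entry.endswith(".*"):
        return class_name.startswith(entry[:-1])
    return entry == class_name


def classify(config: dict, class_name: str) -> tuple:
    """Return (status, matching entries). Denylist wins (assumption)."""
    denied = [e for e in config.get("blackList", []) if entry_matches(e, class_name)]
    if denied:
        return "denied", denied
    allowed = [e for e in config.get("whiteList", []) if entry_matches(e, class_name)]
    if allowed:
        return "allowed", allowed
    return "not-listed", []


def plan_request(config: dict, wanted: list) -> dict:
    """Split the classes a script needs into: already allowed, denied (do not
    re-request), covered by a preferred alternative, wildcard packages (never
    added), and classes worth putting in the ticket."""
    plan = {"allowed": [], "denied": [], "use_instead": [], "wildcard": [], "request": []}
    for name in wanted:
        status, _ = classify(config, name)
        if status == "allowed":
            plan["allowed"].append(name)
        elif status == "denied":
            plan["denied"].append(name)
        elif name in PREFERRED:
            plan["use_instead"].append(f"{name} -> {PREFERRED[name]}")
        elif name.endswith(".*"):
            plan["wildcard"].append(name)
        else:
            plan["request"].append(name)
    return plan


if __name__ == "__main__":
    needed = ["java.lang.String", "java.util.Base64$Decoder",
              "java.lang.reflect.Method", "java.time.Instant", "java.util.*"]
    # Hypothetical tenant hostname; replace with your own <tenant-env-fqdn>.
    print(engine_config_url("openam-example.forgeblocks.com", "oidc_claims"))
    for bucket, names in plan_request(SAMPLE_CONFIG, needed).items():
        print(f"{bucket:12s} {names}")
```

To run it against a live tenant, replace SAMPLE_CONFIG with the result of fetch_engine_config() for the script type you are working on; inner classes such as java.util.Base64$Decoder are matched by their exact binary name, so request them by that name if they are not covered by a preferred alternative.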

Guidelines for acceptable classes

Classes will be considered for addition if they:

  • Provide some utility function that is not easily accomplished directly in JavaScript® without pulling in external libraries.
  • Provide functionality that is not already exposed by another class on the allowlist. Review Preferred alternative classes for examples.
  • Are requested by a specific class name.
  • Have broad appeal (classes that are only useful in limited cases are less likely to be added).

Classes will not be added to the allowlist if they:

  • Expose singletons, I/O objects, system secrets, caches and so on.
  • Allow indirect reflection by the caller.
  • Are not usable without further additions to the allowlist - unless those additions are included in the same request.
  • Are wildcard packages. We will only consider adding explicit classes.

Preferred alternative classes

If you require any classes from the Required Class column, you should consider using the Preferred Class instead, which has already been reviewed and included in the allowlist:

Required Class                Preferred Class
java.security.SecureRandom    org.forgerock.openam.shared.security.ThreadLocalSecureRandom
java.util.Base64              org.forgerock.util.encode.Base64
java.util.Base64$Decoder      org.forgerock.util.encode.Base64
java.util.Base64$Encoder      org.forgerock.util.encode.Base64

Unacceptable classes

The following classes have already been reviewed and deemed unsuitable, so they should not be re-requested:

  • java.lang.Class
  • java.lang.invoke.*
  • java.lang.reflect.*
  • java.lang.Thread
  • java.security.AccessController

You can view the denylist for a particular script type using the same REST call detailed in the Viewing existing allowlist section and just look for the blackList field instead.

See Also

Access to Java class is prohibited error with scripts running in Identity Cloud and AM (All versions)


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.