Access to Java class is prohibited error with scripts running in Identity Cloud and AM (All versions)
The purpose of this article is to provide assistance if you encounter a "java.lang.SecurityException: Access to Java class "class.name" is prohibited" error when using functionality that is based on a script in ForgeRock Identity Cloud or AM. This issue might occur when validating or processing a script such as an OIDC claims script, a script used by the Scripted Decision node or a policy condition script.
Symptoms
You will see an error similar to the following in your Identity Cloud debug logs when executing the script:
"payload": { "context":"default", "exception":"java.util.concurrent.ExecutionException: javax.script.ScriptException: javax.script.ScriptException: java.lang.SecurityException: Access to Java class \"<class.name>\" is prohibited.\n \tat java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122)\n \tat java.base/java.util.concurrent.FutureTask.get(FutureTask.java:191)\n \tat org.forgerock.openam.scripting.ThreadPoolScriptEvaluator.evaluateScript(ThreadPoolScriptEvaluator.java:89)\n \tat org.forgerock.openam.scripting.application.ScriptEvaluationHelper.evaluateScript(ScriptEvaluationHelper.java:48)\n \tat org.forgerock.oauth2.core.plugins.scripted.ScriptedUserInfoClaimsPlugin.getUserInfoClaims(ScriptedUserInfoClaimsPlugin.java:207)\n \tat org.forgerock.oauth2.core.plugins.scripted.ScriptedUserInfoClaimsPlugin.getUserInfo(ScriptedUserInfoClaimsPlugin.java:158)\n \tat org.forgerock.oauth2.core.RealmOAuth2ProviderSettings.getUserInfo(RealmOAuth2ProviderSettings.java:584)\n \tat ...
You will see errors similar to the following in your AM debug logs when executing the script:
Caused by: java.util.concurrent.ExecutionException: javax.script.ScriptException: javax.script.ScriptException: java.lang.SecurityException: Access to Java class \"<class.name>\" is prohibited.
Caused by: java.lang.SecurityException: Access to Java class "<class.name>" is prohibited.
Recent Changes
Created or updated a script.
Added a Scripted Decision node to an authentication journey or tree.
Causes
The specified Java® class is not in the allowlist, which means it cannot be invoked by the script.
Solution
This issue can be resolved as follows depending on whether you are using Identity Cloud or AM:
Identity Cloud
- Review How do I get Java classes added to the allowlist in Identity Cloud for scripting purposes? for guidance around adding Java classes to the allowlist.
- Raise a ticket via Backstage to request the missing Java class is added to the Java class allowlist. Use the Identity Cloud: Config Request ticket type and select Add classes to scripting allowlist.
AM
Add the specified Java class to the allowlist using either the AM admin UI or ssoadm:
- AM admin UI
Navigate to: Configure > Global Services > Scripting > Secondary Configurations > [Script Type] > Secondary Configurations > EngineConfiguration and add the missing Java class to the Java class whitelist field.
- ssoadm:
- Run the following command to create a data file (called DATA_FILE to match the next command), which is populated with the current whiteList property values to ensure you don't lose any existing entries:
$ ./ssoadm get-sub-cfg -s ScriptingService -g [scriptType] -u [adminID] -f [passwordfile] | grep whiteList > DATA_FILE
replacing [scriptType], [adminID] and [passwordfile] with appropriate values, where [scriptType] must equal one of the following depending on your script type:
Script Type | -g value |
---|---|
Client-side Authentication | AUTHENTICATION_CLIENT_SIDE/engineConfiguration |
Server-side Authentication | AUTHENTICATION_SERVER_SIDE/engineConfiguration |
Authentication journeys/trees (scripts used by Scripted Decision nodes) | AUTHENTICATION_TREE_DECISION_NODE/engineConfiguration |
Policy Condition | POLICY_CONDITION/engineConfiguration |
OIDC Claims | OIDC_CLAIMS/engineConfiguration |
OAuth 2.0 Access Tokens | OAUTH2_ACCESS_TOKEN_MODIFICATION/engineConfiguration |
- Update the data file you just created by adding the required whiteList values at the end in the same format as the rest of the file (whiteList=java.class).
- Run the following command to update the whiteList property values:
$ ./ssoadm set-sub-cfg -s ScriptingService -g [scriptType] -u [adminID] -f [passwordfile] -o add -D DATA_FILE
replacing [scriptType], [adminID] and [passwordfile] with appropriate values, where [scriptType] must match the value you used in step 1.
- ssoadm example
If you encounter an "Access to Java class "groovy.json.internal.LazyMap" is prohibited" error message when validating a policy using a policy condition script, you can resolve it as follows:
- Retrieve the current whiteList settings for the Policy Condition script type and save them to a file using the following ssoadm command:
- AM 7 and later: $ ./ssoadm get-sub-cfg -s ScriptingService -g POLICY_CONDITION/engineConfiguration -u uid=amAdmin,ou=People,dc=am,dc=forgerock,dc=org -f pwd.txt | grep whiteList > allowlist.txt
- AM 6.x: $ ./ssoadm get-sub-cfg -s ScriptingService -g POLICY_CONDITION/engineConfiguration -u amadmin -f pwd.txt | grep whiteList > allowlist.txt
- Verify that the whiteList attributes have been saved to the file, for example:
$ cat allowlist.txt
Example Response:
whiteList=java.lang.Float
whiteList=java.util.HashMap$KeyIterator
whiteList=com.sun.identity.shared.debug.Debug
whiteList=java.lang.Double
whiteList=org.forgerock.openam.scripting.api.http.JavaScriptHttpClient
...
- Add the missing Java class to the text file, for example: $ echo whiteList=groovy.json.internal.LazyMap >> allowlist.txt
- Verify that the new whiteList attribute has been added to this file, for example:
$ cat allowlist.txt
Example Response:
whiteList=java.lang.Float
whiteList=java.util.HashMap$KeyIterator
whiteList=com.sun.identity.shared.debug.Debug
whiteList=java.lang.Double
whiteList=org.forgerock.openam.scripting.api.http.JavaScriptHttpClient
...
whiteList=groovy.json.internal.LazyMap
- Update the whiteList property values with the ones in the file using the following ssoadm command:
- AM 7 and later: $ ./ssoadm set-sub-cfg -s ScriptingService -g POLICY_CONDITION/engineConfiguration -u uid=amAdmin,ou=People,dc=am,dc=forgerock,dc=org -f pwd.txt -o set -D allowlist.txt
- AM 6.x: $ ./ssoadm set-sub-cfg -s ScriptingService -g POLICY_CONDITION/engineConfiguration -u amadmin -f pwd.txt -o set -D allowlist.txt
- Check that the whiteList settings (including the new Java class) have been applied successfully using the following ssoadm command:
- AM 7 and later: $ ./ssoadm get-sub-cfg -s ScriptingService -g POLICY_CONDITION/engineConfiguration -u uid=amAdmin,ou=People,dc=am,dc=forgerock,dc=org -f pwd.txt
- AM 6.x: $ ./ssoadm get-sub-cfg -s ScriptingService -g POLICY_CONDITION/engineConfiguration -u amadmin -f pwd.txt
Example Response:
queueSize=10
i18nKey=engine-configuration
useSecurityManager=true
idleTimeout=60
blackList=java.lang.Class
blackList=java.security.AccessController
blackList=java.lang.reflect.*
coreThreads=10
whiteList=java.lang.Float
whiteList=java.util.HashMap$KeyIterator
whiteList=com.sun.identity.shared.debug.Debug
whiteList=java.lang.Double
whiteList=org.forgerock.openam.scripting.api.http.JavaScriptHttpClient
...
whiteList=groovy.json.internal.LazyMap
maxThreads=50
serverTimeout=0
Sub Configuration ScriptingService was retrieved.
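The manual step between "save the current whiteList values to allowlist.txt" and "push the file back with set-sub-cfg" is where mistakes creep in: appending a class that is already present, mistyping the class name, or widening the allowlist with a wildcard instead of the single class that failed. The following POSIX shell helper, which is an added example and not part of the ForgeRock article or of ssoadm, pulls the class name out of the SecurityException message (both the plain and the backslash-escaped quote forms shown in the logs above), and appends exactly one whiteList= line for it to the data file, refusing duplicates and wildcard entries. It never calls ssoadm itself; the function and file names are assumptions for this example, and the allowlist lines it is run against are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the ForgeRock article): helper for the allowlist.txt data file
# that sits between the get-sub-cfg and set-sub-cfg steps above. ssoadm is not invoked.

# Extract the Java class name from an "Access to Java class "x.y.Z" is prohibited" message.
# Accepts both the plain quote form (AM debug log) and the \"...\" form (Identity Cloud JSON payload).
class_from_error() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Access to Java class \\\{0,1\}"\([^"\\]*\)\\\{0,1\}" is prohibited.*/\1/p' \
        | head -n 1
}

# Append whiteList=<class> to the data file unless that exact line is already present.
# Exit status: 0 appended, 1 already present (file untouched), 2 class name rejected.
add_allowlist_entry() {
    file=$1
    class=$2
    case $class in
        ''|*'*'*|*' '*) return 2 ;;   # reject empty names, whitespace and wildcards such as java.lang.*
    esac
    if grep -qxF "whiteList=$class" "$file"; then
        return 1
    fi
    printf 'whiteList=%s\n' "$class" >> "$file"
    return 0
}

# Usage: sh allowlist_helper.sh '<error message from the debug log>' allowlist.txt
# (hypothetical script name; run it after the get-sub-cfg step and before set-sub-cfg)
if [ "$#" -eq 2 ]; then
    cls=$(class_from_error "$1")
    [ -n "$cls" ] || { echo "no Java class name found in message" >&2; exit 2; }
    if add_allowlist_entry "$2" "$cls"; then
        echo "added whiteList=$cls to $2"
    else
        echo "whiteList=$cls not added (already present or rejected)" >&2
    fi
fi
```

Keeping the allowlist to the single class named in the exception, rather than a package wildcard, preserves the least-privilege intent of the scripting sandbox: the script gains access to the one class it needs and nothing else.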
See Also
How do I create a policy condition script in AM (All versions)?
How do I add logging to server-side scripts in AM 6.x?
How do I create a script in AM (All versions) using Amster?
Related Training
N/A
Related Issue Tracker IDs
N/A