
Access to Java class is prohibited error with scripts running in AM (All versions) and OpenAM 13.x

Last updated Jul 9, 2018

The purpose of this article is to provide assistance if you encounter a "javax.script.ScriptException: java.lang.SecurityException: Access to Java class "class.name" is prohibited" error when using script-based functionality in AM/OpenAM. This error can occur when validating or executing a server-side script, such as a policy condition script or an OIDC claims script.

Symptoms

Errors similar to the following are shown when executing your script:

Caused by: java.util.concurrent.ExecutionException: javax.script.ScriptException: javax.script.ScriptException: java.lang.SecurityException: Access to Java class "groovy.json.internal.LazyMap" is prohibited.
Caused by: java.util.concurrent.ExecutionException: javax.script.ScriptException: javax.script.ScriptException: java.lang.SecurityException: Access to Java class "com.sun.identity.idm.IdType" is prohibited.

Recent Changes

Created or updated a script.

Causes

Server-side scripts run inside the scripting engine's sandbox (useSecurityManager=true in the engine configuration), which only lets a script invoke Java® classes that appear on the Java class whitelist for that script type; the engine additionally keeps a blacklist of classes scripts may never use, such as java.lang.reflect.*. The class named in the error has not been added to the whitelist, so the script cannot invoke it.

Solution

This issue can be resolved by adding the specified Java class to the whitelist using either the console or ssoadm. The whitelist is the boundary of the script sandbox, so add only the exact class named in the error (not a package wildcard), and check that the class does not expose functionality the engine's blacklist is there to keep out of scripts, such as reflection or security internals.

  • AM / OpenAM 13.5 console: navigate to: Configure > Global Services > Scripting > Secondary Configurations > [Script Type] > Secondary Configurations > EngineConfiguration and add the missing Java class to the Java class whitelist field.
  • OpenAM 13.0 console: navigate to: Configuration > Global > Scripting > Secondary Configuration Instance > [Script Type] > Secondary Configuration Instance > Engine Configuration and add the missing Java class to the Java class whitelist field. 
  • ssoadm:
    1. Run the following command to create a data file (called DATA_FILE to match the next command), which is populated with the current whiteList property values to ensure you don't lose any existing changes:
      $ ./ssoadm get-sub-cfg -s ScriptingService -g [scriptType] -u [adminID] -f [passwordfile] | grep whiteList > DATA_FILE
      
      replacing [scriptType], [adminID] and [passwordfile] with appropriate values, where [scriptType] must equal one of the following depending on your script type:
      Script Type                  -g value
      Policy Condition             POLICY_CONDITION/engineConfiguration
      Server-side Authentication   AUTHENTICATION_SERVER_SIDE/engineConfiguration
      OIDC Claims                  OIDC_CLAIMS/engineConfiguration
    2. Update the data file you just created by adding the required whiteList values at the end in the same format as the rest of the file (whiteList=java.class).
    3. Run the following command to replace the whiteList property values with those in the data file:
      $ ./ssoadm set-sub-cfg -s ScriptingService -g [scriptType] -u [adminID] -f [passwordfile] -o set -D DATA_FILE
      replacing [scriptType], [adminID] and [passwordfile] with appropriate values, where [scriptType] must match the value you used in step 1. The -o set operation replaces all current whiteList values with the ones in the data file, which is why step 1 captured the existing values before adding the new one.

Example

If you received the "Access to Java class "groovy.json.internal.LazyMap" is prohibited" error message (shown in the Symptoms) when validating a policy using a policy condition script, you can resolve it as follows:

  1. Retrieve the current whiteList settings for the Policy Condition script type and save them to a file using the following ssoadm command:
    $ ./ssoadm get-sub-cfg -s ScriptingService -g POLICY_CONDITION/engineConfiguration -u amadmin -f pwd.txt | grep whiteList > whitelist.txt
    
  2. Verify that the whiteList attributes have been saved to the file, for example:
    $ cat whitelist.txt
    
    Example Response:
    whiteList=java.lang.Float
    whiteList=java.util.HashMap$KeyIterator
    whiteList=com.sun.identity.shared.debug.Debug
    whiteList=java.lang.Double
    whiteList=org.forgerock.openam.scripting.api.http.JavaScriptHttpClient 
    ...
    
  3. Add the missing Java class to the text file, for example:
    $ echo whiteList=groovy.json.internal.LazyMap >> whitelist.txt
    
  4. Verify that the new whiteList attribute has been added to this file, for example:
    $ cat whitelist.txt
    
    Example Response:
    whiteList=java.lang.Float
    whiteList=java.util.HashMap$KeyIterator
    whiteList=com.sun.identity.shared.debug.Debug
    whiteList=java.lang.Double
    whiteList=org.forgerock.openam.scripting.api.http.JavaScriptHttpClient 
    ...
    whiteList=groovy.json.internal.LazyMap
    
  5. Update the whiteList property values with the ones in the file using the following ssoadm command:
    $ ./ssoadm set-sub-cfg -s ScriptingService -g POLICY_CONDITION/engineConfiguration -u amadmin -f pwd.txt -o set -D whitelist.txt
    
  6. Check that the whiteList settings (including the new Java class) have been applied successfully using the following ssoadm command, then re-run the script that failed:
    $ ./ssoadm get-sub-cfg -s ScriptingService -g POLICY_CONDITION/engineConfiguration -u amadmin -f pwd.txt
    
    Example Response:
    queueSize=10 
    i18nKey=engine-configuration 
    useSecurityManager=true 
    idleTimeout=60 
    blackList=java.lang.Class 
    blackList=java.security.AccessController 
    blackList=java.lang.reflect.* 
    coreThreads=10 
    whiteList=java.lang.Float
    whiteList=java.util.HashMap$KeyIterator
    whiteList=com.sun.identity.shared.debug.Debug
    whiteList=java.lang.Double
    whiteList=org.forgerock.openam.scripting.api.http.JavaScriptHttpClient
    ...
    whiteList=groovy.json.internal.LazyMap
    maxThreads=50 
    serverTimeout=0 
    
    Sub Configuration ScriptingService was retrieved.
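The following shell script is an added example and is not part of the ForgeRock article. It wraps the ssoadm procedure from the Solution section and the worked Example above in a few functions, so that the whitelist change can be scripted, checked before it is applied, and verified afterwards. The SSOADM, ADMIN_ID and PASSWORD_FILE variables are assumed to be set by the caller, the sample get-sub-cfg output is constructed from the values shown above, and treating `*` in a blackList entry as a shell wildcard is an approximation of how AM matches class-name patterns, not something the article states.

```shell
#!/bin/sh
# Added example, not part of the ForgeRock article: wraps the ssoadm
# whiteList procedure above so that the decision logic can be checked
# offline.  Only fetch_cfg and whitelist_class touch ssoadm; the rest is
# plain text handling.  SSOADM, ADMIN_ID and PASSWORD_FILE are assumed
# to be set by the caller (e.g. SSOADM=/path/to/openam/bin/ssoadm).

# Constructed sample of "ssoadm get-sub-cfg ..." output for the
# POLICY_CONDITION engine configuration (values modelled on the article).
SAMPLE_CFG='queueSize=10
useSecurityManager=true
blackList=java.lang.Class
blackList=java.security.AccessController
blackList=java.lang.reflect.*
whiteList=java.lang.Float
whiteList=java.util.HashMap$KeyIterator
whiteList=com.sun.identity.shared.debug.Debug
whiteList=java.lang.Double
whiteList=org.forgerock.openam.scripting.api.http.JavaScriptHttpClient
maxThreads=50

Sub Configuration ScriptingService was retrieved.'

# Pull the class name out of an "Access to Java class "X" is prohibited" line.
prohibited_class() {   # $1 = log line
  printf '%s\n' "$1" |
    sed -n 's/.*Access to Java class "\([^"]*\)" is prohibited.*/\1/p'
}

# 0 if CLASS is already an exact whiteList entry in CFG.
is_whitelisted() {   # $1 = cfg text, $2 = class
  printf '%s\n' "$1" | grep -Fxq "whiteList=$2"
}

# 0 if a blackList entry in CFG covers CLASS.  "*" is treated as a shell
# wildcard, so java.lang.reflect.* covers java.lang.reflect.Method.
# (Approximation of AM's pattern matching; assumption, not from the article.)
is_blacklisted() {   # $1 = cfg text, $2 = class
  printf '%s\n' "$1" | sed -n 's/^blackList=//p' | {
    while IFS= read -r pat; do
      case "$2" in
        $pat) exit 0 ;;
      esac
    done
    exit 1
  }
}

# Classify CLASS against CFG.  Prints one of:
#   reject-pattern  wildcard or empty: whitelist exact classes only
#   present         already whitelisted, nothing to apply
#   blacklisted     refuse: the engine's own blackList rejects it
#   add             safe to append and apply
whitelist_action() {   # $1 = cfg text, $2 = class
  case "$2" in
    ''|*'*'*) echo reject-pattern; return 0 ;;
  esac
  if is_whitelisted "$1" "$2"; then echo present
  elif is_blacklisted "$1" "$2"; then echo blacklisted
  else echo add
  fi
}

# Data file for "ssoadm set-sub-cfg -o set -D": every current whiteList
# entry plus CLASS.  -o set replaces the attribute, so the current entries
# must be carried over; CLASS is appended at most once.
build_whitelist_datafile() {   # $1 = cfg text, $2 = class
  printf '%s\n' "$1" | grep '^whiteList=' || :
  is_whitelisted "$1" "$2" || printf 'whiteList=%s\n' "$2"
}

fetch_cfg() {   # $1 = script type, e.g. POLICY_CONDITION
  "$SSOADM" get-sub-cfg -s ScriptingService -g "$1/engineConfiguration" \
    -u "$ADMIN_ID" -f "$PASSWORD_FILE"
}

# End to end: classify, apply with -o set, re-read and verify.
whitelist_class() {   # $1 = script type, $2 = class
  cfg=$(fetch_cfg "$1")
  action=$(whitelist_action "$cfg" "$2")
  case "$action" in
    add) ;;
    present) echo "$2 is already whitelisted for $1"; return 0 ;;
    *) echo "refused ($action): $2" >&2; return 1 ;;
  esac
  datafile=$(mktemp)
  build_whitelist_datafile "$cfg" "$2" > "$datafile"
  "$SSOADM" set-sub-cfg -s ScriptingService -g "$1/engineConfiguration" \
    -u "$ADMIN_ID" -f "$PASSWORD_FILE" -o set -D "$datafile"
  rm -f "$datafile"
  is_whitelisted "$(fetch_cfg "$1")" "$2" && echo "added $2 to $1"
}
```

With the variables set, `whitelist_class POLICY_CONDITION groovy.json.internal.LazyMap` performs the Example above in one step. The classification step refuses wildcard entries and anything the engine's own blackList already rejects, so the sandbox is widened by exactly the one class the script needs, and running it twice for the same class is harmless because the data file never gains a duplicate entry.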

See Also

How do I create a policy condition script in AM/OpenAM (All versions)?

How do I add logging to server-side scripts in AM (All versions) and OpenAM 13.x?

How do I automate the creation of scripts in AM/OpenAM (All versions)?

Reference › Configuration Reference › Scripting

Related Training

N/A

Related Issue Tracker IDs

N/A



Copyright © 2018 ForgeRock, all rights reserved.