Access to Java class is prohibited error with scripts running in Identity Cloud and AM (All versions)

Last updated Jan 24, 2023

The purpose of this article is to provide assistance if you encounter a "java.lang.SecurityException: Access to Java class "class.name" is prohibited" error when using functionality that is based on a script in ForgeRock Identity Cloud or AM. This issue might occur when validating or processing a script such as an OIDC claims script, a script used by the Scripted Decision node or a policy condition script.

Symptoms

You will see an error similar to the following in your Identity Cloud debug logs when executing the script:

"payload": {
    "context": "default",
    "exception": "java.util.concurrent.ExecutionException: javax.script.ScriptException: javax.script.ScriptException: java.lang.SecurityException: Access to Java class \"<class.name>\" is prohibited.
        at java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122)
        at java.base/java.util.concurrent.FutureTask.get(FutureTask.java:191)
        at org.forgerock.openam.scripting.ThreadPoolScriptEvaluator.evaluateScript(ThreadPoolScriptEvaluator.java:89)
        at org.forgerock.openam.scripting.application.ScriptEvaluationHelper.evaluateScript(ScriptEvaluationHelper.java:48)
        at org.forgerock.oauth2.core.plugins.scripted.ScriptedUserInfoClaimsPlugin.getUserInfoClaims(ScriptedUserInfoClaimsPlugin.java:207)
        at org.forgerock.oauth2.core.plugins.scripted.ScriptedUserInfoClaimsPlugin.getUserInfo(ScriptedUserInfoClaimsPlugin.java:158)
        at org.forgerock.oauth2.core.RealmOAuth2ProviderSettings.getUserInfo(RealmOAuth2ProviderSettings.java:584)
        at ...

You will see errors similar to the following in your AM debug logs when executing the script:

Caused by: java.util.concurrent.ExecutionException: javax.script.ScriptException: javax.script.ScriptException: java.lang.SecurityException: Access to Java class "<class.name>" is prohibited.
Caused by: java.lang.SecurityException: Access to Java class "<class.name>" is prohibited.

Recent Changes

Created or updated a script.

Added a Scripted Decision node to an authentication journey or tree.

Causes

The specified Java® class is not in the allowlist, which means it cannot be invoked by the script.

Solution

This issue can be resolved as follows depending on whether you are using Identity Cloud or AM:

Identity Cloud

  1. Review How do I get Java classes added to the allowlist in Identity Cloud for scripting purposes? for guidance around adding Java classes to the allowlist.
  2. Raise a ticket via Backstage to request the missing Java class is added to the Java class allowlist. Use the Identity Cloud: Config Request ticket type and select Add classes to scripting allowlist.

AM

Add the specified Java class to the allowlist using either the AM admin UI or ssoadm:

  • AM admin UI

Navigate to: Configure > Global Services > Scripting > Secondary Configurations > [Script Type] > Secondary Configurations > EngineConfiguration and add the missing Java class to the Java class whitelist field.

  • ssoadm

  1. Run the following command to create a data file (called DATA_FILE to match the next command), populated with the current whiteList property values so that you don't lose any existing entries:

     $ ./ssoadm get-sub-cfg -s ScriptingService -g [scriptType] -u [adminID] -f [passwordfile] | grep whiteList > DATA_FILE

     Replace [scriptType], [adminID] and [passwordfile] with appropriate values, where [scriptType] must be one of the following depending on your script type:

     Script Type                                                               -g value
     Client-side Authentication                                                AUTHENTICATION_CLIENT_SIDE/engineConfiguration
     Server-side Authentication                                                AUTHENTICATION_SERVER_SIDE/engineConfiguration
     Authentication journeys/trees (scripts used by Scripted Decision nodes)   AUTHENTICATION_TREE_DECISION_NODE/engineConfiguration
     Policy Condition                                                          POLICY_CONDITION/engineConfiguration
     OIDC Claims                                                               OIDC_CLAIMS/engineConfiguration
     OAuth 2.0 Access Tokens                                                   OAUTH2_ACCESS_TOKEN_MODIFICATION/engineConfiguration

  2. Update the data file you just created by adding the required whiteList values at the end, in the same format as the rest of the file (whiteList=java.class).
  3. Run the following command to update the whiteList property values:

     $ ./ssoadm set-sub-cfg -s ScriptingService -g [scriptType] -u [adminID] -f [passwordfile] -o add -D DATA_FILE

     Replace [scriptType], [adminID] and [passwordfile] with appropriate values, where [scriptType] must match the value you used in step 1.
  • ssoadm example

If you encounter an "Access to Java class "groovy.json.internal.LazyMap" is prohibited" error message when validating a policy using a policy condition script, you can resolve it as follows:

  1. Retrieve the current whiteList settings for the Policy Condition script type and save them to a file using the following ssoadm command:
    • AM 7 and later: $ ./ssoadm get-sub-cfg -s ScriptingService -g POLICY_CONDITION/engineConfiguration -u uid=amAdmin,ou=People,dc=am,dc=forgerock,dc=org -f pwd.txt | grep whiteList > allowlist.txt
    • AM 6.x: $ ./ssoadm get-sub-cfg -s ScriptingService -g POLICY_CONDITION/engineConfiguration -u amadmin -f pwd.txt | grep whiteList > allowlist.txt
  2. Verify that the whiteList attributes have been saved to the file, for example:

     $ cat allowlist.txt

     Example response:

     whiteList=java.lang.Float
     whiteList=java.util.HashMap$KeyIterator
     whiteList=com.sun.identity.shared.debug.Debug
     whiteList=java.lang.Double
     whiteList=org.forgerock.openam.scripting.api.http.JavaScriptHttpClient
     ...

  3. Add the missing Java class to the text file, for example:

     $ echo whiteList=groovy.json.internal.LazyMap >> allowlist.txt

  4. Verify that the new whiteList attribute has been added to this file, for example:

     $ cat allowlist.txt

     Example response:

     whiteList=java.lang.Float
     whiteList=java.util.HashMap$KeyIterator
     whiteList=com.sun.identity.shared.debug.Debug
     whiteList=java.lang.Double
     whiteList=org.forgerock.openam.scripting.api.http.JavaScriptHttpClient
     ...
     whiteList=groovy.json.internal.LazyMap

  5. Update the whiteList property values with the ones in the file using the following ssoadm command:
    • AM 7 and later: $ ./ssoadm set-sub-cfg -s ScriptingService -g POLICY_CONDITION/engineConfiguration -u uid=amAdmin,ou=People,dc=am,dc=forgerock,dc=org -f pwd.txt -o set -D allowlist.txt
    • AM 6.x: $ ./ssoadm set-sub-cfg -s ScriptingService -g POLICY_CONDITION/engineConfiguration -u amadmin -f pwd.txt -o set -D allowlist.txt
  6. Check that the whiteList settings (including the new Java class) have been applied successfully using the following ssoadm command:
    • AM 7 and later: $ ./ssoadm get-sub-cfg -s ScriptingService -g POLICY_CONDITION/engineConfiguration -u uid=amAdmin,ou=People,dc=am,dc=forgerock,dc=org -f pwd.txt
    • AM 6.x: $ ./ssoadm get-sub-cfg -s ScriptingService -g POLICY_CONDITION/engineConfiguration -u amadmin -f pwd.txt

Example response:

queueSize=10
i18nKey=engine-configuration
useSecurityManager=true
idleTimeout=60
blackList=java.lang.Class
blackList=java.security.AccessController
blackList=java.lang.reflect.*
coreThreads=10
whiteList=java.lang.Float
whiteList=java.util.HashMap$KeyIterator
whiteList=com.sun.identity.shared.debug.Debug
whiteList=java.lang.Double
whiteList=org.forgerock.openam.scripting.api.http.JavaScriptHttpClient
...
whiteList=groovy.json.internal.LazyMap
maxThreads=50
serverTimeout=0
Sub Configuration ScriptingService was retrieved.
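As an added illustration (not from this article or from ForgeRock), the POSIX shell script below assembles the data file that the set-sub-cfg step consumes from captured get-sub-cfg output, skipping a class that is already listed and refusing one that the engine's own blackList entries (such as java.lang.reflect.*) already cover, so a broad denied package is not silently re-allowed. The function names and the sample configuration text are constructed for the example.

```shell
# Added example (not ForgeRock's code): build the DATA_FILE that
# "ssoadm set-sub-cfg ... -D" consumes from captured get-sub-cfg output,
# refusing duplicates and classes the engine's blackList already covers.

# Constructed sample of get-sub-cfg output, trimmed from the article's
# example response.
SAMPLE_CFG='queueSize=10
useSecurityManager=true
blackList=java.lang.Class
blackList=java.security.AccessController
blackList=java.lang.reflect.*
whiteList=java.lang.Float
whiteList=java.util.HashMap$KeyIterator
whiteList=com.sun.identity.shared.debug.Debug
maxThreads=50'

# Return 0 if class $2 is covered by a blackList entry in config text $1.
# Assumes the two forms seen on the page: an exact class name, or a
# package prefix ending in ".*".
class_is_denied() {
  cls=$2
  while IFS= read -r pat; do
    case "$pat" in
      *'.*') case "$cls" in "${pat%\*}"*) return 0 ;; esac ;;
      *)     [ "$cls" = "$pat" ] && return 0 ;;
    esac
  done <<EOF
$(printf '%s\n' "$1" | sed -n 's/^blackList=//p')
EOF
  return 1
}

# Print the DATA_FILE contents: every existing whiteList= line from config
# text $1, then whiteList=$2. Return 1 (with a reason on stderr) if $2 is
# already allowlisted or is denied, so the configuration is left unchanged.
build_allowlist() {
  cfg=$1; cls=$2
  existing=$(printf '%s\n' "$cfg" | grep '^whiteList=' || true)
  if printf '%s\n' "$existing" | grep -Fqx "whiteList=$cls"; then
    echo "already allowlisted: $cls" >&2; return 1
  fi
  if class_is_denied "$cfg" "$cls"; then
    echo "refusing: $cls is covered by blackList" >&2; return 1
  fi
  [ -n "$existing" ] && printf '%s\n' "$existing"
  printf 'whiteList=%s\n' "$cls"
}

# Usage: redirect the output to the file passed to set-sub-cfg with -D.
build_allowlist "$SAMPLE_CFG" groovy.json.internal.LazyMap
```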

See Also

How do I create a policy condition script in AM (All versions)?

How do I add logging to server-side scripts in AM 6.x?

How do I create a script in AM (All versions) using Amster?

Scripting

Scripting environment

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.