How do I share values between scripted policies in AM/OpenAM (All versions)?
The purpose of this article is to provide information on sharing values between scripted policies in AM/OpenAM. The only variable you can share between privileges/policies is the environment variable.
Background information
The only variable you can share between privileges/policies is the environment variable, as explained below.
The ScriptCondition class sets the following objects, which makes them accessible to scripts:
    scriptVariables.put("logger", PolicyConstants.DEBUG);
    scriptVariables.put("username", SubjectUtils.getPrincipalId(subject));
    scriptVariables.put("resourceURI", resourceName);
    scriptVariables.put("environment", environment);
    scriptVariables.put("advice", advice);
    scriptVariables.put("responseAttributes", responseAttributes);
    scriptVariables.put("httpClient", getHttpClient(configuration.getLanguage()));
    scriptVariables.put("authorized", Boolean.FALSE);
    scriptVariables.put("ttl", Long.MAX_VALUE);
    // If a token is present include the corresponding identity and session objects.
    scriptVariables.put("identity", new ScriptedIdentity(coreWrapper.getIdentity(ssoToken)));
    scriptVariables.put("session", new ScriptedSession(ssoToken));
As you can see, the SSOToken is wrapped in a class called "ScriptedSession", which only exposes the getProperty() method, not setProperty() as the original SSOTokenImpl class did. Therefore, the only variable you can use to share values between privileges/policies is environment (for example, via environment.get() and environment.put()).
Example
The following example demonstrates two policies sharing the environment variable:
- Set up your policies:
    TestPolicy01:
        Resource: http://agent.example.com:38080/helloworld/index*.html
        All of ... Authentication by Module Chain=ldapService, Script=TestPolicyCondition01
    TestPolicy02:
        Resource: http://*.example.com:38080/helloworld/index.html
        All of ... Script=TestPolicyCondition02
- Create a simple script (the missing-environment branch ends the script with authorized = false, so environment.get() is never called on a null map):
    if (!environment) {
        logger.warning("TestPolicyCondition01:: No environment parameters specified in the evaluation request.");
        authorized = false;
    } else {
        var test = environment.get("test");
        if (test == null) {
            logger.warning("No test specified in the evaluation request environment parameters.");
            // Seed the shared value so that a policy evaluated later in the same request can read it.
            environment.put("test", "testvalue1");
        } else {
            logger.message("TestPolicyCondition01:: test=" + test);
        }
        authorized = true;
    }
- Use a curl command such as the following to evaluate both policies; the server URL for the endpoint differs depending on which version you are using. For example:
- AM 5 and later:
    $ curl -X POST \
        -H "iPlanetDirectoryPro: AQIC5...DU3*" \
        -H "Content-Type: application/json" \
        -H "Accept-API-Version: resource=2.0" \
        -d '{ "resources": [ "http://agent.example.com:38080/helloworld/index.html" ], "application": "iPlanetAMWebAgentService", "subject": { "ssoToken": "AQIC...*"} }' \
        http://host1.example.com:8080/openam/json/realms/root/policies?_action=evaluate
- Pre-AM 5:
    $ curl -X POST \
        -H "iPlanetDirectoryPro: AQIC5...DU3*" \
        -H "Content-Type: application/json" \
        -d '{ "resources": [ "http://agent.example.com:38080/helloworld/index.html" ], "application": "iPlanetAMWebAgentService", "subject": { "ssoToken": "AQIC...*"} }' \
        http://host1.example.com:8080/openam/json/policies?_action=evaluate
- Verify that the test value is shared between the policies in the Entitlement debug log. The annotations in this example indicate which messages were printed by which policy:
    Entitlement:10/06/2018 03:07:24:873 PM BST: Thread[pool-15-thread-5,5,main]: TransactionId[52169231-8063-4d1e-9156-20d18c8e22f6-1527]
    WARNING: No test specified in the evaluation request environment parameters.   <--- printed from TestPolicy02
    Entitlement:10/06/2018 03:15:11:456 PM BST: Thread[http-bio-18080-exec-6,5,main]: TransactionId[52169231-8063-4d1e-9156-20d18c8e22f6-1527]
    CachingEntitlementCondition.evaluate() caching condition decision "true" for condition: org.forgerock.openam.entitlement.conditions.environment.ScriptCondition{ "scriptId": "5107450e-0167-4369-8f67-23c18d214149" } :
    Entitlement:10/06/2018 03:15:14:062 PM BST: Thread[pool-15-thread-6,5,main]: TransactionId[52169231-8063-4d1e-9156-20d18c8e22f6-1527]
    TestPolicyCondition01:: test=testvalue2.   <--- printed from TestPolicy01
Note
This example is just a simple sample to demonstrate the concept. You should adjust it to fit your requirements.
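The following is an added, stand-alone simulation of the pattern above (it is not code from the article or from AM): two condition scripts in the article's shape share one environment map during a single evaluation request, which shows that the value a policy reads depends on the order in which the engine evaluates the conditions. The helper names (makeEnvironment, makeLogger, makeCondition, evaluateRequest) are assumptions for this harness, not AM APIs.

```javascript
// Stand-in for the java.util.Map that AM exposes to scripts as "environment":
// get()/put() with Java semantics (get() returns null for an absent key).
// This is a simulation helper, not AM's own class.
function makeEnvironment(initial) {
  const store = new Map(Object.entries(initial || {}));
  return {
    get: (k) => (store.has(k) ? store.get(k) : null),
    put: (k, v) => { const old = store.has(k) ? store.get(k) : null; store.set(k, v); return old; },
    toObject: () => Object.fromEntries(store),
  };
}

// Stand-in for "logger": records messages instead of writing to the Entitlement debug log.
function makeLogger(tag) {
  const lines = [];
  return {
    lines,
    warning: (m) => lines.push(tag + " WARNING: " + m),
    message: (m) => lines.push(tag + " MESSAGE: " + m),
  };
}

// Builds one condition script in the article's shape: guard a missing environment
// first (so get() is never called on null), then read the shared "test" value or
// seed it with this condition's own value for conditions evaluated later.
function makeCondition(tag, seedValue) {
  return function (environment, logger) {
    if (!environment) {
      logger.warning(tag + ":: No environment parameters specified in the evaluation request.");
      return { authorized: false };
    }
    const test = environment.get("test");
    if (test === null) {
      logger.warning("No test specified in the evaluation request environment parameters.");
      environment.put("test", seedValue);
    } else {
      logger.message(tag + ":: test=" + test);
    }
    return { authorized: true };
  };
}

// Evaluates the conditions in the given order over one shared environment, as
// happens for the policies matched by a single REST evaluate request.
function evaluateRequest(conditions, environment) {
  const logger = makeLogger("Entitlement");
  const decisions = conditions.map((c) => c(environment, logger).authorized);
  return { decisions, log: logger.lines, environment: environment ? environment.toObject() : null };
}
```

Evaluating TestPolicyCondition02 before TestPolicyCondition01 reproduces the article's log: the first condition warns and seeds the value, the second reads it.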
See Also
How do I create a policy condition script in AM/OpenAM (All versions)?
FAQ: Configuring policies in AM/OpenAM
Agents and policies in AM/OpenAM
Authorization Guide › Scripting a Policy Condition
Authorization Guide › Requesting Policy Decisions Using REST
Related Training
N/A
Related Issue Tracker IDs
N/A