How do I share values between scripted policies in AM (All versions)?

Last updated Apr 13, 2021

The purpose of this article is to provide information on sharing values between scripted policies in AM. The only variable you can share between privileges/policies is the environment variable.

Background information

The only variable you can share between privileges/policies is the environment variable as explained here.

The ScriptCondition class sets the following objects, which makes them accessible to scripts:

scriptVariables.put("logger", PolicyConstants.DEBUG); scriptVariables.put("username", SubjectUtils.getPrincipalId(subject)); scriptVariables.put("resourceURI", resourceName); scriptVariables.put("environment", environment); scriptVariables.put("advice", advice); scriptVariables.put("responseAttributes", responseAttributes); scriptVariables.put("httpClient", getHttpClient(configuration.getLanguage())); scriptVariables.put("authorized", Boolean.FALSE); scriptVariables.put("ttl", Long.MAX_VALUE); // If a token is present include the corresponding identity and session objects. scriptVariables.put("identity", new ScriptedIdentity(coreWrapper.getIdentity(ssoToken))); scriptVariables.put("session", new ScriptedSession(ssoToken));

As you can see, the SSOToken is wrapped in a class called "ScriptedSession" which only exposes the getProperty() method, not setProperty() like the original SSOTokenImpl class did. Therefore, the only variable you can use to share between privileges/policies is environment (for example, environment.get() and environment.put() ).

Example

The following example demonstrates two policies sharing the environment variable:

Set up your policies: TestPolicy01 : http://agent.example.com:38080/helloworld/index*.html All of ... Authentication by Module Chain=ldapService Script=TestPolicyCondition01 TestPolicy02 : http://*.example.com:38080/helloworld/index.html All of ... Script=TestPolicyCondition02
Create a simple script: if (!environment) { logger.warning("TestPolicyCondition01:: No environment parameters specified in the evaluation request."); authorized = false; } var test = environment.get("test"); if (test == null) { logger.warning("No test specified in the evaluation request environment parameters."); environment.put("test", "testvalue1"); } else { logger.message("TestPolicyCondition01:: test=" + test); } authorized = true;
Use a curl command such as the following to evaluate both policies: $ curl -X POST -H "iPlanetDirectoryPro: AQIC5...DU3*" -H "Content-Type: application/json" -H "Accept-API-Version: resource=2.0" -d '{ "resources": [ "http://agent.example.com:38080/helloworld/index.html" ], "application": "iPlanetAMWebAgentService", "subject": { "ssoToken": "AQIC...*"} }' http://host1.example.com:8080/openam/json/realms/root/policies?_action=evaluate
Verify that the test value is shared between the policies in the Entitlement debug log. This example indicates which messages have been printed by which policy: Entitlement:10/06/2018 03:07:24:873 PM BST: Thread[pool-15-thread-5,5,main]: TransactionId[52169231-8063-4d1e-9156-20d18c8e22f6-1527] WARNING: No test specified in the evaluation request environment parameters. <--- printed from TestPolicy02 Entitlement:10/06/2018 03:15:11:456 PM BST: Thread[http-bio-18080-exec-6,5,main]: TransactionId[52169231-8063-4d1e-9156-20d18c8e22f6-1527] CachingEntitlementCondition.evaluate() caching condition decision "true" for condition: org.forgerock.openam.entitlement.conditions.environment.ScriptCondition{ "scriptId": "5107450e-0167-4369-8f67-23c18d214149" } : Entitlement:10/06/2018 03:15:14:062 PM BST: Thread[pool-15-thread-6,5,main]: TransactionId[52169231-8063-4d1e-9156-20d18c8e22f6-1527] TestPolicyCondition01:: test=testvalue2. <--- printed from TestPolicy01

Note

This example is just a simple sample to demonstrate the concept. You should adjust it to fit your requirements.

Related Training

N/A

Related Issue Tracker IDs

N/A

Background information

Example

Note

See Also

Related Training

Related Issue Tracker IDs