How do I share values between scripted policies in AM (All versions)?
The purpose of this article is to provide information on sharing values between scripted policies in AM. The only variable you can share between privileges/policies is the environment variable.
Background information
The only variable you can share between privileges/policies is the environment variable, for the reason explained below.
The ScriptCondition class sets the following objects, which makes them accessible to scripts:
```java
scriptVariables.put("logger", PolicyConstants.DEBUG);
scriptVariables.put("username", SubjectUtils.getPrincipalId(subject));
scriptVariables.put("resourceURI", resourceName);
scriptVariables.put("environment", environment);
scriptVariables.put("advice", advice);
scriptVariables.put("responseAttributes", responseAttributes);
scriptVariables.put("httpClient", getHttpClient(configuration.getLanguage()));
scriptVariables.put("authorized", Boolean.FALSE);
scriptVariables.put("ttl", Long.MAX_VALUE);
// If a token is present include the corresponding identity and session objects.
scriptVariables.put("identity", new ScriptedIdentity(coreWrapper.getIdentity(ssoToken)));
scriptVariables.put("session", new ScriptedSession(ssoToken));
```
As you can see, the SSOToken is wrapped in a class called ScriptedSession, which only exposes the getProperty() method, not the setProperty() method that the original SSOTokenImpl class provides. Therefore, the only variable you can use to share values between privileges/policies is environment (via environment.get() and environment.put()).
Example
The following example demonstrates two policies sharing the environment variable:
- Set up your policies:
  - TestPolicy01: resource http://agent.example.com:38080/helloworld/index*.html; conditions "All of": Authentication by Module Chain = ldapService, Script = TestPolicyCondition01
  - TestPolicy02: resource http://*.example.com:38080/helloworld/index.html; conditions "All of": Script = TestPolicyCondition02
- Create a simple script for each condition; the TestPolicyCondition01 script looks like this:

```javascript
if (!environment) {
    logger.warning("TestPolicyCondition01:: No environment parameters specified in the evaluation request.");
    authorized = false;
} else {
    // Read the shared value; Java Map.get() returns null when the key is absent.
    var test = environment.get("test");
    if (test == null) {
        logger.warning("No test specified in the evaluation request environment parameters.");
        // Put the value into the shared environment map for the other policy to read.
        environment.put("test", "testvalue1");
    } else {
        logger.message("TestPolicyCondition01:: test=" + test);
    }
    authorized = true;
}
```
- Use a curl command such as the following to evaluate both policies:

```shell
$ curl -X POST \
  -H "iPlanetDirectoryPro: AQIC5...DU3*" \
  -H "Content-Type: application/json" \
  -H "Accept-API-Version: resource=2.0" \
  -d '{
    "resources": [ "http://agent.example.com:38080/helloworld/index.html" ],
    "application": "iPlanetAMWebAgentService",
    "subject": { "ssoToken": "AQIC...*" }
  }' \
  https://am.example.com:8443/am/json/realms/root/policies?_action=evaluate
```
- Verify that the test value is shared between the policies in the Entitlement debug log. This example indicates which messages have been printed by which policy:

```
Entitlement:10/06/2018 03:07:24:873 PM BST: Thread[pool-15-thread-5,5,main]: TransactionId[52169231-8063-4d1e-9156-20d18c8e22f6-1527]
WARNING: No test specified in the evaluation request environment parameters.   <--- printed from TestPolicy02
Entitlement:10/06/2018 03:15:11:456 PM BST: Thread[http-bio-18080-exec-6,5,main]: TransactionId[52169231-8063-4d1e-9156-20d18c8e22f6-1527]
CachingEntitlementCondition.evaluate() caching condition decision "true" for condition: org.forgerock.openam.entitlement.conditions.environment.ScriptCondition{ "scriptId": "5107450e-0167-4369-8f67-23c18d214149" } :
Entitlement:10/06/2018 03:15:14:062 PM BST: Thread[pool-15-thread-6,5,main]: TransactionId[52169231-8063-4d1e-9156-20d18c8e22f6-1527]
TestPolicyCondition01:: test=testvalue2.   <--- printed from TestPolicy01
```
Note
This example is just a simple sample to demonstrate the concept. You should adjust it to fit your requirements.
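The handoff the debug log shows, as an added example that is not part of this article or of AM itself: a small Node.js harness that mimics the bindings ScriptCondition hands to a script (an environment map with Java-style get/put, a logger, the authorized result) and runs the two condition scripts against one shared map. makeEnvironment, makeCondition and evaluateRequest are hypothetical names; the map can also be seeded the way an evaluation request's own environment is (see "Request policy decisions over REST"), so a script cannot distinguish a value a sibling policy put from one the caller supplied.

```javascript
// Java-style Map as seen from the script: get() returns null, not undefined,
// for a missing key (the article's script tests `test == null`).
function makeEnvironment(initial) {
  const store = new Map(Object.entries(initial || {}));
  return {
    get: (key) => (store.has(key) ? store.get(key) : null),
    put: (key, value) => { store.set(key, value); },
  };
}

// One condition script, mirroring the article's TestPolicyCondition01 logic:
// read "test", put a value if it is absent, and set authorized.
// `log` stands in for the logger binding; hypothetical helper names throughout.
function makeCondition(name, valueToShare, log) {
  return function (environment) {
    if (!environment) {
      log.push(name + ":: No environment parameters specified in the evaluation request.");
      return false;                       // authorized = false
    }
    const test = environment.get("test");
    if (test === null) {
      log.push(name + ":: No test specified in the evaluation request environment parameters.");
      environment.put("test", valueToShare);
    } else {
      log.push(name + ":: test=" + test);
    }
    return true;                          // authorized = true
  };
}

// Evaluate the conditions in the given order against ONE environment map, which
// is what makes a value put by an earlier script visible to a later one.
// `clientEnvironment` is whatever the evaluation request already carried.
function evaluateRequest(order, clientEnvironment) {
  const log = [];
  const environment = makeEnvironment(clientEnvironment);
  const conditions = {
    TestPolicyCondition01: makeCondition("TestPolicyCondition01", "testvalue1", log),
    TestPolicyCondition02: makeCondition("TestPolicyCondition02", "testvalue2", log),
  };
  const decisions = order.map((n) => conditions[n](environment));
  return { decisions, log, shared: environment.get("test") };
}

// Order seen in the article's debug log: TestPolicy02 ran first, so TestPolicy01 saw "testvalue2".
console.log(evaluateRequest(["TestPolicyCondition02", "TestPolicyCondition01"], {}).log);
```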
See Also
How do I create a policy condition script in AM (All versions)?
FAQ: Configuring policies in Identity Cloud and AM
Request policy decisions over REST
Related Training
N/A
Related Issue Tracker IDs
N/A