How To

How do I share values between scripted policies in AM/OpenAM (All versions)?

Last updated Sep 14, 2020

The purpose of this article is to provide information on sharing values between scripted policies in AM/OpenAM. The only variable you can share between privileges/policies is the environment variable.

Background information

The only variable you can share between privileges/policies is the environment variable as explained here.

The ScriptCondition class sets the following objects, which makes them accessible to scripts:

scriptVariables.put("logger", PolicyConstants.DEBUG);
scriptVariables.put("username", SubjectUtils.getPrincipalId(subject));
scriptVariables.put("resourceURI", resourceName);
scriptVariables.put("environment", environment);
scriptVariables.put("advice", advice);
scriptVariables.put("responseAttributes", responseAttributes);
scriptVariables.put("httpClient", getHttpClient(configuration.getLanguage()));
scriptVariables.put("authorized", Boolean.FALSE);
scriptVariables.put("ttl", Long.MAX_VALUE);
// If a token is present include the corresponding identity and session objects.
scriptVariables.put("identity", new ScriptedIdentity(coreWrapper.getIdentity(ssoToken)));
scriptVariables.put("session", new ScriptedSession(ssoToken));

As you can see, the SSOToken is wrapped in a class called "ScriptedSession" which only exposes the getProperty() method, not setProperty() like the original SSOTokenImpl class did. Therefore, the only variable you can use to share between privileges/policies is environment (for example, environment.get() and environment.put() ).

Example

The following example demonstrates two policies sharing the environment variable:

  1. Set up your policies: 
    TestPolicy01 :
    http://agent.example.com:38080/helloworld/index*.html
    All of ... Authentication by Module Chain=ldapService
                  Script=TestPolicyCondition01
TestPolicy02 :
 http://*.example.com:38080/helloworld/index.html
    All of ... Script=TestPolicyCondition02
  2. Create a simple script: 
    if (!environment) {
    logger.warning("TestPolicyCondition01:: No environment parameters specified in the evaluation request.");
    authorized = false;
}

var test = environment.get("test");
if (test == null) {
    logger.warning("No test specified in the evaluation request environment parameters.");
 environment.put("test", "testvalue1");
} else {
    logger.message("TestPolicyCondition01:: test=" + test);

}

authorized = true;
  3. Use a curl command such as the following to evaluate both policies; the server URL for the endpoint differs depending on which version you are using. For example:
    • AM 5 and later: 
      $ curl -X POST -H "iPlanetDirectoryPro: AQIC5...DU3*" -H "Content-Type: application/json" -H "Accept-API-Version: resource=2.0" -d '{
    "resources": [
        "http://agent.example.com:38080/helloworld/index.html"
    ],
    "application": "iPlanetAMWebAgentService",
    "subject": { "ssoToken": "AQIC...*"}
}' http://host1.example.com:8080/openam/json/realms/root/policies?_action=evaluate
    • Pre-AM 5: 
      $ curl -X POST -H "iPlanetDirectoryPro: AQIC5...DU3*" -H "Content-Type: application/json" -d '{
    "resources": [
        "http://agent.example.com:38080/helloworld/index.html"
    ],
    "application": "iPlanetAMWebAgentService",
    "subject": { "ssoToken": "AQIC...*"}
}' http://host1.example.com:8080/openam/json/policies?_action=evaluate
  4. Verify that the test value is shared between the policies in the Entitlement debug log. This example indicates which messages have been printed by which policy: 
    Entitlement:10/06/2018 03:07:24:873 PM BST: Thread[pool-15-thread-5,5,main]: TransactionId[52169231-8063-4d1e-9156-20d18c8e22f6-1527]
WARNING: No test specified in the evaluation request environment parameters.  <--- printed from TestPolicy02
Entitlement:10/06/2018 03:15:11:456 PM BST: Thread[http-bio-18080-exec-6,5,main]: TransactionId[52169231-8063-4d1e-9156-20d18c8e22f6-1527]
CachingEntitlementCondition.evaluate() caching condition decision "true" for condition: org.forgerock.openam.entitlement.conditions.environment.ScriptCondition{ "scriptId": "5107450e-0167-4369-8f67-23c18d214149" }
:
Entitlement:10/06/2018 03:15:14:062 PM BST: Thread[pool-15-thread-6,5,main]: TransactionId[52169231-8063-4d1e-9156-20d18c8e22f6-1527]
TestPolicyCondition01:: test=testvalue2. <--- printed from TestPolicy01
Note

This example is just a simple sample to demonstrate the concept. You should adjust it to fit your requirements.

See Also

How do I create a policy condition script in AM/OpenAM (All versions)?

FAQ: Configuring policies in AM/OpenAM

Agents and policies in AM/OpenAM

Authorization Guide › Scripting a Policy Condition

Authorization Guide › Requesting Policy Decisions Using REST

Related Training

N/A

Related Issue Tracker IDs

N/A

Copyright and TrademarksCopyright © 2020 ForgeRock, all rights reserved.
Loading...