How To

How do I share values between scripted policies in AM/OpenAM (All versions)?

Last updated Jan 13, 2021

The purpose of this article is to provide information on sharing values between scripted policies in AM/OpenAM. The only variable you can share between privileges/policies is the environment variable.

Background information

The only variable you can share between privileges/policies is the environment variable as explained here.

The ScriptCondition class sets the following objects, which makes them accessible to scripts:

scriptVariables.put("logger", PolicyConstants.DEBUG); scriptVariables.put("username", SubjectUtils.getPrincipalId(subject)); scriptVariables.put("resourceURI", resourceName); scriptVariables.put("environment", environment); scriptVariables.put("advice", advice); scriptVariables.put("responseAttributes", responseAttributes); scriptVariables.put("httpClient", getHttpClient(configuration.getLanguage())); scriptVariables.put("authorized", Boolean.FALSE); scriptVariables.put("ttl", Long.MAX_VALUE); // If a token is present include the corresponding identity and session objects. scriptVariables.put("identity", new ScriptedIdentity(coreWrapper.getIdentity(ssoToken))); scriptVariables.put("session", new ScriptedSession(ssoToken));

As you can see, the SSOToken is wrapped in a class called "ScriptedSession" which only exposes the getProperty() method, not setProperty() like the original SSOTokenImpl class did. Therefore, the only variable you can use to share between privileges/policies is environment (for example, environment.get() and environment.put() ).


The following example demonstrates two policies sharing the environment variable:

  1. Set up your policies: TestPolicy01 :*.html     All of ... Authentication by Module Chain=ldapService                   Script=TestPolicyCondition01 TestPolicy02 :  http://*     All of ... Script=TestPolicyCondition02
  2. Create a simple script: if (!environment) {     logger.warning("TestPolicyCondition01:: No environment parameters specified in the evaluation request.");     authorized = false; } var test = environment.get("test"); if (test == null) {     logger.warning("No test specified in the evaluation request environment parameters.");  environment.put("test", "testvalue1"); } else {     logger.message("TestPolicyCondition01:: test=" + test); } authorized = true;
  3. Use a curl command such as the following to evaluate both policies; the server URL for the endpoint differs depending on which version you are using. For example:
    • AM 5 and later: $ curl -X POST -H "iPlanetDirectoryPro: AQIC5...DU3*" -H "Content-Type: application/json" -H "Accept-API-Version: resource=2.0" -d '{     "resources": [         ""     ],     "application": "iPlanetAMWebAgentService",     "subject": { "ssoToken": "AQIC...*"} }'
    • Pre-AM 5: $ curl -X POST -H "iPlanetDirectoryPro: AQIC5...DU3*" -H "Content-Type: application/json" -d '{     "resources": [         ""     ],     "application": "iPlanetAMWebAgentService",     "subject": { "ssoToken": "AQIC...*"} }'
  4. Verify that the test value is shared between the policies in the Entitlement debug log. This example indicates which messages have been printed by which policy: Entitlement:10/06/2018 03:07:24:873 PM BST: Thread[pool-15-thread-5,5,main]: TransactionId[52169231-8063-4d1e-9156-20d18c8e22f6-1527] WARNING: No test specified in the evaluation request environment parameters. <--- printed from TestPolicy02 Entitlement:10/06/2018 03:15:11:456 PM BST: Thread[http-bio-18080-exec-6,5,main]: TransactionId[52169231-8063-4d1e-9156-20d18c8e22f6-1527] CachingEntitlementCondition.evaluate() caching condition decision "true" for condition: org.forgerock.openam.entitlement.conditions.environment.ScriptCondition{ "scriptId": "5107450e-0167-4369-8f67-23c18d214149" } : Entitlement:10/06/2018 03:15:14:062 PM BST: Thread[pool-15-thread-6,5,main]: TransactionId[52169231-8063-4d1e-9156-20d18c8e22f6-1527] TestPolicyCondition01:: test=testvalue2. <--- printed from TestPolicy01

This example is just a simple sample to demonstrate the concept. You should adjust it to fit your requirements.

See Also

How do I create a policy condition script in AM/OpenAM (All versions)?

FAQ: Configuring policies in AM/OpenAM

Agents and policies in AM/OpenAM

Authorization Guide › Scripting a Policy Condition

Authorization Guide › Requesting Policy Decisions Using REST

Related Training


Related Issue Tracker IDs


Copyright and TrademarksCopyright © 2021 ForgeRock, all rights reserved.