How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I share values between scripted policies in AM (All versions)?

Last updated Apr 13, 2021

The purpose of this article is to provide information on sharing values between scripted policies in AM. The only variable you can share between privileges/policies is the environment variable.


Background information

The only variable you can share between privileges/policies is the environment variable, as explained below.

The ScriptCondition class sets the following objects, which makes them accessible to scripts:

    scriptVariables.put("logger", PolicyConstants.DEBUG);
    scriptVariables.put("username", SubjectUtils.getPrincipalId(subject));
    scriptVariables.put("resourceURI", resourceName);
    scriptVariables.put("environment", environment);
    scriptVariables.put("advice", advice);
    scriptVariables.put("responseAttributes", responseAttributes);
    scriptVariables.put("httpClient", getHttpClient(configuration.getLanguage()));
    scriptVariables.put("authorized", Boolean.FALSE);
    scriptVariables.put("ttl", Long.MAX_VALUE);
    // If a token is present include the corresponding identity and session objects.
    scriptVariables.put("identity", new ScriptedIdentity(coreWrapper.getIdentity(ssoToken)));
    scriptVariables.put("session", new ScriptedSession(ssoToken));

As you can see, the SSOToken is wrapped in a class called ScriptedSession, which only exposes the getProperty() method, not the setProperty() method that the underlying SSOTokenImpl class provides. Therefore, the only variable you can use to share values between privileges/policies is environment (for example, via environment.get() and environment.put()).

Example

The following example demonstrates two policies sharing the environment variable:

  1. Set up your policies:

     TestPolicy01:
       Resource: http://agent.example.com:38080/helloworld/index*.html
       Conditions (All of ...):
         Authentication by Module Chain = ldapService
         Script = TestPolicyCondition01

     TestPolicy02:
       Resource: http://*.example.com:38080/helloworld/index.html
       Conditions (All of ...):
         Script = TestPolicyCondition02

  2. Create a simple script for each scripted condition, for example TestPolicyCondition01:

     // Deny and stop if the request carried no environment map at all;
     // otherwise read the shared "test" value, setting it when it is absent.
     if (!environment) {
         logger.warning("TestPolicyCondition01:: No environment parameters specified in the evaluation request.");
         authorized = false;
     } else {
         var test = environment.get("test");
         if (test == null) {
             logger.warning("No test specified in the evaluation request environment parameters.");
             environment.put("test", "testvalue1");
         } else {
             logger.message("TestPolicyCondition01:: test=" + test);
         }
         authorized = true;
     }

  3. Use a curl command such as the following to evaluate both policies:

     $ curl -X POST \
       -H "iPlanetDirectoryPro: AQIC5...DU3*" \
       -H "Content-Type: application/json" \
       -H "Accept-API-Version: resource=2.0" \
       -d '{
         "resources": [
           "http://agent.example.com:38080/helloworld/index.html"
         ],
         "application": "iPlanetAMWebAgentService",
         "subject": { "ssoToken": "AQIC...*" }
       }' \
       http://host1.example.com:8080/openam/json/realms/root/policies?_action=evaluate

  4. Verify that the test value is shared between the policies in the Entitlement debug log. This example indicates which messages were printed by which policy:

     Entitlement:10/06/2018 03:07:24:873 PM BST: Thread[pool-15-thread-5,5,main]: TransactionId[52169231-8063-4d1e-9156-20d18c8e22f6-1527]
     WARNING: No test specified in the evaluation request environment parameters.   <--- printed from TestPolicy02
     Entitlement:10/06/2018 03:15:11:456 PM BST: Thread[http-bio-18080-exec-6,5,main]: TransactionId[52169231-8063-4d1e-9156-20d18c8e22f6-1527]
     CachingEntitlementCondition.evaluate() caching condition decision "true" for condition: org.forgerock.openam.entitlement.conditions.environment.ScriptCondition{ "scriptId": "5107450e-0167-4369-8f67-23c18d214149" } :
     Entitlement:10/06/2018 03:15:14:062 PM BST: Thread[pool-15-thread-6,5,main]: TransactionId[52169231-8063-4d1e-9156-20d18c8e22f6-1527]
     TestPolicyCondition01:: test=testvalue2.   <--- printed from TestPolicy01
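As an added illustration (not ForgeRock's code), the following Node.js model of the script bindings runs two condition scripts in the order seen in the log above against one shared environment map and a read-only ScriptedSession stand-in. It assumes that each evaluate request gets its own environment map and, for simplicity, models environment values as plain strings; the class names, the "demo" user and the request parameters are constructed for the example.

```javascript
// Added example, not ForgeRock code: a Node.js model of the bindings that
// ScriptCondition hands to a policy script, showing why two scripted
// conditions can exchange values only through `environment`. Assumptions:
// one environment map per evaluate request; values are plain strings.

// Stand-in for ScriptedSession: exposes getProperty() only, no setProperty().
class ScriptedSession {
  constructor(props) { this.props = props; }
  getProperty(name) { return this.props[name]; }
}

// Stand-in for the Java Map bound as `environment` (get/put as used in scripts).
class ScriptEnvironment {
  constructor(params) { this.store = new Map(Object.entries(params)); }
  get(key) { return this.store.get(key); }
  put(key, value) { this.store.set(key, value); }
}

// The subset of scriptVariables that the article's condition script relies on.
function makeBindings(environment, session) {
  const log = [];
  const logger = {
    warning: (m) => log.push("WARNING: " + m),
    message: (m) => log.push(m),
  };
  return { environment, session, logger, log, authorized: false };
}
// Same logic as the article's condition script: read "test" from the shared
// environment, write it when absent, and allow the request.
function testPolicyCondition(name, value, b) {
  const test = b.environment.get("test");
  if (test === undefined) {
    b.logger.warning("No test specified in the evaluation request environment parameters.");
    b.environment.put("test", value);
  } else {
    b.logger.message(name + ":: test=" + test);
  }
  b.authorized = true;
}
// One evaluate request: both scripts run against the same environment map,
// in the order seen in the debug log above (TestPolicy02, then TestPolicy01).
function evaluateRequest(requestParams) {
  const b = makeBindings(new ScriptEnvironment(requestParams),
                         new ScriptedSession({ UserId: "demo" }));
  testPolicyCondition("TestPolicyCondition02", "testvalue2", b);
  testPolicyCondition("TestPolicyCondition01", "testvalue1", b);
  return { log: b.log, shared: b.environment.get("test"), authorized: b.authorized,
           sessionWritable: typeof b.session.setProperty === "function" };
}
```

Running evaluateRequest({}) twice shows that the value written by the first script is visible to the second within a request, but not to a later request, and that no script can write to the session.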
Note

This example is just a simple sample to demonstrate the concept. You should adjust it to fit your requirements.

See Also

How do I create a policy condition script in AM (All versions)?

FAQ: Configuring policies in Identity Cloud and AM

Agents and policies in AM

Authorization Guide › Scripting a Policy Condition

Authorization Guide › Requesting Policy Decisions Using REST

Related Training

N/A

Related Issue Tracker IDs

N/A



Copyright and Trademarks: Copyright © 2021 ForgeRock, all rights reserved.