JavaScript whitelist (AAC)
Advanced Access Control JavaScript mapping rules and Federation mapping rules call Java™ code from JavaScript. The set of classes that can be called is restricted.
Exercise reasonable caution when you call Java code from JavaScript rules to ensure that accidental damage to appliance resources is avoided.
Common classes allowed in one-time password, OAuth or API protection, dynamic attributes, and JavaScript PIP, federation mapping rules, and access policies:
- java.lang.Boolean
- java.lang.Byte
- java.lang.Character
- java.lang.Class
- java.lang.Double
- java.lang.Float
- java.lang.Integer
- java.lang.Long
- java.lang.reflect.Array
- java.lang.Short
- java.lang.String
- java.lang.System
- java.io.ByteArrayInputStream
- java.io.ObjectInputStream
- java.io.PrintStream
- java.math.BigDecimal
- java.util.ArrayList **
- java.util.Base64
- java.util.Base64$Decoder
- java.util.Base64$Encoder
- java.util.Date
- java.util.HashSet **
- java.util.HashMap **
- java.util.Iterator
- java.util.List
- java.util.Map
- java.util.Set
- java.util.UUID
- com.ibm.security.access.httpclient.HttpClient
- com.ibm.security.access.httpclient.HttpResponse
- com.ibm.security.access.httpclient.Headers
- com.ibm.security.access.httpclient.Parameters
- com.ibm.security.access.scimclient.ScimClient
- com.ibm.security.access.scimcleint.ScimConfig
- com.ibm.security.access.ciclient.CiClient
- com.tivoli.am.rba.attributes.AttributeIdentifier
- com.tivoli.am.rba.extensions.RBAExtensions
- com.tivoli.am.rba.fingerprinting.ValueContainerIdentifierAdapter
- com.tivoli.am.rba.extensions.Attribute$Category
- com.tivoli.am.rba.extensions.Attribute$DataType
- com.tivoli.am.rba.extensions.Attribute
- com.tivoli.am.rba.extensions.PluginUtils
** Inner classes for these classes are not supported. Methods that involve an inner class implementation of an interface are not available. For example, do not use the following methods in java.util.HashMap:
- Collection<V> values()
- Set<K> keySet()
- Set<Map.Entry<K,V>> entrySet()
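A pre-upload check for the two restrictions described above, as an added example that is not IBM code: it flags imports of classes outside the allowed set and calls to the three unavailable HashMap methods. It assumes the rule references Java classes through Rhino-style `importClass(...)` statements; `lintMappingRule`, `ALLOWED` and `SAMPLE_RULE` are hypothetical names, and the method check matches by name only, so it is a review aid rather than a parser.

```javascript
// Added example, not IBM code: lint a mapping rule before uploading it.
// ALLOWED is a small subset of the common classes listed above; extend it with
// the lists that apply to the rule type being checked.
const ALLOWED = new Set([
  "java.lang.String", "java.lang.Integer", "java.util.ArrayList",
  "java.util.HashMap", "java.util.HashSet", "java.util.Iterator",
  "java.util.Base64", "java.util.UUID",
  "com.ibm.security.access.httpclient.HttpClient",
  "com.tivoli.am.rba.extensions.PluginUtils",
]);

// Methods the page names as unavailable because they rely on inner classes.
const INNER_CLASS_METHODS = ["values", "keySet", "entrySet"];

function lintMappingRule(source) {
  const findings = [];
  source.split("\n").forEach((text, i) => {
    const line = i + 1;
    const code = text.replace(/\/\/.*$/, ""); // heuristic: drop line comments
    // Matches importClass(Packages.a.b.C) and importClass(a.b.C).
    const importRe = /importClass\(\s*(?:Packages\.)?([\w.$]+)\s*\)/g;
    let m;
    while ((m = importRe.exec(code)) !== null) {
      if (!ALLOWED.has(m[1])) {
        findings.push({ line, kind: "class-not-allowed", name: m[1] });
      }
    }
    for (const method of INNER_CLASS_METHODS) {
      if (new RegExp("\\." + method + "\\s*\\(").test(code)) {
        findings.push({ line, kind: "inner-class-method", name: method });
      }
    }
  });
  return findings;
}

// Constructed sample rule, for illustration only.
const SAMPLE_RULE = [
  "importClass(Packages.java.util.HashMap);",
  "importClass(Packages.java.io.File);",
  "var attrs = new HashMap();",
  "attrs.put('mail', 'user@example.com');",
  "var keys = attrs.keySet(); // not available under the whitelist",
  "var mail = attrs.get('mail');",
].join("\n");

console.log(lintMappingRule(SAMPLE_RULE));
```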
For information about dynamic attributes, see Dynamic attributes.
For information about federation mapping rules, see Mapping rules.
Additional classes allowed in one-time password, OAuth or API protection mapping rules, federation mapping rules, and access policies:
- com.tivoli.am.fim.base64.BASE64Utility
- com.tivoli.am.fim.trustserver.sts.modules.http.stsclient.STSClientHelper
- com.tivoli.am.fim.trustserver.sts.oauth20.Client
- com.tivoli.am.fim.trustserver.sts.oauth20.Grant
- com.tivoli.am.fim.trustserver.sts.oauth20.Token
- com.tivoli.am.fim.trustserver.sts.STSModuleException
- com.tivoli.am.fim.trustserver.sts.STSUniversalUser *
- com.tivoli.am.fim.trustserver.sts.utilities.HttpResponse
- com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils
- com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtCacheDMAPImpl
- com.tivoli.am.fim.trustserver.sts.utilities.InfoCardClaim
- com.tivoli.am.fim.trustserver.sts.utilities.MMFAMappingExtUtils
- com.tivoli.am.fim.trustserver.sts.utilities.OAuthMappingExtUtils
- com.tivoli.am.fim.trustserver.sts.utilities.QueryServiceAttribute
- com.tivoli.am.fim.trustserver.sts.utilities.USCContextAttributesHelper
- com.tivoli.am.fim.trustserver.sts.uuser.Attribute *
- com.tivoli.am.fim.trustserver.sts.uuser.AttributeList *
- com.tivoli.am.fim.trustserver.sts.uuser.AttributeStatement *
- com.tivoli.am.fim.trustserver.sts.uuser.ContextAttributes *
- com.tivoli.am.fim.trustserver.sts.uuser.Group *
- com.tivoli.am.fim.trustserver.sts.uuser.Principal *
- com.tivoli.am.fim.trustserver.sts.uuser.RequestSecurityToken *
- com.tivoli.am.fim.trustserver.sts.uuser.Subject *
- com.tivoli.am.fim.utils.IteratorWrapper
- com.tivoli.am.rba.pip.JavaScriptPIP
- com.tivoli.am.rba.pip.JavaScriptPIP$Context
- java.mail.internet.InternetAddress
* The whitelist does not contain any implementation of the interfaces defined in the org.w3c.dom package. For example, we cannot use the method org.w3c.dom.Document toXML() in com.tivoli.am.fim.trustserver.sts.STSUniversalUser.
Additional classes allowed in JavaScript PIP:
- com.tivoli.am.fim.base64.BASE64Utility
- com.tivoli.am.rba.pip.JavaScriptPIP
- com.tivoli.am.rba.pip.JavaScriptPIP$Context
- com.tivoli.am.rba.rtss.AttributeLocatorImpl
For information about policy information points, see Manage policy information points.
Additional classes allowed in mapping rules:
- packages.com.ibm.security.access.user.UserLookupHelper
- packages.com.ibm.security.access.user.User
For information on mapping rules, see:
Additional classes to manage server connections:
- com.ibm.security.access.server_connections.LdapServerConnection
- com.ibm.security.access.server_connections.LdapServerConnection$LdapHost
- com.ibm.security.access.server_connections.ServerConnection
- com.ibm.security.access.server_connections.ServerConnectionFactory
- com.ibm.security.access.server_connections.SmtpServerConnection
- com.ibm.security.access.server_connections.WebServerConnection
- com.ibm.security.access.server_connections.CiServerConnection
For information, see Manage LDAP server connections.
Classes to use with InfoMap:
- com.tivoli.am.fim.authsvc.action.authenticator.infomap.InfoMapResult
- com.tivoli.am.fim.authsvc.action.authenticator.infomap.InfoMapString
For information, see Configure an Info Map authentication mechanism.
Classes to use in Access Policies:
- com.ibm.security.access.policy.Context
- com.ibm.security.access.policy.Cookie
- com.ibm.security.access.policy.decision.ChallengeDecisionHandler
- com.ibm.security.access.policy.decision.DecisionHandler
- com.ibm.security.access.policy.decision.DenyDecisionHandler
- com.ibm.security.access.policy.decision.Decision
- com.ibm.security.access.policy.decision.DecisionType
- com.ibm.security.access.policy.decision.HtmlPageChallengeDecisionHandler
- com.ibm.security.access.policy.decision.HtmlPageDecisionHandler
- com.ibm.security.access.policy.decision.HtmlPageDenyDecisionHandler
- com.ibm.security.access.policy.decision.RedirectChallengeDecisionHandler
- com.ibm.security.access.policy.decision.RedirectDecisionHandler
- com.ibm.security.access.policy.decision.RedirectDenyDecisionHandler
- com.ibm.security.access.policy.oauth20.AuthenticationContext
- com.ibm.security.access.policy.oauth20.AuthenticationRequest
- com.ibm.security.access.policy.oauth20.ProtocolContext
- com.ibm.security.access.policy.ProtocolContext
- com.ibm.security.access.policy.Request
- com.ibm.security.access.policy.saml20.AuthnRequest
- com.ibm.security.access.policy.saml20.ProtocolContext
- com.ibm.security.access.policy.saml20.RequestedAuthnContext
- com.ibm.security.access.policy.Session
- com.ibm.security.access.policy.user.Attribute
- com.ibm.security.access.policy.user.Group
- com.ibm.security.access.policy.user.User
For information, see Access policies.