  1. OpenAM
  2. OPENAM-10983

Policy evaluation with scripts fails on Ubuntu 16.04

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 14.0.0, 14.0.0-RC2
    • Fix Version/s: None
    • Component/s: policy, scripting
    • Labels:
    • Environment:
      Ubuntu 16.04 / JDK 1.8.0_91 / Tomcat 8 / OpenAM 14.0.0-RC2 Build 1162d948ab (2017-March-24 18:13)

      Description

      This issue is specific to Ubuntu 16.04 and I was not able to reproduce it on a different OS. It is possible to reproduce it with temper's functional test com.forgerock.openam.functionaltest.scripting.TestScriptWithHttpClientSendMethod or with the following steps:

      Steps to reproduce

      1.) Default installation of AM on Ubuntu 16.04
      2.) Create a new Script: / realm / Scripts / new / POLICY_CONDITION javascript with body:

      var request = new org.forgerock.http.protocol.Request();
      request.setUri("http://amqa-clone86.test.forgerock.com:8080/openam/json/serverinfo/*");
      request.setMethod("GET");
      var response = httpClient.send(request).get();
      var statusCode = response.getStatus().getCode();
      authorized = statusCode == 200;
      

      3.) Create a policy with script as environment condition

      • Resources:
        *://*:*/*, *://*:*/*?*
      • Actions: GET, POST
      • Environment: Script (choose a created script)

      4.) Do a policy evaluation

      curl -X POST -H "iPlanetDirectoryPro: <TOKEN>" -H "Content-Type: application/json" -d '{"environment":{"IP":["38.99.39.210"]},"application":"iPlanetAMWebAgentService","subject":{"ssoToken":"AQIC5wM2LY4SfcwhOweAnP5mdUw62RVZDoVxuvoYLwmtig0.*AAJTSQACMDEAAlNLABM4ODY0NzQ0MzE3Njk2NTgxMTcyAAJTMQAA*"},"resources":["http://www.forgerock.org:80/index.html"]}' \
      "http://openam.forgerock.com:8080/openam/json/policies?_action=evaluate"
      

      Expected Result

      [
        {
          "ttl": 9223372036854775807,
          "advices": {},
          "resource": "http://www.forgerock.org:80/index.html",
          "actions": {
            "POST": true,
            "GET": true
          },
          "attributes": {}
        }
      ]
      

      Observed Result

      [
        {
          "ttl": 9223372036854775807,
          "advices": {},
          "resource": "http://www.forgerock.org:80/index.html",
          "actions": {},
          "attributes": {}
        }
      ]
      

      I've observed the following exception in Debug.out (the whole exception is in the attachment)

      org.forgerock.openam.scripting.ThreadPoolScriptEvaluator:03/28/2017 12:35:33:938 PM BST: Thread[default task-5,5,main]: TransactionId[0ca64c5d-2b5b-4f82-907a-8eee44602c98-17437]
      ERROR: Script terminated with exception
      java.util.concurrent.ExecutionException: javax.script.ScriptException: Access to Java class "org.forgerock.util.promise.Promises$ResultPromise" is prohibited. (<Unknown source>#1) in <Unknown source> at line number 1 at column number 0
      

      Workaround

      Add org.forgerock.util.promise.Promises$ResultPromise to the Java class whitelist. You can find it at the following path:
      / Configure / Global Services / Scripting / Secondary Configurations / POLICY_CONDITION / Secondary Configurations / EngineConfiguration / Java class whitelist
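
      An added example, not part of the original report or of OpenAM: a Node.js helper that pulls the prohibited class names out of Debug.out text and lists the exact entries a given whitelist does not cover, so the whitelist can be extended one class at a time rather than with a broad wildcard. The log excerpt and whitelist are constructed, and treating "*" as the only wildcard is an assumption about the whitelist syntax.

```javascript
// Added example: constructed Debug.out excerpt, modelled on the exception in the report.
const SAMPLE_LOG = [
  'ERROR: Script terminated with exception',
  'java.util.concurrent.ExecutionException: javax.script.ScriptException: ' +
    'Access to Java class "org.forgerock.util.promise.Promises$ResultPromise" ' +
    'is prohibited. (<Unknown source>#1) in <Unknown source> at line number 1',
  'javax.script.ScriptException: Access to Java class ' +
    '"org.forgerock.util.promise.Promises$ResultPromise" is prohibited.',
].join('\n');

// Constructed whitelist for the demo; the live list is at the path in the workaround.
const SAMPLE_WHITELIST = [
  'org.forgerock.http.protocol.*',
  'org.forgerock.util.promise.PromiseImpl',
];

// Count each class named in an "Access to Java class ... is prohibited" error.
function prohibitedClasses(logText) {
  const counts = new Map();
  const re = /Access to Java class "([^"]+)" is prohibited/g;
  for (const m of logText.matchAll(re)) {
    counts.set(m[1], (counts.get(m[1]) || 0) + 1);
  }
  return counts;
}

// Assumption: "*" is the only wildcard. Everything else, including the "$" of a
// nested class and the "." separators, is escaped and matched literally.
function patternToRegExp(pattern) {
  const parts = pattern
    .split('*')
    .map((s) => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + parts.join('.*') + '$');
}

function isWhitelisted(className, whitelist) {
  return whitelist.some((p) => patternToRegExp(p).test(className));
}

// Exact class names seen in the log that no whitelist entry covers.
function missingEntries(logText, whitelist) {
  return [...prohibitedClasses(logText).keys()]
    .filter((c) => !isWhitelisted(c, whitelist))
    .sort();
}

console.log(missingEntries(SAMPLE_LOG, SAMPLE_WHITELIST));
```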

            People

            • Assignee:
              Unassigned
              Reporter:
              richard.hruza Richard Hruza