- Type: Improvement
- Status: Open
- Priority: Major
- Resolution: Unresolved
- Affects Version/s: 6.5.2
- Fix Version/s: None
- Component/s: entitlements, policy, scripting
- Labels:
- Support Ticket IDs:
- Description
Request to expose the HttpClient configuration parameters used by ScriptCondition.
- Recreation Steps
1. Log in to the admin console.
2. Select the realm -> "Authorization" -> "Policy Sets" -> iPlanetAMWebAgentService -> "+Add a Policy".
3. Create a policy called "TestPolicy001" and add an environment condition of type "Script" with Script Name "Scripted Policy Condition".
4. Fill in the other configuration parameters and click "Save Changes".
5. Select the realm -> "Scripts" -> "Scripted Policy Condition" and notice that the script uses the httpClient variable passed in from ScriptCondition.
ScriptingGuiceModule binds CloseableHttpClientProvider without any options, so the provider uses all defaults, such as a pool size of 64 and a soTimeout of 10 seconds:
    bind(Client.class)
        .annotatedWith(Names.named(SCRIPTING_HTTP_CLIENT_NAME))
        .toProvider(CloseableHttpClientProvider.class)
        .in(Scopes.SINGLETON);
This causes issues in environments where the backend application sits behind a firewall and stale pooled connections get disconnected. It would be nice if ScriptCondition exposed parameters so that the timeout and pool size are configurable.
- Workaround
The customer's options are either to implement a custom policy condition class that extends or replaces ScriptCondition:
https://backstage.forgerock.com/docs/am/6.5/authorization-guide/index.html#authz-implementation-console
or, in the groovy script "Scripted Policy Condition" under "realm" -> [Scripts], to call Apache's HTTP core classes directly or use the ForgeRock CHF library to send the request instead of using the httpClient variable passed to the script:
    import org.apache.http.client.config.RequestConfig;
    import org.apache.http.client.HttpClient;
    import org.apache.http.impl.client.HttpClientBuilder;
    import org.apache.http.HttpResponse;
    import org.apache.http.HttpEntity;
    import org.apache.http.client.methods.HttpGet;

    // All three timeouts, in milliseconds: socket read, TCP connect, and waiting for a pooled connection.
    final int TIME_OUT = 1000;
    RequestConfig requestConfig = RequestConfig.custom()
            .setSocketTimeout(TIME_OUT)
            .setConnectTimeout(TIME_OUT)
            .setConnectionRequestTimeout(TIME_OUT)
            .build();

    // Build a client with the custom timeouts instead of using the httpClient variable injected by ScriptCondition.
    HttpClient httpClient = HttpClientBuilder.create()
            .setDefaultRequestConfig(requestConfig)
            .build();

    HttpGet httpGet = new HttpGet();
    httpGet.setURI(new URI("http://google.com"));
    HttpResponse response = httpClient.execute(httpGet);
    int status = response.getStatusLine().getStatusCode();
    // Note: getEntity() is logged as an object here, so "Body:" shows the entity's description rather than the response text.
    logger.message("User REST Call. Status: " + status + ", Body: " + response.getEntity());
With the above script, the following classes need to be added to the scripting engine's Java class whitelist:
    org.apache.http.client.config.RequestConfig
    org.apache.http.client.HttpClient
    org.apache.http.impl.client.HttpClientBuilder
    org.apache.http.HttpResponse
    org.apache.http.HttpEntity
    org.apache.http.client.methods.HttpGet
    org.apache.http.client.methods.HttpPost
    org.apache.http.client.config.RequestConfig$Builder
    org.apache.http.impl.client.InternalHttpClient
    java.net.URI
    org.apache.http.impl.execchain.HttpResponseProxy
    org.apache.http.message.BasicStatusLine
    org.apache.http.client.entity.DecompressingEntity
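As an added example (not part of the original issue or of the AM product code), here is a hardened variant of the workaround script that addresses the stale-connection problem directly: it keeps the explicit timeouts, validates a pooled connection that has sat idle before reusing it, evicts idle and expired connections, reads the body, fails closed, and closes the client so nothing leaks between evaluations. TARGET_URL is a placeholder, and the additional imported classes (and whatever implementation classes the engine loads for them) are assumed to be whitelisted in the same way as the list above.

```groovy
// Added example, not from the original issue: TARGET_URL is a placeholder and the
// imported classes are assumed to be whitelisted like the list above.
import java.util.concurrent.TimeUnit
import org.apache.http.client.config.RequestConfig
import org.apache.http.client.methods.CloseableHttpResponse
import org.apache.http.client.methods.HttpGet
import org.apache.http.impl.client.CloseableHttpClient
import org.apache.http.impl.client.HttpClientBuilder
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager
import org.apache.http.util.EntityUtils

final int TIME_OUT_MS = 1000
final String TARGET_URL = "https://backend.example.com/check"   // placeholder

// Connect, socket-read and pool-lease timeouts, so a dropped connection fails fast
// instead of hanging the policy evaluation.
RequestConfig requestConfig = RequestConfig.custom()
        .setConnectTimeout(TIME_OUT_MS)
        .setSocketTimeout(TIME_OUT_MS)
        .setConnectionRequestTimeout(TIME_OUT_MS)
        .build()

// Small pool; a connection idle for more than 1s is checked before reuse, which is
// what catches connections a firewall has silently dropped.
PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager()
cm.setMaxTotal(8)
cm.setDefaultMaxPerRoute(4)
cm.setValidateAfterInactivity(1000)
CloseableHttpClient httpClient = HttpClientBuilder.create()
        .setConnectionManager(cm)
        .setDefaultRequestConfig(requestConfig)
        .evictExpiredConnections()
        .evictIdleConnections(30L, TimeUnit.SECONDS)
        .build()

authorized = false          // fail closed: only a 200 from the backend grants access
CloseableHttpResponse response = null
try {
    response = httpClient.execute(new HttpGet(new URI(TARGET_URL)))
    int status = response.getStatusLine().getStatusCode()
    String body = EntityUtils.toString(response.getEntity())   // reads the body and releases the connection
    logger.message("Backend call. Status: " + status + ", Body: " + body)
    authorized = (status == 200)
} catch (Exception e) {
    logger.error("Backend call failed: " + e.getMessage())
} finally {
    if (response != null) response.close()
    httpClient.close()      // the pool does not outlive this evaluation
}
```

Because the script builds its own client, the pool lives only for one policy evaluation: there is no cross-evaluation connection reuse, but there is also no long-lived pooled connection for a firewall to drop.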