  1. OpenAM
  2. OPENAM-2107

Create new ScriptableCondition plugin

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Duplicate
    • Affects Version/s: 10.0.1
    • Fix Version/s: None
    • Component/s: policy
    • Labels:
      None

      Description

      Following in the footsteps of OpenIDM, it would be really nice to have a script interface for creating conditions.

      The "ScriptableCondition" would take a single parameter - the script to execute. Possibly the target scripting language would be another parameter, but it would be fine to support only a single language to begin with.

      JavaScript is an obvious candidate for the scripting language and would mesh well with OpenIDM. Unsure if Rhino or equivalent is available in all distributions of the OpenJDK at this time, but it definitely does seem to be present in Oracle JDK releases.

      Many variables would be exposed to the script. In fact, virtually anything that the other default conditions can do should be possible with the ScriptableCondition. Variables available should include:

      • Max Session Time and Idle Session Time
      • Module Instance / Module Chain that the user authenticated with
      • Authentication Level of the current session
      • IP Address and DNS Name of the original login request
      • Current session properties
      • User attributes

      The return value should probably be a string indicating the decision that was made, for example "true" indicating that the target policy does apply to this user. Boolean values could also be handled.

      The written script should also be able to return advice, just like the "Authentication Level" condition. This might be facilitated by returning an appropriate string, for example "true:advice:xxxxx".

      There should also be an object allowing the script to print messages to the debug logs. java.lang.System.out.println may be sufficient.

      If possible, sensitive attributes (such as passwords) should be excluded from the script's scope.

      More info on custom policy plugins here:
      http://docs.forgerock.org/en/openam/10.0.0/dev-guide/index/chap-policy-spi.html
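A sketch of the contract the description proposes, added here as an example and not taken from the ticket or from OpenAM: the host builds a read-only scope without sensitive attributes, runs the script, and parses a boolean, "true"/"false", or "<decision>:advice:<text>" result. All function names, the deny-list, the sample data, and the choice to treat malformed results or exceptions as "condition not met" are assumptions; a plain function stands in for the administrator's script.

```javascript
// Added illustration; none of these names are OpenAM APIs.
// Assumed deny-list of attribute names kept out of the script's scope.
const SENSITIVE = new Set(['userpassword', 'password']);

// Build the read-only scope handed to the condition script.
function buildScope(session, userAttrs) {
  const attrs = {};
  for (const [name, values] of Object.entries(userAttrs)) {
    if (!SENSITIVE.has(name.toLowerCase())) attrs[name] = Object.freeze([...values]);
  }
  return Object.freeze({
    authLevel: session.authLevel,
    module: session.module,
    clientIp: session.clientIp,
    sessionProperties: Object.freeze({ ...session.properties }),
    userAttributes: Object.freeze(attrs),
  });
}

// Accept a boolean, "true"/"false", or "<decision>:advice:<text>".
// Anything else is treated as "condition not met" (assumed default).
function parseResult(ret) {
  const notMet = { applies: false, advice: null };
  if (typeof ret === 'boolean') return { applies: ret, advice: null };
  if (typeof ret !== 'string') return notMet;
  const m = /^(true|false)(?::advice:(.+))?$/.exec(ret.trim());
  return m ? { applies: m[1] === 'true', advice: m[2] ?? null } : notMet;
}

// Run the script; an exception also counts as "condition not met".
function evaluate(conditionFn, session, userAttrs) {
  try {
    return parseResult(conditionFn(buildScope(session, userAttrs)));
  } catch (err) {
    return { applies: false, advice: null };
  }
}

// Constructed sample input.
const sampleSession = { authLevel: 1, module: 'DataStore', clientIp: '192.0.2.10',
                        properties: { locale: 'en' } };
const sampleAttrs = { uid: ['demo'], userPassword: ['constructed-secret'] };
// Stand-in for an administrator's script: ask for step-up below level 2.
const sampleCondition = (scope) =>
  scope.authLevel >= 2 ? 'true' : 'false:advice:stepup';

console.log(evaluate(sampleCondition, sampleSession, sampleAttrs));
```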

            People

            • Assignee: peter.major Peter Major (Inactive)
            • Reporter: rmeakins