JavaScript whitelist

Advanced Access Control JavaScript mapping rules call Java™ code from JavaScript. The set of classes that can be called is restricted.

Exercise reasonable caution when you call Java code from JavaScript rules to ensure that accidental damage to appliance resources is avoided.

The following common classes are allowed in one-time password, OAuth or API protection, dynamic attributes, and JavaScript PIP mapping rules.
  • java.lang.Boolean
  • java.lang.Character
  • java.lang.Integer
  • java.lang.Object
  • java.lang.String
  • java.lang.reflect.Array
  • java.io.ByteArrayInputStream
  • java.io.ObjectInputStream
  • java.util.ArrayList **
  • java.util.HashSet **
  • java.util.HashMap **
  • java.io.PrintStream
  • java.lang.System
  • com.ibm.security.access.httpclient.HttpClient
  • com.ibm.security.access.httpclient.HttpResponse
  • com.ibm.security.access.httpclient.Headers
  • com.ibm.security.access.httpclient.Parameters
  • com.ibm.security.access.scimclient.ScimClient
  • com.ibm.security.access.scimclient.ScimConfig
  • com.tivoli.am.rba.attributes.AttributeIdentifier
  • com.tivoli.am.rba.extensions.RBAExtensions
  • com.tivoli.am.rba.fingerprinting.ValueContainerIdentifierAdapter
  • com.tivoli.am.rba.extensions.Attribute$Category
  • com.tivoli.am.rba.extensions.Attribute$DataType
  • com.tivoli.am.rba.extensions.Attribute
  • com.tivoli.am.rba.extensions.PluginUtils

The following additional classes are allowed in one-time password and OAuth or API protection mapping rules.
  • com.tivoli.am.fim.trustserver.sts.modules.http.stsclient.STSClientHelper
  • com.tivoli.am.fim.trustserver.sts.oauth20.Client
  • com.tivoli.am.fim.trustserver.sts.oauth20.Grant
  • com.tivoli.am.fim.trustserver.sts.oauth20.Token
  • com.tivoli.am.fim.trustserver.sts.STSModuleException
  • com.tivoli.am.fim.trustserver.sts.STSUniversalUser *
  • com.tivoli.am.fim.trustserver.sts.uuser.Attribute *
  • com.tivoli.am.fim.trustserver.sts.uuser.AttributeList *
  • com.tivoli.am.fim.trustserver.sts.uuser.AttributeStatement *
  • com.tivoli.am.fim.trustserver.sts.uuser.ContextAttributes *
  • com.tivoli.am.fim.trustserver.sts.uuser.Group *
  • com.tivoli.am.fim.trustserver.sts.uuser.Principal *
  • com.tivoli.am.fim.trustserver.sts.uuser.Subject *
  • com.tivoli.am.fim.trustserver.sts.uuser.RequestSecurityToken *
  • com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils
  • com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtCacheDMAPImpl
  • com.tivoli.am.fim.trustserver.sts.utilities.InfoCardClaim
  • com.tivoli.am.fim.trustserver.sts.utilities.QueryServiceAttribute
  • com.tivoli.am.fim.trustserver.sts.utilities.USCContextAttributesHelper
  • com.tivoli.am.fim.base64.BASE64Utility
  • com.tivoli.am.fim.utils.IteratorWrapper
  • com.tivoli.am.fim.trustserver.sts.utilities.OAuthMappingExtUtils
  • com.tivoli.am.fim.trustserver.sts.utilities.HttpResponse
  • com.tivoli.am.rba.pip.JavaScriptPIP
  • com.tivoli.am.rba.pip.JavaScriptPIP$Context
  • java.mail.internet.InternetAddress

The following additional classes are allowed in JavaScript PIP mapping rules.
  • com.tivoli.am.fim.base64.BASE64Utility
  • com.tivoli.am.rba.rtss.AttributeLocatorImpl
  • com.tivoli.am.rba.pip.JavaScriptPIP
  • com.tivoli.am.rba.pip.JavaScriptPIP$Context

Notes:

* The whitelist does not contain any implementation of the interfaces that are defined in the org.w3c.dom package. For example, you cannot use the method org.w3c.dom.Document toXML() in com.tivoli.am.fim.trustserver.sts.STSUniversalUser.

** Inner classes for these classes are not supported. Methods that involve an inner class implementation of an interface are not available. For example, do not use the following methods in java.util.HashMap:
  • Collection<V> values()
  • Set<K> keySet()
  • Set<Map.Entry<K,V>> entrySet()
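
The following is an added example, not IBM code: a Node.js lint that scans a mapping rule's source before upload for Java class references outside the common whitelist above and for the three HashMap methods named in the notes. The names `lintRule`, `COMMON`, and `extraAllowed`, the Rhino-style `importClass(Packages...)` syntax, and the sample rule are assumptions constructed for illustration; pass classes from the rule-type-specific lists through `extraAllowed`.

```javascript
// Common whitelist from the list above, grouped by package.
const COMMON = {
  "java.lang": ["Boolean", "Character", "Integer", "Object", "String", "System"],
  "java.lang.reflect": ["Array"],
  "java.io": ["ByteArrayInputStream", "ObjectInputStream", "PrintStream"],
  "java.util": ["ArrayList", "HashSet", "HashMap"],
  "com.ibm.security.access.httpclient": ["HttpClient", "HttpResponse", "Headers", "Parameters"],
  "com.ibm.security.access.scimclient": ["ScimClient", "ScimConfig"],
  "com.tivoli.am.rba.attributes": ["AttributeIdentifier"],
  "com.tivoli.am.rba.extensions": ["RBAExtensions", "Attribute$Category", "Attribute$DataType", "Attribute", "PluginUtils"],
  "com.tivoli.am.rba.fingerprinting": ["ValueContainerIdentifierAdapter"],
};
// Methods the notes above rule out on java.util.HashMap (inner-class return types).
const INNER_CLASS_METHODS = ["values", "keySet", "entrySet"];
// Fully qualified Java name: lowercase package segments, then a capitalized class name.
const CLASS_REF = /(?<![\w.$])(?:Packages\.)?((?:java|javax|com|org)(?:\.[a-z_][a-z0-9_]*)+\.[A-Z][\w$]*)/g;
const METHOD_CALL = new RegExp(`\\.(${INNER_CLASS_METHODS.join("|")})\\s*\\(`, "g");

// Returns one finding per off-list class reference or ruled-out method call.
// Method calls are matched by name only: a static scan cannot know the receiver
// type, so each "method" finding needs a manual look.
function lintRule(source, extraAllowed = []) {
  const allowed = new Set(extraAllowed);
  for (const [pkg, classes] of Object.entries(COMMON))
    for (const c of classes) allowed.add(`${pkg}.${c}`);
  const findings = [];
  source.split("\n").forEach((text, i) => {
    for (const m of text.matchAll(CLASS_REF))
      if (!allowed.has(m[1])) findings.push({ line: i + 1, kind: "class", name: m[1] });
    for (const m of text.matchAll(METHOD_CALL))
      findings.push({ line: i + 1, kind: "method", name: m[1] });
  });
  return findings;
}

// Constructed sample rule, not taken from a real deployment.
const SAMPLE_RULE = [
  "importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);",
  "importClass(Packages.java.io.File);",
  "var m = new java.util.HashMap();",
  'm.put("k", "v");',
  "var keys = m.keySet();",
  "java.lang.System.out.println(m.get('k'));",
].join("\n");
console.log(lintRule(SAMPLE_RULE));
```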

For more information about dynamic attributes, see Dynamic attributes.

For more information about policy information points, see Managing policy information points.