JavaScript allowlist

Edit online

Advanced Access Control JavaScript™ mapping rules and Federation mapping rules call Java™ code from JavaScript. The set of classes that can be called is restricted.

Exercise reasonable caution when you call Java code from JavaScript rules to ensure that accidental damage to appliance resources is avoided.

Common classes allowed in one-time password, OAuth or API protection, dynamic attributes, and JavaScript PIP, federation mapping rules, and access policies.

Common classes allowed in one-time password, OAuth or API protection, dynamic attributes, and JavaScript PIP, federation mapping rules, and access policies.
`java.lang.Boolean java.lang.Byte java.lang.Character java.lang.Class java.lang.Double java.lang.Float java.lang.Integer java.lang.Long java.lang.reflect.Array java.lang.Short java.lang.String java.lang.System` `java.io.ByteArrayInputStream java.io.PrintStream` `java.math.BigDecimal` `java.util.ArrayList java.util.Base64 java.util.Base64$Decoder java.util.Base64$Encoder java.util.Date java.util.HashSet java.util.HashMap java.util.Iterator java.util.List java.util.logging.Level java.util.Map java.util.Set java.util.UUID` com.ibm.security.access.httpclient.HttpClient com.ibm.security.access.httpclient.HttpResponse com.ibm.security.access.httpclient.Headers com.ibm.security.access.httpclient.Parameters com.ibm.security.access.httpclient.HttpClientV2 com.ibm.security.access.httpclient.RequestParameters com.ibm.security.access.scimclient.ScimClient com.ibm.security.access.scimcleint.ScimConfig com.ibm.security.access.ciclient.CiClient com.ibm.security.access.ciclient.CiClientV2 com.tivoli.am.rba.attributes.AttributeIdentifier com.tivoli.am.rba.extensions.RBAExtensions com.tivoli.am.rba.fingerprinting.ValueContainerIdentifierAdapter com.tivoli.am.rba.extensions.Attribute$Category com.tivoli.am.rba.extensions.Attribute$DataType com.tivoli.am.rba.extensions.Attribute com.tivoli.am.rba.extensions.PluginUtils com.tivoli.am.fim.trustserver.sts.utilities.XMLExtUtils Inner classes for these classes are not supported. Methods that involve an inner class implementation of an interface are not available. For example, do not use the following methods in `java.util.HashMap`: `Collection<V> values()` `Set<K> keySet()` `Set<Map.Entry<K,V>> entrySet()` For more information about dynamic attributes, see Dynamic attributes. For information about federation mapping rules, see Mapping rules.


java.lang.Boolean
java.lang.Byte
java.lang.Character
java.lang.Class
java.lang.Double
java.lang.Float
java.lang.Integer
java.lang.Long
java.lang.reflect.Array
java.lang.Short
java.lang.String
java.lang.System


java.io.ByteArrayInputStream
java.io.PrintStream

java.math.BigDecimal


java.util.ArrayList **
java.util.Base64
java.util.Base64$Decoder
java.util.Base64$Encoder
java.util.Date
java.util.HashSet **
java.util.HashMap **
java.util.Iterator
java.util.List
 java.util.logging.Level
java.util.Map
java.util.Set        
java.util.UUID

com.ibm.security.access.httpclient.HttpClient
com.ibm.security.access.httpclient.HttpResponse
com.ibm.security.access.httpclient.Headers
com.ibm.security.access.httpclient.Parameters
 com.ibm.security.access.httpclient.HttpClientV2
com.ibm.security.access.httpclient.RequestParameters
com.ibm.security.access.scimclient.ScimClient
com.ibm.security.access.scimcleint.ScimConfig
com.ibm.security.access.ciclient.CiClient
 com.ibm.security.access.ciclient.CiClientV2
com.tivoli.am.rba.attributes.AttributeIdentifier
com.tivoli.am.rba.extensions.RBAExtensions
com.tivoli.am.rba.fingerprinting.ValueContainerIdentifierAdapter
com.tivoli.am.rba.extensions.Attribute$Category
com.tivoli.am.rba.extensions.Attribute$DataType
com.tivoli.am.rba.extensions.Attribute
com.tivoli.am.rba.extensions.PluginUtils
 com.tivoli.am.fim.trustserver.sts.utilities.XMLExtUtils

** Inner classes for these classes are not supported. Methods that involve an inner class implementation of an interface are not available. For example, do not use the following methods in java.util.HashMap:

Collection<V> values()
Set<K> keySet()
Set<Map.Entry<K,V>> entrySet()

For more information about dynamic attributes, see Dynamic attributes.

For information about federation mapping rules, see Mapping rules.

Additional classes allowed in one-time password, OAuth or API protection mapping rules, federation mapping rules, and access policies

Additional classes allowed in one-time password, OAuth or API protection mapping rules, federation mapping rules, and access policies
com.tivoli.am.fim.base64.BASE64Utility com.tivoli.am.fim.fedmgr2.trust.util.LocalSTSClient com.tivoli.am.fim.fedmgr2.trust.util.LocalSTSClient$LocalSTSClientResult com.tivoli.am.fim.saml20.protocol.extension.js.JSMessageExtensionContext com.tivoli.am.fim.trustserver.sts.modules.http.stsclient.STSClientHelper com.tivoli.am.fim.trustserver.sts.oauth20.Client com.tivoli.am.fim.trustserver.sts.oauth20.Grant com.tivoli.am.fim.trustserver.sts.oauth20.Token com.tivoli.am.fim.trustserver.sts.oauth20.Definition com.tivoli.am.fim.trustserver.sts.oauth20.OidcDefinition com.tivoli.am.fim.trustserver.sts.STSModuleException com.tivoli.am.fim.trustserver.sts.STSUniversalUser * com.tivoli.am.fim.trustserver.sts.utilities.HttpResponse com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtCacheDMAPImpl com.tivoli.am.fim.trustserver.sts.utilities.InfoCardClaim com.tivoli.am.fim.trustserver.sts.utilities.KubernetesUtils com.tivoli.am.fim.trustserver.sts.utilities.MMFAMappingExtUtils com.tivoli.am.fim.trustserver.sts.utilities.OAuthMappingExtUtils com.tivoli.am.fim.trustserver.sts.utilities.QueryServiceAttribute com.tivoli.am.fim.trustserver.sts.utilities.USCContextAttributesHelper com.tivoli.am.fim.trustserver.sts.uuser.Attribute * com.tivoli.am.fim.trustserver.sts.uuser.AttributeList * com.tivoli.am.fim.trustserver.sts.uuser.AttributeStatement * com.tivoli.am.fim.trustserver.sts.uuser.ContextAttributes * com.tivoli.am.fim.trustserver.sts.uuser.Group * com.tivoli.am.fim.trustserver.sts.uuser.Principal * com.tivoli.am.fim.trustserver.sts.uuser.RequestSecurityToken * com.tivoli.am.fim.trustserver.sts.uuser.Subject * com.tivoli.am.fim.utils.IteratorWrapper com.tivoli.am.rba.pip.JavaScriptPIP com.tivoli.am.rba.pip.JavaScriptPIP$Context java.mail.internet.InternetAddress com.tivoli.am.fim.saml.misc.Saml20ObjectFactory com.tivoli.am.fim.saml.protocol.Saml20IDPList com.tivoli.am.fim.saml.protocol.Saml20IDPListImpl com.tivoli.am.fim.saml.protocol.Saml20Scoping com.tivoli.am.fim.saml.protocol.Saml20IDPEntry com.tivoli.am.fim.saml.protocol.Saml20IDPEntryImpl com.tivoli.am.fim.saml.protocol.Saml20AuthnRequest com.tivoli.am.fim.saml.protocol.Saml20ScopingImpl * The allow list does not contain any implementation of the interfaces that are defined in the `org.w3c.dom` package. For example, you cannot use the method `org.w3c.dom.Document toXML()` in `com.tivoli.am.fim.trustserver.sts.STSUniversalUser`.

com.tivoli.am.fim.base64.BASE64Utility
 com.tivoli.am.fim.fedmgr2.trust.util.LocalSTSClient
com.tivoli.am.fim.fedmgr2.trust.util.LocalSTSClient$LocalSTSClientResult
com.tivoli.am.fim.saml20.protocol.extension.js.JSMessageExtensionContext
com.tivoli.am.fim.trustserver.sts.modules.http.stsclient.STSClientHelper 
com.tivoli.am.fim.trustserver.sts.oauth20.Client
com.tivoli.am.fim.trustserver.sts.oauth20.Grant
com.tivoli.am.fim.trustserver.sts.oauth20.Token
 com.tivoli.am.fim.trustserver.sts.oauth20.Definition
com.tivoli.am.fim.trustserver.sts.oauth20.OidcDefinition
com.tivoli.am.fim.trustserver.sts.STSModuleException
com.tivoli.am.fim.trustserver.sts.STSUniversalUser *
com.tivoli.am.fim.trustserver.sts.utilities.HttpResponse
com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils
com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtCacheDMAPImpl
com.tivoli.am.fim.trustserver.sts.utilities.InfoCardClaim
 com.tivoli.am.fim.trustserver.sts.utilities.KubernetesUtils
com.tivoli.am.fim.trustserver.sts.utilities.MMFAMappingExtUtils
com.tivoli.am.fim.trustserver.sts.utilities.OAuthMappingExtUtils
com.tivoli.am.fim.trustserver.sts.utilities.QueryServiceAttribute
com.tivoli.am.fim.trustserver.sts.utilities.USCContextAttributesHelper
com.tivoli.am.fim.trustserver.sts.uuser.Attribute *
com.tivoli.am.fim.trustserver.sts.uuser.AttributeList *
com.tivoli.am.fim.trustserver.sts.uuser.AttributeStatement *
com.tivoli.am.fim.trustserver.sts.uuser.ContextAttributes *
com.tivoli.am.fim.trustserver.sts.uuser.Group *
com.tivoli.am.fim.trustserver.sts.uuser.Principal *
com.tivoli.am.fim.trustserver.sts.uuser.RequestSecurityToken *
com.tivoli.am.fim.trustserver.sts.uuser.Subject *
com.tivoli.am.fim.utils.IteratorWrapper
com.tivoli.am.rba.pip.JavaScriptPIP
com.tivoli.am.rba.pip.JavaScriptPIP$Context
java.mail.internet.InternetAddress
 com.tivoli.am.fim.saml.misc.Saml20ObjectFactory
com.tivoli.am.fim.saml.protocol.Saml20IDPList
com.tivoli.am.fim.saml.protocol.Saml20IDPListImpl
com.tivoli.am.fim.saml.protocol.Saml20Scoping
com.tivoli.am.fim.saml.protocol.Saml20IDPEntry
com.tivoli.am.fim.saml.protocol.Saml20IDPEntryImpl
com.tivoli.am.fim.saml.protocol.Saml20AuthnRequest
com.tivoli.am.fim.saml.protocol.Saml20ScopingImpl

* The allow list does not contain any implementation of the interfaces that are defined in the org.w3c.dom package. For example, you cannot use the method org.w3c.dom.Document toXML() in com.tivoli.am.fim.trustserver.sts.STSUniversalUser.


Additional classes allowed in JavaScript PIP
`com.tivoli.am.fim.base64.BASE64Utility com.tivoli.am.rba.pip.JavaScriptPIP com.tivoli.am.rba.pip.JavaScriptPIP$Context com.tivoli.am.rba.rtss.AttributeLocatorImpl` For more information about policy information points, see Managing policy information points.

Additional classes allowed in mapping rules

Additional classes allowed in mapping rules
packages.com.ibm.security.access.user.UserLookupHelper packages.com.ibm.security.access.user.User com.ibm.security.access.ldap.utils.AttributeUtil com.ibm.security.access.ldap.utils.AttributeUtil$AttributeGetResult com.ibm.security.access.ldap.LdapAttributeGetResult com.ibm.security.access.ldap.LdapModifyResult com.ibm.security.access.ldap.LdapSearchResult com.ibm.security.access.ldap.LdapContextCreateResult com.sun.jndi.ldap.LdapSearchEnumeration javax.naming.NamingEnumeration javax.naming.directory.BasicAttributes javax.naming.directory.BasicAttribute javax.naming.directory.SearchResult com.ibm.security.access.recaptcha.RecaptchaClient com.ibm.security.access.signing.SigningHelper javax.crypto.SecretKey javax.crypto.SecretKeyFactory javax.crypto.spec.PBEKeySpec com.ibm.crypto.provider.PBEKey com.ibm.crypto.provider.PBKDF2KeyImpl com.ibm.ws.logging.internal.impl.BaseTraceService$TeePrintStream com.tivoli.am.fim.email.Email com.tivoli.am.fim.email.EmailDeliveryException com.tivoli.am.fim.email.EmailSender com.tivoli.am.fim.email.EmailSender$SendStatus com.tivoli.am.rba.geoLocator.GeolocUtils For information on mapping rules, see: Managing OAuth 2.0 and OIDC mapping rules Managing mapping rules

packages.com.ibm.security.access.user.UserLookupHelper
packages.com.ibm.security.access.user.User
 com.ibm.security.access.ldap.utils.AttributeUtil
com.ibm.security.access.ldap.utils.AttributeUtil$AttributeGetResult
com.ibm.security.access.ldap.LdapAttributeGetResult
com.ibm.security.access.ldap.LdapModifyResult
com.ibm.security.access.ldap.LdapSearchResult
com.ibm.security.access.ldap.LdapContextCreateResult
com.sun.jndi.ldap.LdapSearchEnumeration
javax.naming.NamingEnumeration
javax.naming.directory.BasicAttributes
javax.naming.directory.BasicAttribute
javax.naming.directory.SearchResult
com.ibm.security.access.recaptcha.RecaptchaClient
com.ibm.security.access.signing.SigningHelper
javax.crypto.SecretKey
javax.crypto.SecretKeyFactory
javax.crypto.spec.PBEKeySpec
com.ibm.crypto.provider.PBEKey
com.ibm.crypto.provider.PBKDF2KeyImpl
com.ibm.ws.logging.internal.impl.BaseTraceService$TeePrintStream
com.tivoli.am.fim.email.Email
com.tivoli.am.fim.email.EmailDeliveryException
com.tivoli.am.fim.email.EmailSender
com.tivoli.am.fim.email.EmailSender$SendStatus 
com.tivoli.am.rba.geoLocator.GeolocUtils

For information on mapping rules, see:

Additional classes to manage server connections

Additional classes to manage server connections
`com.ibm.security.access.server_connections.LdapServerConnection com.ibm.security.access.server_connections.LdapServerConnection$LdapHost com.ibm.security.access.server_connections.ServerConnection com.ibm.security.access.server_connections.ServerConnectionFactory com.ibm.security.access.server_connections.SmtpServerConnection com.ibm.security.access.server_connections.WebServerConnection com.ibm.security.access.server_connections.CiServerConnection` For more information, see Managing server connections.


com.ibm.security.access.server_connections.LdapServerConnection
com.ibm.security.access.server_connections.LdapServerConnection$LdapHost
com.ibm.security.access.server_connections.ServerConnection
com.ibm.security.access.server_connections.ServerConnectionFactory
com.ibm.security.access.server_connections.SmtpServerConnection
com.ibm.security.access.server_connections.WebServerConnection
com.ibm.security.access.server_connections.CiServerConnection

For more information, see Managing server connections.


Classes to use with InfoMap
`com.tivoli.am.fim.authsvc.action.authenticator.infomap.InfoMapResult com.tivoli.am.fim.authsvc.action.authenticator.infomap.InfoMapString com.tivoli.am.fim.authsvc.local.client.AuthSvcClient` For more information, see Configuring an Info Map authentication mechanism.

Classes to use in Access Policies

Classes to use in Access Policies
com.ibm.security.access.policy.Context com.ibm.security.access.policy.Cookie com.ibm.security.access.policy.decision.ChallengeDecisionHandler com.ibm.security.access.policy.decision.DecisionHandler com.ibm.security.access.policy.decision.DenyDecisionHandler com.ibm.security.access.policy.decision.Decision com.ibm.security.access.policy.decision.DecisionType com.ibm.security.access.policy.decision.HtmlPageChallengeDecisionHandler com.ibm.security.access.policy.decision.HtmlPageDecisionHandler com.ibm.security.access.policy.decision.HtmlPageDenyDecisionHandler com.ibm.security.access.policy.decision.RedirectChallengeDecisionHandler com.ibm.security.access.policy.decision.RedirectDecisionHandler com.ibm.security.access.policy.decision.RedirectDenyDecisionHandler com.ibm.security.access.policy.oauth20.AuthenticationContext com.ibm.security.access.policy.oauth20.AuthenticationRequest com.ibm.security.access.policy.oauth20.Claim com.ibm.security.access.policy.oauth20.ProtocolContext com.ibm.security.access.policy.ProtocolContext com.ibm.security.access.policy.Request com.ibm.security.access.policy.saml20.AuthnRequest com.ibm.security.access.policy.saml20.ProtocolContext com.ibm.security.access.policy.saml20.RequestedAuthnContext com.ibm.security.access.policy.Session com.ibm.security.access.policy.user.Attribute com.ibm.security.access.policy.user.Group com.ibm.security.access.policy.user.User For more information, see Access policies.

com.ibm.security.access.policy.Context
com.ibm.security.access.policy.Cookie
com.ibm.security.access.policy.decision.ChallengeDecisionHandler
com.ibm.security.access.policy.decision.DecisionHandler
com.ibm.security.access.policy.decision.DenyDecisionHandler
com.ibm.security.access.policy.decision.Decision
com.ibm.security.access.policy.decision.DecisionType
com.ibm.security.access.policy.decision.HtmlPageChallengeDecisionHandler
com.ibm.security.access.policy.decision.HtmlPageDecisionHandler
com.ibm.security.access.policy.decision.HtmlPageDenyDecisionHandler
com.ibm.security.access.policy.decision.RedirectChallengeDecisionHandler
com.ibm.security.access.policy.decision.RedirectDecisionHandler
com.ibm.security.access.policy.decision.RedirectDenyDecisionHandler
com.ibm.security.access.policy.oauth20.AuthenticationContext
com.ibm.security.access.policy.oauth20.AuthenticationRequest
 com.ibm.security.access.policy.oauth20.Claim
com.ibm.security.access.policy.oauth20.ProtocolContext
com.ibm.security.access.policy.ProtocolContext
com.ibm.security.access.policy.Request
com.ibm.security.access.policy.saml20.AuthnRequest
com.ibm.security.access.policy.saml20.ProtocolContext
com.ibm.security.access.policy.saml20.RequestedAuthnContext
com.ibm.security.access.policy.Session
com.ibm.security.access.policy.user.Attribute
com.ibm.security.access.policy.user.Group
com.ibm.security.access.policy.user.User

For more information, see Access policies.

Additional classes to customize FIDO2 flows

Additional classes to customize FIDO2 flows
`com.tivoli.am.fim.fido.mediation.FIDO2Registration com.tivoli.am.fim.fido.mediation.FIDO2RegistrationHelper com.tivoli.am.fim.fido.server.FIDOClientManager com.tivoli.am.fim.fido.server.LocalFIDOClient` For more information, see FIDO2 Mediation and FIDO Client Manager

com.tivoli.am.fim.fido.mediation.FIDO2Registration
com.tivoli.am.fim.fido.mediation.FIDO2RegistrationHelper
com.tivoli.am.fim.fido.server.FIDOClientManager
com.tivoli.am.fim.fido.server.LocalFIDOClient

For more information, see FIDO2 Mediation and FIDO Client Manager

Additional classes to manage 2FA registrations

Additional classes to manage 2FA registrations
com.tivoli.am.fim.registrations.Mechanism com.tivoli.am.fim.registrations.MechanismList com.tivoli.am.fim.registrations.MechanismRegistrationHelper com.tivoli.am.fim.registrations.cloud.CloudMechanism com.tivoli.am.fim.registrations.local.FIDORegistration com.tivoli.am.fim.registrations.local.MMFARegistration com.tivoli.am.fim.registrations.local.HOTPRegistration com.tivoli.am.fim.registrations.local.TOTPRegistration com.tivoli.am.fim.registrations.local.KnowledgeQuestionRegistration com.tivoli.am.fim.registrations.local.EULAStatus com.tivoli.am.fim.registrations.local.MMFATransactionData

com.tivoli.am.fim.registrations.Mechanism
com.tivoli.am.fim.registrations.MechanismList
com.tivoli.am.fim.registrations.MechanismRegistrationHelper
com.tivoli.am.fim.registrations.cloud.CloudMechanism
com.tivoli.am.fim.registrations.local.FIDORegistration
com.tivoli.am.fim.registrations.local.MMFARegistration
com.tivoli.am.fim.registrations.local.HOTPRegistration
com.tivoli.am.fim.registrations.local.TOTPRegistration
com.tivoli.am.fim.registrations.local.KnowledgeQuestionRegistration
com.tivoli.am.fim.registrations.local.EULAStatus
 com.tivoli.am.fim.registrations.local.MMFATransactionData