JavaScript whitelist

Advanced Access Control JavaScript mapping rules and Federation mapping rules call Java™ code from JavaScript. The set of classes that can be called is restricted.

Exercise reasonable caution when you call Java code from JavaScript rules to ensure that accidental damage to appliance resources is avoided.

Common classes allowed in one-time password, OAuth or API protection, dynamic attributes, and JavaScript PIP, federation mapping rules, and access policies.

Common classes allowed in one-time password, OAuth or API protection, dynamic attributes, and JavaScript PIP, federation mapping rules, and access policies.
`java.lang.Boolean java.lang.Byte java.lang.Character java.lang.Class java.lang.Double java.lang.Float java.lang.Integer java.lang.Long java.lang.reflect.Array java.lang.Short java.lang.String java.lang.System` `java.io.ByteArrayInputStream java.io.ObjectInputStream java.io.PrintStream` `java.math.BigDecimal` `java.util.ArrayList java.util.Base64 java.util.Base64$Decoder java.util.Base64$Encoder java.util.Date java.util.HashSet java.util.HashMap java.util.Iterator java.util.List java.util.Map java.util.Set java.util.UUID` com.ibm.security.access.httpclient.HttpClient com.ibm.security.access.httpclient.HttpResponse com.ibm.security.access.httpclient.Headers com.ibm.security.access.httpclient.Parameters com.ibm.security.access.scimclient.ScimClient com.ibm.security.access.scimcleint.ScimConfig com.ibm.security.access.ciclient.CiClient com.tivoli.am.rba.attributes.AttributeIdentifier com.tivoli.am.rba.extensions.RBAExtensions com.tivoli.am.rba.fingerprinting.ValueContainerIdentifierAdapter com.tivoli.am.rba.extensions.Attribute$Category com.tivoli.am.rba.extensions.Attribute$DataType com.tivoli.am.rba.extensions.Attribute com.tivoli.am.rba.extensions.PluginUtils Inner classes for these classes are not supported. Methods that involve an inner class implementation of an interface are not available. For example, do not use the following methods in `java.util.HashMap`: `Collection<V> values()` `Set<K> keySet()` `Set<Map.Entry<K,V>> entrySet()` For more information about dynamic attributes, see Dynamic attributes. For information about federation mapping rules, see Mapping rules.


java.lang.Boolean
java.lang.Byte
java.lang.Character
java.lang.Class
java.lang.Double
java.lang.Float
java.lang.Integer
java.lang.Long
java.lang.reflect.Array
java.lang.Short
java.lang.String
java.lang.System


java.io.ByteArrayInputStream
java.io.ObjectInputStream
java.io.PrintStream

java.math.BigDecimal


java.util.ArrayList **
java.util.Base64
java.util.Base64$Decoder
java.util.Base64$Encoder
java.util.Date
java.util.HashSet **
java.util.HashMap **
java.util.Iterator
java.util.List
java.util.Map
java.util.Set        
java.util.UUID

com.ibm.security.access.httpclient.HttpClient
com.ibm.security.access.httpclient.HttpResponse
com.ibm.security.access.httpclient.Headers
com.ibm.security.access.httpclient.Parameters
com.ibm.security.access.scimclient.ScimClient
com.ibm.security.access.scimcleint.ScimConfig
com.ibm.security.access.ciclient.CiClient
com.tivoli.am.rba.attributes.AttributeIdentifier
com.tivoli.am.rba.extensions.RBAExtensions
com.tivoli.am.rba.fingerprinting.ValueContainerIdentifierAdapter
com.tivoli.am.rba.extensions.Attribute$Category
com.tivoli.am.rba.extensions.Attribute$DataType
com.tivoli.am.rba.extensions.Attribute
com.tivoli.am.rba.extensions.PluginUtils

** Inner classes for these classes are not supported. Methods that involve an inner class implementation of an interface are not available. For example, do not use the following methods in java.util.HashMap:

Collection<V> values()
Set<K> keySet()
Set<Map.Entry<K,V>> entrySet()

For more information about dynamic attributes, see Dynamic attributes.

For information about federation mapping rules, see Mapping rules.

Additional classes allowed in one-time password, OAuth or API protection mapping rules, federation mapping rules, and access policies

Additional classes allowed in one-time password, OAuth or API protection mapping rules, federation mapping rules, and access policies
com.tivoli.am.fim.base64.BASE64Utility com.tivoli.am.fim.trustserver.sts.modules.http.stsclient.STSClientHelper com.tivoli.am.fim.trustserver.sts.oauth20.Client com.tivoli.am.fim.trustserver.sts.oauth20.Grant com.tivoli.am.fim.trustserver.sts.oauth20.Token com.tivoli.am.fim.trustserver.sts.STSModuleException com.tivoli.am.fim.trustserver.sts.STSUniversalUser * com.tivoli.am.fim.trustserver.sts.utilities.HttpResponse com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtCacheDMAPImpl com.tivoli.am.fim.trustserver.sts.utilities.InfoCardClaim com.tivoli.am.fim.trustserver.sts.utilities.MMFAMappingExtUtils com.tivoli.am.fim.trustserver.sts.utilities.OAuthMappingExtUtils com.tivoli.am.fim.trustserver.sts.utilities.QueryServiceAttribute com.tivoli.am.fim.trustserver.sts.utilities.USCContextAttributesHelper com.tivoli.am.fim.trustserver.sts.uuser.Attribute * com.tivoli.am.fim.trustserver.sts.uuser.AttributeList * com.tivoli.am.fim.trustserver.sts.uuser.AttributeStatement * com.tivoli.am.fim.trustserver.sts.uuser.ContextAttributes * com.tivoli.am.fim.trustserver.sts.uuser.Group * com.tivoli.am.fim.trustserver.sts.uuser.Principal * com.tivoli.am.fim.trustserver.sts.uuser.RequestSecurityToken * com.tivoli.am.fim.trustserver.sts.uuser.Subject * com.tivoli.am.fim.utils.IteratorWrapper com.tivoli.am.rba.pip.JavaScriptPIP com.tivoli.am.rba.pip.JavaScriptPIP$Context java.mail.internet.InternetAddress * The white list does not contain any implementation of the interfaces that are defined in the `org.w3c.dom` package. For example, you cannot use the method `org.w3c.dom.Document toXML()` in `com.tivoli.am.fim.trustserver.sts.STSUniversalUser`.

com.tivoli.am.fim.base64.BASE64Utility
com.tivoli.am.fim.trustserver.sts.modules.http.stsclient.STSClientHelper 
com.tivoli.am.fim.trustserver.sts.oauth20.Client
com.tivoli.am.fim.trustserver.sts.oauth20.Grant
com.tivoli.am.fim.trustserver.sts.oauth20.Token
com.tivoli.am.fim.trustserver.sts.STSModuleException
com.tivoli.am.fim.trustserver.sts.STSUniversalUser *
com.tivoli.am.fim.trustserver.sts.utilities.HttpResponse
com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils
com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtCacheDMAPImpl
com.tivoli.am.fim.trustserver.sts.utilities.InfoCardClaim
com.tivoli.am.fim.trustserver.sts.utilities.MMFAMappingExtUtils
com.tivoli.am.fim.trustserver.sts.utilities.OAuthMappingExtUtils
com.tivoli.am.fim.trustserver.sts.utilities.QueryServiceAttribute
com.tivoli.am.fim.trustserver.sts.utilities.USCContextAttributesHelper
com.tivoli.am.fim.trustserver.sts.uuser.Attribute *
com.tivoli.am.fim.trustserver.sts.uuser.AttributeList *
com.tivoli.am.fim.trustserver.sts.uuser.AttributeStatement *
com.tivoli.am.fim.trustserver.sts.uuser.ContextAttributes *
com.tivoli.am.fim.trustserver.sts.uuser.Group *
com.tivoli.am.fim.trustserver.sts.uuser.Principal *
com.tivoli.am.fim.trustserver.sts.uuser.RequestSecurityToken *
com.tivoli.am.fim.trustserver.sts.uuser.Subject *
com.tivoli.am.fim.utils.IteratorWrapper
com.tivoli.am.rba.pip.JavaScriptPIP
com.tivoli.am.rba.pip.JavaScriptPIP$Context
java.mail.internet.InternetAddress

* The white list does not contain any implementation of the interfaces that are defined in the org.w3c.dom package. For example, you cannot use the method org.w3c.dom.Document toXML() in com.tivoli.am.fim.trustserver.sts.STSUniversalUser.

Additional classes allowed in JavaScript PIP

Additional classes allowed in JavaScript PIP
`com.tivoli.am.fim.base64.BASE64Utility com.tivoli.am.rba.pip.JavaScriptPIP com.tivoli.am.rba.pip.JavaScriptPIP$Context com.tivoli.am.rba.rtss.AttributeLocatorImpl` For more information about policy information points, see Managing policy information points.

com.tivoli.am.fim.base64.BASE64Utility
com.tivoli.am.rba.pip.JavaScriptPIP
com.tivoli.am.rba.pip.JavaScriptPIP$Context 
com.tivoli.am.rba.rtss.AttributeLocatorImpl

For more information about policy information points, see Managing policy information points.

Additional classes allowed in mapping rules

Additional classes allowed in mapping rules
`packages.com.ibm.security.access.user.UserLookupHelper packages.com.ibm.security.access.user.User` For information on mapping rules, see: Managing OAuth 2.0 and OIDC mapping rules Managing mapping rules

packages.com.ibm.security.access.user.UserLookupHelper
packages.com.ibm.security.access.user.User

For information on mapping rules, see:

Additional classes to manage server connections

Additional classes to manage server connections
`com.ibm.security.access.server_connections.LdapServerConnection com.ibm.security.access.server_connections.LdapServerConnection$LdapHost com.ibm.security.access.server_connections.ServerConnection com.ibm.security.access.server_connections.ServerConnectionFactory com.ibm.security.access.server_connections.SmtpServerConnection com.ibm.security.access.server_connections.WebServerConnection com.ibm.security.access.server_connections.CiServerConnection` For more information, see Managing server connections.


com.ibm.security.access.server_connections.LdapServerConnection
com.ibm.security.access.server_connections.LdapServerConnection$LdapHost
com.ibm.security.access.server_connections.ServerConnection
com.ibm.security.access.server_connections.ServerConnectionFactory
com.ibm.security.access.server_connections.SmtpServerConnection
com.ibm.security.access.server_connections.WebServerConnection
com.ibm.security.access.server_connections.CiServerConnection

For more information, see Managing server connections.

Classes to use with InfoMap

Classes to use with InfoMap
`com.tivoli.am.fim.authsvc.action.authenticator.infomap.InfoMapResult com.tivoli.am.fim.authsvc.action.authenticator.infomap.InfoMapString` For more information, see Configuring an Info Map authentication mechanism.

com.tivoli.am.fim.authsvc.action.authenticator.infomap.InfoMapResult
com.tivoli.am.fim.authsvc.action.authenticator.infomap.InfoMapString

For more information, see Configuring an Info Map authentication mechanism.

Classes to use in Access Policies

Classes to use in Access Policies
com.ibm.security.access.policy.Context com.ibm.security.access.policy.Cookie com.ibm.security.access.policy.decision.ChallengeDecisionHandler com.ibm.security.access.policy.decision.DecisionHandler com.ibm.security.access.policy.decision.DenyDecisionHandler com.ibm.security.access.policy.decision.Decision com.ibm.security.access.policy.decision.DecisionType com.ibm.security.access.policy.decision.HtmlPageChallengeDecisionHandler com.ibm.security.access.policy.decision.HtmlPageDecisionHandler com.ibm.security.access.policy.decision.HtmlPageDenyDecisionHandler com.ibm.security.access.policy.decision.RedirectChallengeDecisionHandler com.ibm.security.access.policy.decision.RedirectDecisionHandler com.ibm.security.access.policy.decision.RedirectDenyDecisionHandler com.ibm.security.access.policy.oauth20.AuthenticationContext com.ibm.security.access.policy.oauth20.AuthenticationRequest com.ibm.security.access.policy.oauth20.ProtocolContext com.ibm.security.access.policy.ProtocolContext com.ibm.security.access.policy.Request com.ibm.security.access.policy.saml20.AuthnRequest com.ibm.security.access.policy.saml20.ProtocolContext com.ibm.security.access.policy.saml20.RequestedAuthnContext com.ibm.security.access.policy.Session com.ibm.security.access.policy.user.Attribute com.ibm.security.access.policy.user.Group com.ibm.security.access.policy.user.User For more information, see Access policies.

com.ibm.security.access.policy.Context
com.ibm.security.access.policy.Cookie
com.ibm.security.access.policy.decision.ChallengeDecisionHandler
com.ibm.security.access.policy.decision.DecisionHandler
com.ibm.security.access.policy.decision.DenyDecisionHandler
com.ibm.security.access.policy.decision.Decision
com.ibm.security.access.policy.decision.DecisionType
com.ibm.security.access.policy.decision.HtmlPageChallengeDecisionHandler
com.ibm.security.access.policy.decision.HtmlPageDecisionHandler
com.ibm.security.access.policy.decision.HtmlPageDenyDecisionHandler
com.ibm.security.access.policy.decision.RedirectChallengeDecisionHandler
com.ibm.security.access.policy.decision.RedirectDecisionHandler
com.ibm.security.access.policy.decision.RedirectDenyDecisionHandler
com.ibm.security.access.policy.oauth20.AuthenticationContext
com.ibm.security.access.policy.oauth20.AuthenticationRequest
com.ibm.security.access.policy.oauth20.ProtocolContext
com.ibm.security.access.policy.ProtocolContext
com.ibm.security.access.policy.Request
com.ibm.security.access.policy.saml20.AuthnRequest
com.ibm.security.access.policy.saml20.ProtocolContext
com.ibm.security.access.policy.saml20.RequestedAuthnContext
com.ibm.security.access.policy.Session
com.ibm.security.access.policy.user.Attribute
com.ibm.security.access.policy.user.Group
com.ibm.security.access.policy.user.User

For more information, see Access policies.