PingAccess

Groovy script examples

The following examples show possible uses for Groovy scripts.

OAuth Policy context example

In some instances, it might be necessary to transmit identity information to sites to provide details of the user attempting to access a site. In such instances, Groovy scripts can be used to inject identity information into various portions of the HTTP request to the target.

In this example, the site is expecting the identity of the user to be conveyed through the User HTTP header. You can accomplish this using the OAuth Groovy script rule and the following Groovy script:

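// Read the first value of the "user" attribute from the OAuth token in the policy context
user=policyCtx?.context.get("oauth_token")?.attributes?.get("user")?.get(0)
// Pass it to the target site in the User request header
exc?.request?.header?.add("User", "$user")
pass()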

More complex Groovy script logic

test = exc?.request?.header?.getFirstValue("test");
if(test != null && test.equals("foo"))
{
  //rule will fail evaluation if Test header has value 'foo'
  fail()
}
else
{
  //rule will pass evaluation if Test header has value of anything else
  //or isn't present
  pass()
}

Set an exchange property named com.pingidentity.policy.error.info

This value will be available for the $info variable in error templates when an error is encountered. The $info variable can be set by a Groovy Script rule or an OAuth Groovy script rule.

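// Single quotes keep Groovy from interpolating $info inside the message text
exc?.setProperty("com.pingidentity.policy.error.info", 'this value will be passed to the template in $info variable')
// not(anything()) never matches, so the rule fails evaluation
not(anything())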

Create a whitelisting rule for certain characters

if (!exc?.request?.uri?.matches("[\\p{Po}\\p{N}\\p{Z}\\p{L}\\p{M}\\p{Zs}\\./_\\-\\()\\{\\}\\[\\]]*"))
{
  fail()
}
else
{
  pass()
}
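
To check what this character class admits before deploying the rule, the following added example (plain Groovy, not part of the PingAccess documentation) runs the same pattern over constructed URIs and reports the first rejected character. The closure name firstRejected and every sample URI are assumptions made for the illustration.

```groovy
import java.util.regex.Pattern

// Character class copied from the allowlisting rule on this page.
String allowedClass = '[\\p{Po}\\p{N}\\p{Z}\\p{L}\\p{M}\\p{Zs}\\./_\\-\\()\\{\\}\\[\\]]'
Pattern oneChar = Pattern.compile(allowedClass)

// Returns null if every code point is allowed, otherwise "U+XXXX NAME" for the
// first one that is not (hypothetical helper, not a PingAccess API).
def firstRejected = { String uri ->
    int i = 0
    while (i < uri.length()) {
        int cp = uri.codePointAt(i)
        if (!oneChar.matcher(new String(Character.toChars(cp))).matches()) {
            return String.format('U+%04X %s', cp, Character.getName(cp))
        }
        i += Character.charCount(cp)
    }
    return null
}

// Constructed sample URIs mapped to the expected outcome (true = rule calls pass()).
def samples = [
    '/docs/\u00DCbersicht (v2).pdf': true,   // letters, space, digits, brackets
    '/files/report%20final.pdf'    : true,   // '%' is \p{Po}, so encoded bytes match
    "/item/o'brien;v1"             : true,   // quote and semicolon are \p{Po}
    '/search?q=test'               : false,  // '=' is a math symbol (Sm)
    '/calc/1+1'                    : false,  // '+' is Sm
    '/home/~user'                  : false,  // '~' is Sm
    '/path\r\nX'                   : false   // CR and LF are control characters (Cc)
]

samples.each { uri, expected ->
    String why = firstRejected(uri)
    // The rule on this page applies String.matches() to the whole URI; both views must agree.
    assert uri.matches(allowedClass + '*') == (why == null)
    assert (why == null) == expected
    println(String.format('%-7s %-30s %s', expected ? 'pass()' : 'fail()', uri.inspect(), why ?: ''))
}
```

Because `=` and `+` fall in the math-symbol category, the pattern as written rejects any string carrying a key=value query, while percent-encoded text matches because it consists only of `%`, digits and letters.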

Add a cookie to the response

// Construct the cookie value
value = "cookie-value"
cookieHeaderFieldValue = "ResponseTestCookie=${value}; Path=/"

// Add the cookie on to the response
exc?.response?.header?.add("Set-Cookie", cookieHeaderFieldValue)

pass()

Combine an AND and OR, invoking an existing rule matcher

if ((anyOf(containsWebSessionAttribute("engineering", "true"), containsWebSessionAttribute("marketing", "true"))) && (containsWebSessionAttribute("manager", "true")))
{
  pass()
}
else
{
  fail()
}