---
title: Groovy Scripts
description: Groovy scripts provide advanced rule logic that extends PingAccess rule development beyond the capabilities of the packaged rules.
component: pingaccess
version: 9.0
page_id: pingaccess:reference_guides:pa_groovy_scripts
canonical_url: https://docs.pingidentity.com/pingaccess/9.0/reference_guides/pa_groovy_scripts.html
revdate: February 6, 2023
section_ids:
  matchers: Matchers
  objects: Objects
  debuggingtroubleshooting: Debugging/troubleshooting
---

# Groovy Scripts

Groovy scripts provide advanced rule logic that extends PingAccess rule development beyond the capabilities of the packaged rules.

Groovy scripts have access to important PingAccess runtime objects, such as the [Exchange](pa_exchange_object_ref.html) and [PolicyContext](pa_policycontext_object_ref.html) objects, which the scripts can interrogate and modify. Groovy script rules are invoked during the request processing phase of an exchange, allowing the script to modify the request before it is sent to the server. Groovy script rules are also invoked during the response, allowing the script to modify the response before it is returned to the client. See [Groovy](pa_groovy_in_pa.html) for more information about Groovy.

|   |                                                                                                                                    |
| - | ---------------------------------------------------------------------------------------------------------------------------------- |
|   | Through Groovy scripts, PingAccess administrators can perform sensitive operations that could affect system behavior and security. |

## Matchers

Groovy scripts must end execution with a matcher instance. Matchers provide a framework for establishing declarative rule matching objects. You can use a matcher from the list of [PingAccess Matchers](pa_matcher_usage_ref.html) or from the [Hamcrest library](http://hamcrest.org/JavaHamcrest/javadoc/1.3/org/hamcrest/CoreMatchers.html).

The following are Hamcrest method examples for constructing access control policies with the web session attribute rule using evaluations such as an `OR` group membership evaluation.

* allOf

  Matches if the examined object matches all of the specified matchers. In this example, the user needs to be in both the sales and managers groups for this rule to pass.

  ```
  allOf(containsWebSessionAttribute("group","sales"), containsWebSessionAttribute("group","managers"))
  ```

* anyOf

  Matches any of the specified matchers. In this example, the rule passes if the user is in any of the specified groups.

  ```
  anyOf(containsWebSessionAttribute("group","sales"), containsWebSessionAttribute("group","managers"), containsWebSessionAttribute("group","execs"))
  ```

* not

  Inverts the logic of a matcher to not match. In this example, the rule fails if the user is in both the sales and the managers groups.

  ```
  not(allOf(containsWebSessionAttribute("group", "sales"), containsWebSessionAttribute("group", "managers")))
  ```

See [Matchers](pa_matcher_usage_ref.html) for more information.

## Objects

The following objects are available in Groovy. For more information on an object, click the link.

* [Exchange Object](pa_exchange_object_ref.html)

  Contains the HTTP request *(tooltip: \<div class="paragraph">
  \<p>A client transaction sent over HTTP to the server specifying a request method, such as GET, POST, and DELETE, to execute against a resource or resources on the server.\</p>
  \</div>)* and the HTTP response for the transaction processed by PingAccess.

* [PolicyContext Object](pa_policycontext_object_ref.html)

  Contains a map of objects needed to perform policy decisions. The contents of the map vary based on the context of the current user flow.

* [Request Object](pa_request_object_ref.html)

  Contains all information related to the HTTP request made to an application.

* [Response Object](pa_response_object_ref.html)

  Contains all information related to the site HTTP response.

* [Method Object](pa_method_object_ref.html)

  Contains the HTTP method name from the request made to an application.

* [Header Object](pa_headers_object_ref.html)

  Contains the HTTP header information from the request made to an application or the HTTP header from a Site response.

* [Body Object](pa_body_object_ref.html)

  Contains the HTTP body from the application request or the HTTP body from the site response.

* [OAuthToken Object](pa_oauth_token_object_ref.html)

  Contains the OAuth *(tooltip: \<div class="paragraph">
  \<p>A standard framework that enables an application (OAuth client) to obtain access tokens from an OAuth authorization server for the purpose of retrieving protected resources on a resource server.\</p>
  \</div>)* access token and related identity attributes.

* [Logger Object](pa_logger_object_ref.html)

  Configure and view the state of logging.

* [MediaType Object](pa_mediatype_object_ref.html)

  Contains information related to the media type.

## Debugging/troubleshooting

Groovy script rules are evaluated when saved to ensure that they are syntactically valid. If a Groovy script rule fails to save, hover over the information icon to view additional information about the reason for the failure.

If a rule fails when it is run, information about the failure is added to the `<PA_HOME>/log/pingaccess.log` file.

|   |                                                                                                                                      |
| - | ------------------------------------------------------------------------------------------------------------------------------------ |
|   | Some error messages about Groovy rule failures are only logged if `DEBUG` level output is enabled for the `com.pingidentity` logger. |