Configuring SpEL Java classes for value processing
When you develop policies, you can use value processing to manipulate data that comes from attributes and services. One value processing option is to use the Spring Expression Language (SpEL). Because SpEL is so powerful, you might want to configure the Java classes available through SpEL to limit what users can do with it.
About this task
Use the optional AttributeProcessing.SpEL.AllowedClasses parameter in the core section of the options file to limit the Java classes available through SpEL.
These instructions are for configuring SpEL Java classes for use in the Policy Editor. When using embedded PDP mode, you must add Java classes to the SpEL Allowed Class list to use them in deployment packages. See Adding SpEL Java classes to the allowed list.
Steps
-
Make a copy of the default options file.
Example:
$ cp config/options.yml my-options.yml
-
Edit the new options file and define AttributeProcessing.SpEL.AllowedClasses in the core section.
By default, the AttributeProcessing.SpEL.AllowedClasses parameter is not in the options file.
If AttributeProcessing.SpEL.AllowedClasses is not in the options file, all classes except those in the fixed deny-list are available. The deny-list consists of classes in these packages:
java.lang.*
org.springframework.expression.spel.*
The java.lang.* classes in the deny-list exclude those in the allow-list defined next.
If AttributeProcessing.SpEL.AllowedClasses is in the options file without a value, only classes in the fixed allow-list are available. The allow-list consists of these classes:
java.lang.String
java.util.Date
java.util.UUID
java.lang.Integer
java.lang.Long
java.lang.Double
java.lang.Byte
java.lang.Math
java.lang.Boolean
java.time.LocalDate
java.time.LocalTime
java.time.LocalDateTime
java.time.ZonedDateTime
java.time.DayOfWeek
java.time.Instant
java.time.temporal.ChronoUnit
java.text.SimpleDateFormat
java.util.Collections
com.symphonicsoft.spelfunctions.RequestUtilsKt
If AttributeProcessing.SpEL.AllowedClasses is in the options file with a value, all classes in the allow-list and in the value are available. Consider the following example.
...
core:
  AttributeProcessing.SpEL.AllowedClasses: "java.time.format.DateTimeFormatter,java.net.URLEncoder"
...
That setting makes the classes in the allow-list available in addition to making the DateTimeFormatter and URLEncoder classes available.
-
Stop the Policy Editor.
$ bin/stop-server
-
Run setup using the --optionsFile argument, and then customize all other options as appropriate for your needs.
Example:
$ bin/setup demo \
    --adminUsername admin \
    --generateSelfSignedCertificate \
    --decisionPointSharedSecret <shared-secret> \
    --hostname <pap-hostname> \
    --port <pap-port> \
    --adminPort <admin-port> \
    --licenseKeyFile <path-to-license> \
    --optionsFile my-options.yml
-
Start the Policy Editor.
Example:
$ bin/start-server
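The three cases in step 2 (parameter absent, present without a value, present with a value) are easy to get wrong when reviewing an options file before deployment. The following added example, which is not part of this documentation or the product, models that resolution logic in Python so you can check which classes an expression would be able to reference under a given my-options.yml. The fixed deny-list and allow-list are copied from the page; the regex-based reader, the function names, and the sample options text are assumptions made here (it reads only the flat key: "value" form shown above and is not a YAML parser).

```python
"""Resolve which Java classes SpEL may reference under
AttributeProcessing.SpEL.AllowedClasses, following the three cases the
documentation describes. Added example, not product code."""
import re
from typing import List, Optional

# Fixed deny-list packages (from the page).
DENY_LIST_PACKAGES = ("java.lang.", "org.springframework.expression.spel.")

# Fixed allow-list (from the page).
ALLOW_LIST = frozenset({
    "java.lang.String", "java.util.Date", "java.util.UUID", "java.lang.Integer",
    "java.lang.Long", "java.lang.Double", "java.lang.Byte", "java.lang.Math",
    "java.lang.Boolean", "java.time.LocalDate", "java.time.LocalTime",
    "java.time.LocalDateTime", "java.time.ZonedDateTime", "java.time.DayOfWeek",
    "java.time.Instant", "java.time.temporal.ChronoUnit",
    "java.text.SimpleDateFormat", "java.util.Collections",
    "com.symphonicsoft.spelfunctions.RequestUtilsKt",
})

# Simplified reader for the flat `key: "value"` line shown on the page.
# Assumption: no YAML library; [ \t] rather than \s so it never spills
# onto the next line when the key has no value.
_KEY_RE = re.compile(
    r'^[ \t]*AttributeProcessing\.SpEL\.AllowedClasses:[ \t]*(.*?)[ \t]*$', re.M)

# Constructed sample options text (not from the page's options.yml).
SAMPLE_OPTIONS = (
    'core:\n'
    '  AttributeProcessing.SpEL.AllowedClasses: '
    '"java.time.format.DateTimeFormatter,java.net.URLEncoder"\n'
)


def read_allowed_classes_value(options_text: str) -> Optional[str]:
    """None = parameter absent; '' = present without a value;
    otherwise the raw comma-separated class list."""
    match = _KEY_RE.search(options_text)
    if match is None:
        return None
    return match.group(1).strip('"\'')


def parse_entries(value: str) -> List[str]:
    """Split the comma-separated value into class names, dropping blanks."""
    return [e.strip() for e in value.split(",") if e.strip()]


def in_deny_list(class_name: str) -> bool:
    """True when the class lives in one of the fixed deny-list packages."""
    return any(class_name.startswith(p) for p in DENY_LIST_PACKAGES)


def is_class_allowed(class_name: str, value: Optional[str]) -> bool:
    """Case 1 (absent): everything except the deny-list packages, with the
    allow-list carved back out of java.lang.*.
    Case 2 (empty): the fixed allow-list only.
    Case 3 (value): the fixed allow-list plus the listed classes."""
    if value is None:
        return class_name in ALLOW_LIST or not in_deny_list(class_name)
    if value == "":
        return class_name in ALLOW_LIST
    return class_name in ALLOW_LIST or class_name in set(parse_entries(value))


def entries_to_review(value: Optional[str]) -> List[str]:
    """Entries in the value that fall inside a deny-list package and are not
    on the fixed allow-list. Flagged for review only: whether the product
    honours such entries is not stated on the page (assumption)."""
    return [e for e in parse_entries(value or "")
            if in_deny_list(e) and e not in ALLOW_LIST]


if __name__ == "__main__":
    raw = read_allowed_classes_value(SAMPLE_OPTIONS)
    for cls in ("java.net.URLEncoder", "java.lang.String", "java.lang.StringBuilder"):
        print(f"{cls}: {'allowed' if is_class_allowed(cls, raw) else 'blocked'}")
    print("review:", entries_to_review("java.lang.StringBuilder,java.util.Date"))
```

Run it against a copy of your own options file by replacing SAMPLE_OPTIONS with the file's contents; a class reported as blocked under a given value is one the page says is unavailable in that configuration, and anything returned by entries_to_review widens into a package the fixed deny-list exists to exclude.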