PingAuthorize

Configuring SpEL Java classes for value processing

When you develop policies, you can use value processing to manipulate data that comes from attributes and services. One value processing option is to use the Spring Expression Language (SpEL). Because SpEL is so powerful, you might want to configure the Java classes available through SpEL to limit what users can do with it.

About this task

Use the optional AttributeProcessing.SpEL.AllowedClasses parameter in the core section of the options file to limit the Java classes available through SpEL.

These instructions are for configuring SpEL Java classes for use in the Policy Editor. When using embedded PDP mode, you must add Java classes to the SpEL Allowed Class list to use them in deployment packages. See Adding SpEL Java classes to the allowed list.

Steps

  1. Make a copy of the default options file.

    Example:

    $ cp config/options.yml my-options.yml
  2. Edit the new options file and define AttributeProcessing.SpEL.AllowedClasses in the core section.

    By default, the AttributeProcessing.SpEL.AllowedClasses parameter is not in the options file.

    If AttributeProcessing.SpEL.AllowedClasses is not in the options file, all classes except those in the fixed deny-list are available. The deny-list consists of classes in these packages:

    java.lang.*
    org.springframework.expression.spel.*

    The java.lang.* entry in the deny-list does not cover the java.lang classes that appear in the allow-list defined next; those remain available.

    If AttributeProcessing.SpEL.AllowedClasses is in the options file without a value, only classes in the fixed allow-list are available. The allow-list consists of these classes:

    java.lang.String
    java.util.Date
    java.util.UUID
    java.lang.Integer
    java.lang.Long
    java.lang.Double
    java.lang.Byte
    java.lang.Math
    java.lang.Boolean
    java.time.LocalDate
    java.time.LocalTime
    java.time.LocalDateTime
    java.time.ZonedDateTime
    java.time.DayOfWeek
    java.time.Instant
    java.time.temporal.ChronoUnit
    java.text.SimpleDateFormat
    java.util.Collections
    com.symphonicsoft.spelfunctions.RequestUtilsKt

    If AttributeProcessing.SpEL.AllowedClasses is in the options file with a value, all classes in the allow-list and all classes named in the value are available. Consider the following example.

    ...
    core:
      AttributeProcessing.SpEL.AllowedClasses: "java.time.format.DateTimeFormatter,java.net.URLEncoder"
    ...

    That setting makes the classes in the allow-list available, in addition to the DateTimeFormatter and URLEncoder classes named in the value.

  3. Stop the Policy Editor.

    $ bin/stop-server
  4. Run setup using the --optionsFile argument, and then customize all other options as appropriate for your needs.

    Example:

    $ bin/setup demo \
     --adminUsername admin \
     --generateSelfSignedCertificate \
     --decisionPointSharedSecret <shared-secret> \
     --hostname <pap-hostname> \
     --port <pap-port> \
     --adminPort <admin-port> \
     --licenseKeyFile <path-to-license> \
     --optionsFile my-options.yml
  5. Start the Policy Editor.

    Example:

    $ bin/start-server
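The three modes described in step 2 (key absent, key present without a value, key present with a value) are easy to get wrong when reviewing an options file, so the following added example models the documented rules in Python. It is not PingAuthorize code and does not call the product: the class lists are the ones given on this page, the option-file parsing is a deliberately minimal line scan of the core section rather than a full YAML parser, and the sample option-file fragments are constructed for the illustration.

```python
"""Model of the AttributeProcessing.SpEL.AllowedClasses modes documented above.

Added illustration, not PingAuthorize code. The allow-list and deny-list are
copied from the page; the parser is a minimal line scan (assumption: the key
is a direct child of a top-level "core:" section), not a YAML library.
"""
from typing import Optional

SETTING_KEY = "AttributeProcessing.SpEL.AllowedClasses"

# Fixed deny-list: package prefixes blocked when the setting is absent.
DENY_LIST_PREFIXES = ("java.lang.", "org.springframework.expression.spel.")

# Fixed allow-list, exactly as listed on the page.
FIXED_ALLOW_LIST = frozenset({
    "java.lang.String", "java.util.Date", "java.util.UUID",
    "java.lang.Integer", "java.lang.Long", "java.lang.Double",
    "java.lang.Byte", "java.lang.Math", "java.lang.Boolean",
    "java.time.LocalDate", "java.time.LocalTime", "java.time.LocalDateTime",
    "java.time.ZonedDateTime", "java.time.DayOfWeek", "java.time.Instant",
    "java.time.temporal.ChronoUnit", "java.text.SimpleDateFormat",
    "java.util.Collections", "com.symphonicsoft.spelfunctions.RequestUtilsKt",
})


def read_setting(options_text: str) -> Optional[str]:
    """Return None if the key is absent from the core section, "" if it is
    present without a value, else the raw comma-separated list (quotes removed)."""
    section = None
    for line in options_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        # An unindented "name:" line starts a new top-level section.
        if not line[0].isspace() and line.rstrip().endswith(":"):
            section = line.strip()[:-1]
            continue
        stripped = line.strip()
        if section == "core" and stripped.startswith(SETTING_KEY + ":"):
            value = stripped[len(SETTING_KEY) + 1:].strip()
            return value.strip("\"'")
    return None


def parse_class_list(value: str) -> frozenset:
    """Split the comma-separated setting value into fully qualified class names."""
    return frozenset(c.strip() for c in value.split(",") if c.strip())


def is_class_available(class_name: str, setting: Optional[str]) -> bool:
    """Apply the documented rules for one class under one setting state."""
    if setting is None:
        # Key absent: everything is available except the deny-listed packages,
        # and the java.lang.* deny entry does not cover allow-listed java.lang classes.
        if class_name in FIXED_ALLOW_LIST:
            return True
        return not class_name.startswith(DENY_LIST_PREFIXES)
    # Key present (empty or not): only the fixed allow-list plus the named classes.
    return class_name in FIXED_ALLOW_LIST or class_name in parse_class_list(setting)


def available_from_options(class_name: str, options_text: str) -> bool:
    """Convenience wrapper: decide availability straight from option-file text."""
    return is_class_available(class_name, read_setting(options_text))


# Constructed option-file fragments, one per mode (not real product files).
OPTIONS_ABSENT = "core:\n  SomeOtherOption: true\n"
OPTIONS_EMPTY = "core:\n  AttributeProcessing.SpEL.AllowedClasses:\n"
OPTIONS_VALUE = (
    "core:\n  AttributeProcessing.SpEL.AllowedClasses: "
    '"java.time.format.DateTimeFormatter,java.net.URLEncoder"\n'
)

if __name__ == "__main__":
    probes = ("java.lang.String", "java.lang.Thread", "java.net.URLEncoder", "java.io.File")
    for label, text in (("absent", OPTIONS_ABSENT), ("empty", OPTIONS_EMPTY), ("value", OPTIONS_VALUE)):
        print(f"{label:6}: " + ", ".join(f"{c}={available_from_options(c, text)}" for c in probes))
```

The check worth remembering from the output is that an absent key is the permissive mode: any class outside java.lang and the SpEL package is reachable until the key is added, and merely adding the key with no value switches the Policy Editor to the fixed allow-list.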