PingAuthorize

Example: Add SpEL Java classes to the allowed list

When you develop policies, you can use SpEL expressions in your deployment packages. The policy engine only lets SpEL expressions use Java classes that are on its allowed list; configure that list by adding the classes your policies need.

When using embedded PDP mode, the policy engine allows use of the following classes by default.

java.lang.String
java.util.Date
java.util.UUID
java.lang.Integer
java.lang.Long
java.lang.Double
java.lang.Byte
java.lang.Math
java.lang.Boolean
java.time.LocalDate
java.time.LocalTime
java.time.LocalDateTime
java.time.ZonedDateTime
java.time.DayOfWeek
java.time.Instant
java.time.temporal.ChronoUnit
java.text.SimpleDateFormat
java.util.Collections

Use dsconfig or the administrative console to add non-standard classes to the allowed list. In the administrative console, you can find SpEL allowed classes in the Policy Decision Service configuration.

Example

The following example shows how to add the java.time.format.DateTimeFormatter and java.util.Base64 classes to the allowed list. Run dsconfig with the set-policy-decision-service-prop option.

dsconfig set-policy-decision-service-prop \
 --set spel-allowed-class:java.time.format.DateTimeFormatter \
 --set spel-allowed-class:java.util.Base64

After you add non-standard classes to the allowed list, you must make them available on the server classpath at server start.

The following example shows how to add .jar files containing the classes to the lib folder and restart the server.

cd <paz-instance-root>
cp <jar-file-dir>/addl-spel-classes.jar lib
bin/stop-server -R
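As an added example, not part of the PingAuthorize documentation or product, the following POSIX shell helper ties the two steps above together: it validates each class name before building the dsconfig command from the page, skips classes that are already allowed by default, and can confirm that a jar bound for lib/ actually contains a class. It assumes POSIX sh with grep -E and unzip available; the DEFAULT_SPEL_CLASSES list reproduces the default list given above.

```shell
#!/bin/sh
# Added helper, not part of PingAuthorize: validates class names before they
# go to dsconfig, skips classes already allowed by default, and checks that a
# jar bound for lib/ contains a class. Assumes POSIX sh, grep -E and unzip.

# Classes allowed by default in embedded PDP mode (the list on this page).
DEFAULT_SPEL_CLASSES="java.lang.String java.util.Date java.util.UUID
java.lang.Integer java.lang.Long java.lang.Double java.lang.Byte java.lang.Math
java.lang.Boolean java.time.LocalDate java.time.LocalTime
java.time.LocalDateTime java.time.ZonedDateTime java.time.DayOfWeek
java.time.Instant java.time.temporal.ChronoUnit java.text.SimpleDateFormat
java.util.Collections"

# Accept only a fully qualified class name: dotted Java identifiers with at
# least one package segment, so no wildcards, spaces or SpEL syntax.
is_valid_class_name() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)+$'
}

# Succeeds when the class is already on the default list.
is_default_class() {
  for c in $DEFAULT_SPEL_CLASSES; do [ "$c" = "$1" ] && return 0; done
  return 1
}

# Print the dsconfig command that adds the given classes (one --set per
# class, as on this page). Fails on an invalid name; defaults are skipped.
build_allowlist_command() {
  cmd="dsconfig set-policy-decision-service-prop"
  for cls in "$@"; do
    if ! is_valid_class_name "$cls"; then
      echo "rejected: '$cls' is not a fully qualified class name" >&2
      return 1
    fi
    if is_default_class "$cls"; then
      echo "skipped: $cls is allowed by default" >&2
      continue
    fi
    cmd="$cmd --set spel-allowed-class:$cls"
  done
  printf '%s\n' "$cmd"
}

# Succeeds when the jar contains the class: the zip entry is the dotted name
# with '/' separators plus ".class" (for example com/example/Foo.class).
jar_has_class() {
  unzip -Z1 "$1" 2>/dev/null | grep -qx "$(printf '%s' "$2" | tr . /).class"
}
```

Source the file, then run `jar_has_class lib/addl-spel-classes.jar <class>` for each added class before restarting, so a missing class is caught before the server is brought down.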