Sample OGNL expressions
OGNL expressions provide the flexibility to evaluate and manipulate values. The samples below use expressions to determine net worth, form a single sign-on (SSO) token, verify a user's group membership, retrieve a value from an HTTP request object, and check the authenticity of a client certificate.
General
In this sample expression, the value of the attribute "net-worth" is first transformed to remove any dollar signs and commas, and the result is then evaluated to determine whether the user's net worth falls into the "bronze," "silver," or "gold" category.
#result=#this.get("net-worth").toString(), #result=#result.replace("$",""), #result=#result.replace(",",""), #result < 500000 ? "bronze" : #result < 1000000 ? "silver" : "gold"
Multivalued attribute
new org.sourceid.saml20.adapter.attribute.AttributeValue( {"Blue", "Gray", "Pink"})
This expression formulates a multivalued attribute in an SSO token.
<saml:Attribute Name="clrs" ...>
  <saml:AttributeValue ...>Blue</saml:AttributeValue>
  <saml:AttributeValue ...>Gray</saml:AttributeValue>
  <saml:AttributeValue ...>Pink</saml:AttributeValue>
</saml:Attribute>
and
{
...,
"clrs": [
"Blue",
"Gray",
"Pink"
],
...
}
In these truncated samples, clrs is the multivalued attribute. The former is a SAML assertion sent through a SAML service provider (SP) connection. The latter is a JSON web token (JWT) sent through a WS-Federation SP connection that uses JWT as the token type.
Token authorization
This expression verifies whether a user is a member of the "Engineering" or "Marketing" group, and additionally requires that the group matches the virtual server the request arrived on.
#this.get("ds.memberOf")!=null? ( ( #this.get("ds.memberOf").hasValue("CN=Eng,OU=E,DC=contoso,DC=com") && #this.get("context.VirtualServerId").toString().equals("Engineering") ) || ( #this.get("ds.memberOf").hasValue("CN=Mkt,OU=M,DC=contoso,DC=com") && #this.get("context.VirtualServerId").toString().equals("Marketing") ) ):false
The following expression extracts the domain portion of an email address (mail) and returns true if it matches a specific domain. If the attribute is absent or contains no "@" after the first character, the expression returns false.
#this.get("mail")!=null? ( #mail=#this.get("mail").toString(), #atSign="@", #at=#mail.indexOf(#atSign), #at > 0? ( #domain=#mail.substring(#at+1), #domain.matches("(?i)example.com") ):false ):false
Line breaks are inserted in both samples for readability only. You must enter statements that call methods whose arguments are enclosed in quotes on a single line.
This sample expression returns true when the IP address of the client is within the specified CIDR range of fe80::74da:14b:76d1:eba3/128.
#isWithinCidrRange = @com.pingidentity.sdk.CIDROperations@isInRange(#this.get("context.ClientIp"),"fe80::74da:14b:76d1:eba3/128")
The isInRange method supports both IPv4 and IPv6 CIDR notations.
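The following is an added Python example, not part of the PingFederate documentation or product, that mirrors the semantics of the two checks above (the mail-domain expression and the CIDR range check) so they can be tested outside the product. It assumes the OGNL #this attribute map is represented as a plain dict and that Java's String.matches, which requires the whole string to match, corresponds to Python's re.fullmatch; the ipaddress module stands in for CIDROperations.isInRange. Because an unescaped dot in the pattern matches any character, the example also shows why "example\.com" is the safer pattern.

```python
import ipaddress
import re

# Assumption: the OGNL #this map is modelled as a plain dict of attribute name -> value.


def mail_domain_matches(attrs, domain_regex):
    """Mirror the page's 'mail' expression.

    Returns False when the attribute is missing or '@' is absent or the
    first character (the OGNL sample's '#at > 0' guard). Otherwise the text
    after the first '@' must match domain_regex in full, as Java's
    String.matches() requires. The '(?i)' inline flag is honoured by re.
    """
    mail = attrs.get("mail")
    if mail is None:
        return False
    mail = str(mail)
    at = mail.find("@")
    if at <= 0:
        return False
    domain = mail[at + 1:]
    return re.fullmatch(domain_regex, domain) is not None


def client_ip_in_range(attrs, cidr):
    """Stand-in for CIDROperations.isInRange: True when context.ClientIp
    falls inside cidr. Works for IPv4 and IPv6; an address of the other IP
    version, a missing attribute, or an unparsable value yields False."""
    ip = attrs.get("context.ClientIp")
    if ip is None:
        return False
    try:
        return ipaddress.ip_address(str(ip)) in ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample attribute maps for demonstration only.
    loose, strict = "(?i)example.com", "(?i)example\\.com"
    print(mail_domain_matches({"mail": "alice@Example.com"}, strict))   # True
    print(mail_domain_matches({"mail": "alice@exampleXcom"}, loose))    # True: '.' is a wildcard
    print(mail_domain_matches({"mail": "alice@exampleXcom"}, strict))   # False
    print(mail_domain_matches({"mail": "alice@sub.example.com"}, strict))  # False: full match only
    print(client_ip_in_range({"context.ClientIp": "fe80::74da:14b:76d1:eba3"},
                             "fe80::74da:14b:76d1:eba3/128"))            # True
```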
HTTP request context
You can use the following example to retrieve a value from an HTTP request object. The expression retrieves the User-Agent HTTP header value and compares it against a value required for token authorization.
#this.get("context.HttpRequest").getObjectValue().getHeader("User-Agent").equals("somevalue")
STS client authentication context
This security token service (STS) SSL client certificate chain example checks that the issuer of the client certificate matches the specified distinguished name (DN), by comparing the subject DN of the second certificate in the chain (the certificate that issued the client certificate) with the expected value.
#this.get("context.StsSSLClientCertChain").getObjectValue()[1].getSubjectX500Principal().equals(new javax.security.auth.x500.X500Principal("CN=Ping Identity Engineering,OU=Engineering,O=Ping Identity,L=Denver,ST=CO,C=USA"))
For more information, see https://docs.oracle.com/javase/8/docs/api/java/security/cert/X509Certificate.html.