---
title: Scripting environment
description: Advanced Identity Cloud supports scripts written in JavaScript.
component: pingoneaic
page_id: pingoneaic:am-scripting:scripting-env
canonical_url: https://docs.pingidentity.com/pingoneaic/am-scripting/scripting-env.html
keywords: ["Scripts"]
page_aliases: ["scripting-guide:scripting-env.adoc"]
section_ids:
  scripting-env-java-classes: Access Java classes
  scripting-env-legacy-scripts: Legacy scripts
  scripting-env-view-java-class-allowlist: View the Java class allowlist
  scripting-env-add-missing-java-class-allowlist: Add a missing Java class to the allowlist
  scripting-env-next-gen-scripts: Next-generation scripts
  scripting-env-supported-libraries: Supported libraries
  script-engine-thread-pool: Thread pools
---

# Scripting environment

Advanced Identity Cloud supports scripts written in JavaScript.

The scripting environment implements a scripting engine for each of the context types that are executed on the server. There are two versions of the scripting engine: [next-generation](next-generation-scripts.html) and legacy.

## Access Java classes

Scripts can only import Java classes on the allowlist. Advanced Identity Cloud defines an allowlist per script type.

### Legacy scripts

To access Java classes in a script, use the `JavaImporter`:

```javascript
var fr = JavaImporter(
    org.forgerock.openam.auth.node.api.Action,
    javax.security.auth.callback.NameCallback
);

if (callbacks.isEmpty()) {
    action = fr.Action.send(
      new fr.NameCallback("Enter Your First Name"),
      new fr.NameCallback("Enter Your Last Name")
    ).build();
} else {
    nodeState.putShared("FirstName", callbacks.get(0).getName());
    nodeState.putShared("LastName", callbacks.get(1).getName());
    action = fr.Action.goTo("true").build();
}
```

#### View the Java class allowlist

To view the Java class allowlist for a particular context type:

1. Get an access token for the appropriate realm with the appropriate scopes. Learn more in [Get an access token](../developer-docs/authenticate-to-rest-api-with-access-token.html#get-an-access-token).

2. Run the following REST command:

   ```bash
   $ curl 'https://<tenant-env-fqdn>/am/json/global-config/services/scripting/contexts/<context-value>/engineConfiguration' \
   --header 'authorization: Bearer <access-token>'
   {
     "_id": "engineConfiguration",
     "_rev": "-733065873",
     "propertyNamePrefix": "esv.",
     "serverTimeout": 0,
     "useSecurityManager": true,
     "maxThreads": 50,
     "coreThreads": 10,
     "whiteList": [
       "com.google.common.collect.ImmutableList",
       "…"
     ],
     "idleTimeout": 60,
     "queueSize": 10,
     "blackList": [
       "java.lang.Class",
       "…"
     ],
     "_type": {
       "_id": "engineConfiguration",
       "name": "Scripting engine configuration",
       "collection": false
     }
   }
   ```

   | Placeholder or field | Description |
   | -------------------- | ----------- |
   | `<context-value>` | Replace with the appropriate context value for the script you are working on. Learn more about context values in [Manage scripts over REST](manage-scripts-rest.html). |
   | `<access-token>` | Replace with the access token. |
   | `whiteList` | Shows all the classes currently on the allowlist. |
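
The following added example is not part of the original page and is not Ping Identity code. It checks the classes a legacy script passes to `JavaImporter` against the `whiteList` and `blackList` fields of an `engineConfiguration` response before you upload the script. The class lists and the script are constructed samples and the function names are hypothetical. Treating `*` as a wildcard and letting a `blackList` match override a `whiteList` match are assumptions. Run it locally with Node.js, not inside the tenant:

```javascript
// Added example (not Ping Identity code): pre-flight check of a legacy script's
// JavaImporter classes against an engineConfiguration response.

// Constructed sample response; class lists are illustrative, not a real tenant's.
const engineConfig = {
  whiteList: [
    "org.forgerock.openam.auth.node.api.Action",
    "javax.security.auth.callback.NameCallback",
    "java.util.*",
  ],
  blackList: ["java.lang.Class", "java.util.concurrent.*"],
};

// Constructed legacy script that imports two classes the lists do not permit.
const scriptSource = `
var fr = JavaImporter(
    org.forgerock.openam.auth.node.api.Action,
    javax.security.auth.callback.NameCallback,
    java.util.concurrent.Executors,
    java.net.URL
);`;

// Assumption: an entry is an exact class name or a pattern using "*".
function matches(pattern, className) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$").test(className);
}

// Collect fully qualified class names from every JavaImporter(...) call.
function importedClasses(source) {
  const classes = [];
  for (const call of source.matchAll(/JavaImporter\s*\(([^)]*)\)/g)) {
    for (const name of call[1].split(",")) {
      if (name.trim()) classes.push(name.trim());
    }
  }
  return classes;
}

// Assumption: a denylist match wins over an allowlist match.
function checkScript(source, config) {
  return importedClasses(source).map((cls) => {
    if (config.blackList.some((p) => matches(p, cls))) return { cls, status: "denied" };
    if (config.whiteList.some((p) => matches(p, cls))) return { cls, status: "allowed" };
    return { cls, status: "not-allowlisted" };
  });
}

console.log(checkScript(scriptSource, engineConfig));
```

Classes reported as `not-allowlisted` are candidates for an allowlist request or for replacement with a next-generation binding; classes reported as `denied` need a different approach.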

#### Add a missing Java class to the allowlist

If required, you can request to have Java classes added to the allowlist. Learn more in [How do I get Java classes added to the allowlist in Advanced Identity Cloud for scripting purposes?](https://support.pingidentity.com/s/article/How-do-I-get-Java-classes-added-to-the-allowlist-in-Advanced-Identity-Cloud-for-scripting-purposes) in the Ping Identity Knowledge Base.

To reduce the need to allowlist Java classes, consider migrating your scripts to use the [next-generation](next-generation-scripts.html) scripting engine, which includes enhanced built-in script bindings for accessing many common script operations and the ability to include third-party software with library scripts.

### Next-generation scripts

To enhance security, the next-generation scripting engine doesn't support a configurable allowlist for Java classes.

Instead, check if next-generation bindings provide the functionality you need or implement the functionality as a reusable library script.

For example, use the `callbacksBuilder` binding for callback functionality:

```javascript
if (callbacks.isEmpty()) {
  // Request callbacks
  callbacksBuilder.nameCallback(
    "First Name", "First Name");
  callbacksBuilder.nameCallback(
    "Last Name", "Last Name");
} else {
  // Callbacks returned
  var firstName =
    callbacks.getNameCallbacks().get(0);
  var lastName =
    callbacks.getNameCallbacks().get(1);

  nodeState.putShared("FirstName", firstName);
  nodeState.putShared("LastName", lastName);

  action.goTo("true");
}
```

Learn more about next-generation bindings and library scripts in:

* [Migrate to next-generation scripts](next-generation-scripts.html#migrate-to-v2-steps)

* [Library scripts](library-scripts.html)

In cases where reimplementation isn't possible, you can [request](https://backstage.forgerock.com/knowledge/kb/article/a56636405) the functionality to be included as a secure script binding in a future release.

## Supported libraries

Advanced Identity Cloud uses the Mozilla Rhino JavaScript engine version 1.7.14 to run JavaScript. Rhino has limited support for ES6 / ES2015 (JavaScript version 1.7).

Learn more in [Rhino ES2015 Support](https://mozilla.github.io/rhino/compat/engines.html).

## Thread pools

![Advanced Identity Cloud scripting engines configure security and thread pools.](_images/scripting-engine-overview.png)

The scripting engine defines a thread pool for each script type.

Each script executes in an individual thread. The scripting engine allocates threads until it reaches a maximum of 50 threads per pool. When the scripting engine reaches the maximum number of threads, it queues scripts until a thread becomes available.

When a script has either completed or remained idle for more than 60 seconds, the script engine terminates the thread and makes it available to the pool.
