Groovy scripts provide advanced rule logic that extends PingAccess rule development beyond the capabilities of the packaged rules. For more information, see the Groovy documentation.

Groovy scripts have access to important PingAccess runtime objects, such as the Exchange and PolicyContext objects, which the scripts can interrogate and modify.


Groovy script rules and OAuth Groovy script rules must end execution with a matcher instance. For more information, see Matcher usage reference.

Groovy functions treat strings literally, and matchers perform case-sensitive string evaluation unless otherwise specified. For example, in the following line of code, the caseSensitive parameter determines whether the Groovy function performs case-sensitive comparison on the value.

requestHeaderContains(Map<String, String> fieldValuesMap, boolean caseSensitive)

Groovy script rules are invoked during the request processing phase of an exchange, allowing the script to modify the request before it is sent to the server. Groovy script rules are also invoked during the response, allowing the script to modify the response before it is returned to the client.
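The following script rule body is an added example, not taken from the PingAccess documentation. It shows one rule handling both phases and ending every path with a matcher instance. It assumes the `exc` Exchange binding, that `exc.response` is null during request processing, and the `pass()` matcher from the PingAccess Groovy API; the header names and values are constructed for illustration.

```groovy
// PingAccess Groovy script rule body (added example, runs inside PingAccess).
// Assumptions: exc is the Exchange binding, exc.response is null until a
// response exists, and pass() is available as a matcher.
// X-Client-Channel and X-Policy-Checked are constructed header names.

if (exc?.response) {
    // Response phase: the rule is invoked again before the response is
    // returned to the client, so the script can modify it here.
    exc?.response?.header?.add("X-Policy-Checked", "groovy-rule")

    // The response path must also end with a matcher instance.
    pass()
} else {
    // Request phase: decide whether the request may proceed to the server.
    // Matchers compare strings case-sensitively unless told otherwise, so
    // with caseSensitive = true a value of "Partner" would not match
    // "partner". Passing false makes the value comparison case-insensitive.
    boolean caseSensitive = false
    requestHeaderContains(["X-Client-Channel": "partner"], caseSensitive)
}
```

Because the `if`/`else` is the last statement, the matcher evaluated in the taken branch is the value the script ends with. Choose the `caseSensitive` value deliberately for any header used in an access decision, since the default string handling is literal and case-sensitive.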


You can’t access a mediated token through a Groovy rule because token mediation occurs after PingAccess rule processing.

The following diagram highlights the flow of rule processing.

Figure: Policy application flowchart. Requests invoke the OAuth scope rule, OAuth Groovy rule, and Groovy rule. Responses only invoke the two Groovy rules.

  1. During request processing, rules associated with the application are evaluated.
  2. The request passes through each of the rules before PingAccess allows it to proceed.
  3. The response passes through the rules in a manner based on your deployment:
    • In a proxy deployment, the response from the site passes through each of the rules.
    • In an agent deployment, the response to the agent indicating the policy approval or denial passes through each of the rules.