Configuring SpEL Java classes for value processing - PingAuthorize

Configuring SpEL Java classes for value processing - PingAuthorize - 8.3

PingAuthorize

bundle

pingauthorize-83

ft:publication_title

PingAuthorize

Product_Version_ce

PingAuthorize 8.3

category

Product

paz-83

pingauthorize

ContentType_ce

Page created: 9 Feb 2021 |

Page updated: 15 Oct 2021

| 2 min read

PingAuthorize 8.3 Product Configuration User task Product documentation Content Type

When you develop policies, you can use value processing to manipulate data that comes from attributes and services. One value processing option is to use the Spring Expression Language (SpEL). Because SpEL is so powerful, you might want to configure the Java classes available through SpEL to limit what users can do with it.

Use the optional AttributeProcessing.SpEL.AllowedClasses parameter in the core section of the options file to limit the Java classes available through SpEL.

Make a copy of the default options file.
```
$ cp config/options.yml my-options.yml
```
Edit the new options file and define AttributeProcessing.SpEL.AllowedClasses in the core section.
By default, the AttributeProcessing.SpEL.AllowedClasses parameter is not in the options file.
If AttributeProcessing.SpEL.AllowedClasses is not in the options file, all classes except those in the fixed deny-list are available. The deny-list consists of these classes:
```
"java.lang.*"
"org.springframework.expression.spel.*" 
```
Note: The java.lang.* classes in deny-list exclude those in the allow-list defined next.
If AttributeProcessing.SpEL.AllowedClasses is in the options file without a value, only classes in the fixed allow-list are available. The allow-list consists of these classes:
```
java.lang.String,
java.util.Date,
java.util.UUID,
java.lang.Integer,
java.lang.Long,
java.lang.Double,
java.lang.Byte,
java.lang.Math,
java.lang.Boolean,
java.time.LocalDate,
java.time.LocalTime,
java.time.LocalDateTime,
java.time.ZonedDateTime,
java.time.DayOfWeek,
java.time.Instant,
java.time.temporal.ChronoUnit,
java.text.SimpleDateFormat,
java.util.Collections,
com.symphonicsoft.spelfunctions.RequestUtilsKt
```
If AttributeProcessing.SpEL.AllowedClasses is in the options file with a value, all classes in allow-list and in the value are available. Consider the following example.
```
...
core:
  AttributeProcessing.SpEL.AllowedClasses: "java.time.format.DateTimeFormatter,java.net.URLEncoder"
...
```
That setting makes the classes in allow-list available in addition to making the DataTimeFormatter and URLEncoder classes available.
Stop the Policy Editor.
```
$ bin/stop-server
```

Run setup using the --optionsFile argument, and then customize all other options as appropriate for your needs.

$ bin/setup demo \
 --adminUsername admin \
 --generateSelfSignedCertificate \
 --decisionPointSharedSecret <shared-secret> \
 --hostname <pap-hostname> \
 --port <pap-port> \
 --adminPort <admin-port> \
 --licenseKeyFile <path-to-license> \
 --optionsFile my-options.yml

Start the Policy Editor.
```
$ bin/start-server
```