====== The application still reports an error: "Groovy script did not pass safety check!" even though the script has permissions ======
It is possible that your script returns an object of this class to another script. Check the application log to confirm that the error really comes from the script, then check the return statement or revise the script permissions again.
An example of a specific use-case:
A script looks like this:
// Transformation script: looks up an identity by the external code that arrives
// in attributeValue. This is the page's example of the MISTAKE and is kept as-is;
// see the comment on the return statement below.
import eu.bcvsolutions.idm.core.api.dto.IdmIdentityDto;
// SynchronizationException is imported but not used in this snippet.
import eu.bcvsolutions.idm.acc.exception.SynchronizationException;
import eu.bcvsolutions.idm.core.api.dto.filter.IdmIdentityFilter;
// Refers to a nested JDK class by its binary ($) name; not used in this snippet.
import java.util.Collections$UnmodifiableRandomAccessList;
// attributeValue and identityService are not defined here; presumably they are
// bound into the script by the caller (the attribute mapping) — verify.
IdmIdentityFilter filter = new IdmIdentityFilter();
filter.setExternalCode(attributeValue);
List identities = new ArrayList();
identities = identityService.find(filter, null).getContent();
if (!identities.isEmpty()) {
// The sandbox rejects this line: the value handed back is an IdmIdentityDto, and the
// "Caused by" in the log below shows the sandbox value filter (filterReturnValue ->
// GroovySandboxFilter.filter) refusing that class. Permission to use the class
// inside the script is therefore not enough once the object leaves the script as
// its result; return a plain value (the identity's ID) instead of the whole DTO.
return identities.get(0); // this is the mistake, it returns IdmIdentityDto but should return ID
}
return null;
The log shows this error:
2019-06-12T13:04:43.520+02:00: eu.bcvsolutions.idm.core.security.exception.IdmSecurityException: Script did not pass security inspection!
at eu.bcvsolutions.idm.core.model.service.impl.DefaultGroovyScriptService.evaluate(DefaultGroovyScriptService.java:87)
at eu.bcvsolutions.idm.acc.service.impl.DefaultSysSystemAttributeMappingService.transformValueFromResource(DefaultSysSystemAttributeMappingService.java:238)
at eu.bcvsolutions.idm.acc.service.impl.DefaultSysSystemAttributeMappingService.transformValueFromResource(DefaultSysSystemAttributeMappingService.java:218)
at eu.bcvsolutions.idm.acc.service.impl.DefaultSysSystemAttributeMappingService.getValueByMappedAttribute(DefaultSysSystemAttributeMappingService.java:635)
at eu.bcvsolutions.idm.acc.service.impl.DefaultSysSystemAttributeMappingService.getUidValueFromResource(DefaultSysSystemAttributeMappingService.java:642)
at eu.bcvsolutions.idm.acc.service.impl.DefaultSysSystemAttributeMappingService$$FastClassBySpringCGLIB$$507e7707.invoke()
at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:651)
at eu.bcvsolutions.idm.acc.service.impl.DefaultSysSystemAttributeMappingService$$EnhancerBySpringCGLIB$$29f4e3f1.getUidValueFromResource()
at eu.bcvsolutions.idm.acc.service.impl.AbstractSynchronizationExecutor.generateUID(AbstractSynchronizationExecutor.java:1800)
at eu.bcvsolutions.idm.acc.service.impl.AbstractSynchronizationExecutor.findAccount(AbstractSynchronizationExecutor.java:1763)
at eu.bcvsolutions.idm.acc.service.impl.AbstractSynchronizationExecutor.doItemSynchronization(AbstractSynchronizationExecutor.java:339)
at eu.bcvsolutions.idm.acc.service.impl.DefaultSynchronizationService.doItemSynchronization(DefaultSynchronizationService.java:219)
at eu.bcvsolutions.idm.acc.service.impl.DefaultSynchronizationService$$FastClassBySpringCGLIB$$66d7ee75.invoke()
at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:720)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99)
at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:281)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:655)
at eu.bcvsolutions.idm.acc.service.impl.DefaultSynchronizationService$$EnhancerBySpringCGLIB$$65f85efb.doItemSynchronization()
at eu.bcvsolutions.idm.acc.event.processor.synchronization.SynchronizationItemProcessor.process(SynchronizationItemProcessor.java:52)
at eu.bcvsolutions.idm.core.api.event.AbstractEntityEventProcessor.onApplicationEvent(AbstractEntityEventProcessor.java:243)
at org.springframework.context.event.SimpleApplicationEventMulticaster.invokeListener(SimpleApplicationEventMulticaster.java:166)
at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:138)
at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:381)
at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:348)
at eu.bcvsolutions.idm.core.model.service.impl.DefaultEntityEventManager.process(DefaultEntityEventManager.java:245)
at eu.bcvsolutions.idm.core.model.service.impl.DefaultEntityEventManager.process(DefaultEntityEventManager.java:175)
at eu.bcvsolutions.idm.core.model.service.impl.DefaultEntityEventManager$$FastClassBySpringCGLIB$$1694e58f.invoke()
at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:720)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99)
at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:281)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:655)
at eu.bcvsolutions.idm.core.model.service.impl.DefaultEntityEventManager$$EnhancerBySpringCGLIB$$394d8489.process()
at eu.bcvsolutions.idm.acc.service.impl.AbstractSynchronizationExecutor.startItemSynchronization(AbstractSynchronizationExecutor.java:569)
at eu.bcvsolutions.idm.acc.service.impl.AbstractSynchronizationExecutor.handleIcObject(AbstractSynchronizationExecutor.java:521)
at eu.bcvsolutions.idm.acc.service.impl.AbstractSynchronizationExecutor$DefaultResultHandler.handle(AbstractSynchronizationExecutor.java:2266)
at eu.bcvsolutions.idm.ic.connid.service.impl.ConnIdIcConnectorService$2.handle(ConnIdIcConnectorService.java:250)
at org.identityconnectors.framework.impl.api.StreamHandlerUtil$ObjectStreamHandlerAdapter.handle(StreamHandlerUtil.java:101)
at org.identityconnectors.framework.impl.api.BufferedResultsProxy.invoke(BufferedResultsProxy.java:262)
at org.identityconnectors.framework.impl.api.DelegatingTimeoutProxy.invoke(DelegatingTimeoutProxy.java:94)
at com.sun.proxy.$Proxy359.search(Unknown Source)
at org.identityconnectors.framework.impl.api.AbstractConnectorFacade.search(AbstractConnectorFacade.java:179)
at eu.bcvsolutions.idm.ic.connid.service.impl.ConnIdIcConnectorService.pageSearch(ConnIdIcConnectorService.java:272)
at eu.bcvsolutions.idm.ic.connid.service.impl.ConnIdIcConnectorService.search(ConnIdIcConnectorService.java:267)
at eu.bcvsolutions.idm.ic.service.impl.DefaultIcConnectorFacade.search(DefaultIcConnectorFacade.java:114)
at eu.bcvsolutions.idm.acc.service.impl.AbstractSynchronizationExecutor.process(AbstractSynchronizationExecutor.java:256)
at eu.bcvsolutions.idm.acc.service.impl.DefaultSynchronizationService.startSynchronization(DefaultSynchronizationService.java:190)
at eu.bcvsolutions.idm.acc.service.impl.DefaultSynchronizationService$$FastClassBySpringCGLIB$$66d7ee75.invoke()
at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:651)
at eu.bcvsolutions.idm.acc.service.impl.DefaultSynchronizationService$$EnhancerBySpringCGLIB$$65f85efb.startSynchronization()
at eu.bcvsolutions.idm.acc.scheduler.task.impl.SynchronizationSchedulableTaskExecutor.process(SynchronizationSchedulableTaskExecutor.java:65)
at eu.bcvsolutions.idm.acc.scheduler.task.impl.SynchronizationSchedulableTaskExecutor.process(SynchronizationSchedulableTaskExecutor.java:28)
at eu.bcvsolutions.idm.core.scheduler.api.service.AbstractLongRunningTaskExecutor.call(AbstractLongRunningTaskExecutor.java:189)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at org.springframework.security.concurrent.DelegatingSecurityContextRunnable.run(DelegatingSecurityContextRunnable.java:80)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.SecurityException: Script wants to use unauthorized class: [class eu.bcvsolutions.idm.core.api.dto.IdmIdentityDto]
at eu.bcvsolutions.idm.core.security.domain.GroovySandboxFilter.filter(GroovySandboxFilter.java:123)
at org.kohsuke.groovy.sandbox.GroovyValueFilter.filterReturnValue(GroovyValueFilter.java:26)
at org.kohsuke.groovy.sandbox.GroovyValueFilter.onMethodCall(GroovyValueFilter.java:58)
at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:148)
at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:145)
at org.kohsuke.groovy.sandbox.impl.Checker$checkedCall$0.callStatic(Unknown Source)
at Script1.run(Script1.groovy:12)
at eu.bcvsolutions.idm.core.model.service.impl.DefaultGroovyScriptService.evaluate(DefaultGroovyScriptService.java:79)
... 66 more
This happens even though the script has permissions for the class eu.bcvsolutions.idm.core.api.dto.IdmIdentityDto. The problem is that the script returns an object of the class eu.bcvsolutions.idm.core.api.dto.IdmIdentityDto, which it is not supposed to do.
To fix this, change the return statement so that the script returns the identity's ID instead of the whole IdmIdentityDto object.