The Script (basic:Script prior to V3.2.0) type allows definition of complex filtering by defining an ECMA script, which is either a Mapper or a PolicyRule depending on its location:
- If the script is specified within the scope of an <AttributeRule> element then the script has to be a Mapper, returning a java.util.Set<AttributeValue>, which is added to the permit or deny list for the attribute in question.
- If the script is specified within the scope of a <PolicyRequirementRule> element then the script has to be a PolicyRule (returning a java.lang.Boolean), which defines whether the rule is active or not.
The Script type is defined by the urn:mace:shibboleth:2.0:afp schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd.
Prior to release 3.2.0 the basic:type is defined by the urn:mace:shibboleth:2.0:afp:mf:basic schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-basic.xsd.
Use of that namespace is deprecated, but is supported.
Two optional attributes may be specified:
The ECMA language that the script is in
|string||The name of a Spring Bean defined elsewhere. This bean will be made available to the script with the name "|
One of two child elements can be provided:
|<ScriptFile>||The path of a resource (usually a file) which contains the script|
|<Script>||The script. It is usual to specify this within a CDATA|
Data available to the script
The script has the following variables available:
|filterContext||AttributeFilterContext||The AttributeFilter context provides some information about the request, and a mechanism to navigate to other contexts|
The root context for the request
|attribute (Matcher Only)||Attribute||The attribute being filtered|
|custom (3.2)||Object||Contains whatever was provided by the |
|The Subjects associated with this authorization. Note that these will only be present if the attribute resolution has been associated with an Authentication (and so this will not work for back channel requests).|
This simple rule just adds the first value of the attribute "email" to its permit list.
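A rule of the kind described above, as an added example that is not taken from the original page or from the Shibboleth project. It also shows a script in <PolicyRequirementRule> scope returning a Boolean. The policy ids, the SP entityID and the use of `getAttributeRecipientID()` on the filter context are assumptions to check against your IdP release.

```xml
<!-- Added example; the policy ids and SP entityID are placeholders. -->
<AttributeFilterPolicyGroup id="ExampleScriptPolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <AttributeFilterPolicy id="releaseFirstEmail">

        <!-- Script in PolicyRequirementRule scope: must evaluate to a Boolean. -->
        <PolicyRequirementRule xsi:type="Script">
            <Script>
            <![CDATA[
                // Assumption: getAttributeRecipientID() as exposed by the
                // V3 AttributeFilterContext; verify against your release.
                filterContext.getAttributeRecipientID() == "https://sp.example.org/shibboleth";
            ]]>
            </Script>
        </PolicyRequirementRule>

        <!-- Script in AttributeRule scope: must evaluate to a Set of values. -->
        <AttributeRule attributeID="email">
            <PermitValueRule xsi:type="Script">
                <Script>
                <![CDATA[
                    var permitted = new java.util.HashSet();
                    var values = attribute.getValues();
                    // Guard the empty case so the script returns an empty
                    // set instead of throwing on get(0).
                    if (values != null && !values.isEmpty()) {
                        permitted.add(values.get(0));
                    }
                    permitted; // last expression is the script's result
                ]]>
                </Script>
            </PermitValueRule>
        </AttributeRule>

    </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
```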
No compatibility with V2 is provided.