Fluent Security Configuration
Transact Fluent Groovy services are compiled and executed using a security configuration to protect the integrity and data security of the system.
The main components of the security system are:
- Groovy Static Compilation
- Secure Java Package Whitelist
- Illegal Token Blocking
- Class Loader Isolation
- Client Data Security Access
Groovy Static Compilation
Apache Groovy is a flexible, dynamic language that provides powerful reflection and metaprogramming features. However, some of these dynamic features are not suitable for a secure runtime that handles PII data. Fluent Groovy services and functions are executed in the same Java process as the Transact Manager application server, which gives them in-memory data access and very high performance, but also requires a very strong security model.
To use the strengths of Apache Groovy while still providing a secure programming model and runtime, Transact Fluent Groovy services and functions are statically compiled before they are executed. Static compilation enables static code analysis to ensure that unsafe language features are not used and that only approved classes can be loaded. An additional benefit of this model is native Java execution, which can leverage the Java HotSpot runtime compiler for improved performance after runtime analysis.
A downside of this approach is that some of Apache Groovy's dynamic features are not available, such as GPath expressions or Groovy metaprogramming features. Be aware that some of the dynamic language features documented online will not work in static compilation mode.
When specifying path-based expressions, use the Path class instead of the Groovy GPath class. The Fluent Path class provides equivalent functions and supports working with JSON, XML and POJO objects.
Secure Java Package Whitelist
The secure compiler only allows access to Java packages contained in the approved security whitelist. Access to classes outside the approved package whitelist is prohibited and results in a compilation error when the service is executed.
If you need changes to the package whitelist, contact our Customer Care team for assistance.
Java Packages Whitelist
- com.amazonaws
- com.amazonaws.auth
- com.amazonaws.auth.policy
- com.amazonaws.auth.presign
- com.amazonaws.auth.profile
- com.amazonaws.client
- com.amazonaws.client.builder
- com.amazonaws.services.cloudtrail
- com.amazonaws.services.cloudtrail.model
- com.amazonaws.services.dynamodbv2
- com.amazonaws.services.dynamodbv2.datamodeling
- com.amazonaws.services.dynamodbv2.datamodeling.marshallers
- com.amazonaws.services.dynamodbv2.datamodeling.unmarshallers
- com.amazonaws.services.dynamodbv2.document
- com.amazonaws.services.dynamodbv2.document.api
- com.amazonaws.services.dynamodbv2.document.spec
- com.amazonaws.services.dynamodbv2.document.utils
- com.amazonaws.services.s3
- com.amazonaws.services.s3.event
- com.amazonaws.services.s3.iterable
- com.amazonaws.services.s3.model
- com.amazonaws.services.s3.transfer
- com.amazonaws.services.s3.transfer.exception
- com.amazonaws.services.s3.transfer.model
- com.amazonaws.services.securitytoken
- com.amazonaws.services.securitytoken.model
- com.amazonaws.services.securitytoken.model.transform
- com.amazonaws.services.sns
- com.amazonaws.services.sns.model
- com.amazonaws.services.sns.util
- com.amazonaws.services.sqs
- com.amazonaws.services.sqs.buffered
- com.amazonaws.services.sqs.model
- com.amazonaws.util
- com.amazonaws.util.json
- com.avoka.component.docusign
- com.avoka.component.sharepoint
- com.avoka.component.sharepoint.service
- com.avoka.component.sharepoint.type
- com.avoka.core.groovy
- com.avoka.exc.fis
- com.avoka.exc.iovation
- com.avoka.exc.plaid
- com.avoka.exc.stripe
- com.avoka.taf
- com.avoka.taf.config
- com.avoka.taf.dao
- com.avoka.taf.dao.conn
- com.avoka.taf.dao.conn.stubs
- com.avoka.taf.dao.query
- com.avoka.taf.dao.model
- com.avoka.taf.dao.svc
- com.avoka.taf.dao.util
- com.avoka.taf.narrate
- com.avoka.tm.func
- com.avoka.tm.http
- com.avoka.tm.job
- com.avoka.tm.query
- com.avoka.tm.svc
- com.avoka.tm.test
- com.avoka.tm.util
- com.avoka.tm.vo
- com.auth0.jwt
- com.auth0.jwt.pem
- com.fasterxml.jackson.dataformat.xml.annotation
- com.google.gson
- com.google.gson.annotations
- com.google.gson.reflect
- com.google.gson.stream
- com.itextpdf.text.pdf
- com.jcraft.jsch
- eu.bitwalker.useragentutils
- java.io
- java.lang
- java.math
- java.net
- java.nio
- java.nio.charset
- java.nio.file
- java.security
- java.security.acl
- java.security.cert
- java.security.interfaces
- java.security.spec
- java.sql
- java.text
- java.time
- java.time.chrono
- java.time.format
- java.time.temporal
- java.time.zone
- java.util
- java.util.jar
- java.util.logging
- java.util.prefs
- java.util.regex
- java.util.stream
- java.util.zip
- javax.crypto
- javax.crypto.interfaces
- javax.crypto.spec
- javax.mail
- javax.mail.internet
- javax.mail.util
- javax.net.ssl
- javax.security.auth
- javax.security.auth.callback
- javax.security.auth.kerberos
- javax.security.auth.login
- javax.security.auth.spi
- javax.security.auth.x500
- javax.security.cert
- javax.security.sasl
- javax.sql.rowset
- javax.sql.rowset.serial
- javax.sql.rowset.spi
- javax.servlet.http
- javax.xml
- javax.xml.bind
- javax.xml.bind.annotation
- javax.xml.bind.annotation.adapters
- javax.xml.bind.attachment
- javax.xml.bind.helpers
- javax.xml.bind.util
- javax.xml.crypto
- javax.xml.parsers
- javax.xml.soap
- javax.xml.stream
- javax.xml.transform
- javax.xml.transform.stream
- javax.xml.validation
- javax.xml.ws
- javax.xml.xpath
- groovy.json
- groovy.sql
- groovy.text
- groovy.time
- groovy.util
- groovy.util.slurpersupport
- groovy.xml
- net.sf.json
- net.sf.json.filters
- net.sf.json.groovy
- net.sf.json.processors
- net.sf.json.regexp
- net.sf.json.test
- net.sf.json.util
- net.sf.json.xml
- org.apache.commons.codec
- org.apache.commons.codec.binary
- org.apache.commons.codec.digest
- org.apache.commons.codec.language
- org.apache.commons.codec.language.bm
- org.apache.commons.codec.net
- org.apache.commons.fileupload
- org.apache.commons.io
- org.apache.commons.io.comparator
- org.apache.commons.io.filefilter
- org.apache.commons.io.input
- org.apache.commons.io.monitor
- org.apache.commons.io.output
- org.apache.commons.lang3
- org.apache.commons.lang3.builder
- org.apache.commons.lang3.concurrent
- org.apache.commons.lang3.exception
- org.apache.commons.lang3.math
- org.apache.commons.lang3.mutable
- org.apache.commons.lang3.text
- org.apache.commons.lang3.text.translate
- org.apache.commons.lang3.time
- org.apache.commons.lang3.tuple
- org.apache.commons.mail
- org.apache.http
- org.apache.http.auth
- org.apache.http.client
- org.apache.http.client.config
- org.apache.http.client.entity
- org.apache.http.client.methods
- org.apache.http.client.protocol
- org.apache.http.client.utils
- org.apache.http.conn
- org.apache.http.conn.routing
- org.apache.http.conn.socket
- org.apache.http.conn.ssl
- org.apache.http.conn.util
- org.apache.http.cookie
- org.apache.http.entity
- org.apache.http.impl.auth
- org.apache.http.impl.client
- org.apache.http.impl.conn
- org.apache.http.impl.cookie
- org.apache.http.impl.execchain
- org.apache.http.io
- org.apache.http.message
- org.apache.http.params
- org.apache.http.pool
- org.apache.http.protocol
- org.apache.http.ssl
- org.apache.http.util
- org.apache.poi.hssf.usermodel
- org.apache.poi.ss.usermodel
- org.apache.poi.xssf.usermodel
- org.apache.xerces.dom
- org.bouncycastle.apache.bzip2
- org.bouncycastle.bcpg
- org.bouncycastle.bcpg.attr
- org.bouncycastle.bcpg.sig
- org.bouncycastle.openpgp
- org.bouncycastle.openpgp.bc
- org.bouncycastle.openpgp.examples
- org.bouncycastle.openpgp.jcajce
- org.bouncycastle.openpgp.operator
- org.bouncycastle.openpgp.operator.bc
- org.bouncycastle.openpgp.operator.jcajce
- org.bouncycastle.cert
- org.bouncycastle.cert.bc
- org.bouncycastle.cert.cmp
- org.bouncycastle.cert.crmf
- org.bouncycastle.cert.crmf.bc
- org.bouncycastle.cert.crmf.jcajce
- org.bouncycastle.cert.dane
- org.bouncycastle.cert.dane.fetcher
- org.bouncycastle.cert.jcajce
- org.bouncycastle.cert.ocsp
- org.bouncycastle.cert.ocsp.jcajce
- org.bouncycastle.cert.path
- org.bouncycastle.cert.path.validations
- org.bouncycastle.cert.selector
- org.bouncycastle.cert.selector.jcajce
- org.bouncycastle.cms
- org.bouncycastle.cms.bc
- org.bouncycastle.cms.jcajce
- org.bouncycastle.dvcs
- org.bouncycastle.eac
- org.bouncycastle.eac.jcajce
- org.bouncycastle.eac.operator.jcajce
- org.bouncycastle.mozilla
- org.bouncycastle.mozilla.jcajce
- org.bouncycastle.openssl
- org.bouncycastle.openssl.bc
- org.bouncycastle.openssl.jcajce
- org.bouncycastle.operator
- org.bouncycastle.operator.bc
- org.bouncycastle.operator.jcajce
- org.bouncycastle.pkcs
- org.bouncycastle.pkcs.bc
- org.bouncycastle.pkcs.jcajce
- org.bouncycastle.pkix
- org.bouncycastle.pkix.jcajce
- org.bouncycastle.tps
- org.bouncycastle.tps.cms
- org.bouncycastle.voms
- org.bouncycastle.asn1
- org.bouncycastle.crypto
- org.bouncycastle.i18n
- org.bouncycastle.i18n.filter
- org.bouncycastle.jcajce
- org.bouncycastle.jcajce.io
- org.bouncycastle.jcajce.provider
- org.bouncycastle.jcajce.provider.asymmetric
- org.bouncycastle.jcajce.provider.asymmetric.dh
- org.bouncycastle.jcajce.provider.asymmetric.dsa
- org.bouncycastle.jcajce.provider.asymmetric.dstu
- org.bouncycastle.jcajce.provider.asymmetric.ec
- org.bouncycastle.jcajce.provider.asymmetric.ecgost
- org.bouncycastle.jcajce.provider.asymmetric.elgaml
- org.bouncycastle.jcajce.provider.asymmetric.gost
- org.bouncycastle.jcajce.provider.asymmetric.ies
- org.bouncycastle.jcajce.provider.asymmetric.rsa
- org.bouncycastle.jcajce.provider.asymmetric.util
- org.bouncycastle.jcajce.provider.asymmetric.x509
- org.bouncycastle.jcajce.provider.config
- org.bouncycastle.jcajce.provider.digest
- org.bouncycastle.jcajce.provider.keystore
- org.bouncycastle.jcajce.provider.keystore.bc
- org.bouncycastle.jcajce.provider.keystore.pkcs12
- org.bouncycastle.jcajce.provider.symmetric
- org.bouncycastle.jcajce.provider.symmetric.util
- org.bouncycastle.jcajce.provider.spec
- org.bouncycastle.jcajce.provider.util
- org.bouncycastle.jcajce.util
- org.bouncycastle.jce
- org.bouncycastle.jce.exception
- org.bouncycastle.jce.interfaces
- org.bouncycastle.jce.netscape
- org.bouncycastle.jce.provider
- org.bouncycastle.jce.spec
- org.bouncycastle.math
- org.bouncycastle.math.ec
- org.bouncycastle.math.field
- org.bouncycastle.math.raw
- org.bouncycastle.pqc
- org.bouncycastle.pqc.asn1
- org.bouncycastle.pqc.crypto
- org.bouncycastle.pqc.crypto.gmss
- org.bouncycastle.pqc.crypto.mceliece
- org.bouncycastle.pqc.crypto.rainbow
- org.bouncycastle.pqc.crypto.rainbow.util
- org.bouncycastle.pqc.jcajce
- org.bouncycastle.pqc.jcajce.provider
- org.bouncycastle.pqc.jcajce.provider.gmss
- org.bouncycastle.pqc.jcajce.provider.mceliece
- org.bouncycastle.pqc.jcajce.provider.rainbow
- org.bouncycastle.pqc.jcajce.provider.util
- org.bouncycastle.pqc.jcajce.spec
- org.bouncycastle.pqc.jcajce.math.linearalgebra
- org.bouncycastle.util
- org.bouncycastle.util.encoders
- org.bouncycastle.util.io
- org.bouncycastle.util.io.pem
- org.bouncycastle.util.test
- org.bouncycastle.util.x509
- org.bouncycastle.util.x509.extension
- org.bouncycastle.util.x509.util
- org.joda.time
- org.joda.time.base
- org.joda.time.chrono
- org.joda.time.convert
- org.joda.time.field
- org.joda.time.format
- org.joda.time.tz
- org.w3c.dom
- org.w3c.dom.bootstrap
- org.w3c.dom.events
- org.w3c.dom.ls
- org.xml.sax
- org.xml.sax.ext
- org.xml.sax.helpers
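As an added example (not part of this page or of the Transact product), the following Python script lints the import statements of a Fluent Groovy source file against the package whitelist before the service is submitted. Because the page lists subpackages separately (for example both com.amazonaws and com.amazonaws.auth), the checker assumes that whitelist matching is by exact package name rather than by prefix; WHITELIST is a small constructed subset of the list above, and SAMPLE_SCRIPT is a constructed Groovy script.

```python
import re
from typing import List, Set, Tuple

# Constructed subset of the package whitelist on this page. The page lists
# subpackages individually, so this checker assumes exact-package matching:
# java.lang is allowed, java.lang.reflect is not (it is absent from the list).
WHITELIST: Set[str] = {
    "com.amazonaws", "com.amazonaws.services.s3", "com.amazonaws.services.s3.model",
    "com.avoka.tm.util", "com.avoka.tm.vo", "java.io", "java.lang", "java.util",
    "javax.crypto", "javax.crypto.spec", "org.apache.commons.lang3",
}

# Matches Groovy import forms: import a.b.C / import a.b.* / import static a.b.C.m
# with an optional "as Alias", optional ";" and an optional trailing // comment.
IMPORT_RE = re.compile(
    r"^\s*import\s+(?P<static>static\s+)?(?P<name>[\w.]+\*?)"
    r"(?:\s+as\s+\w+)?\s*;?(?:\s*//.*)?\s*$"
)

def package_of(import_name: str, is_static: bool) -> str:
    """Reduce an import target to the Java package it loads a class from."""
    parts = import_name.split(".")[:-1]   # drop the class name, member name, or "*"
    if is_static:
        parts = parts[:-1]                # a static import names a class member; drop the class too
    return ".".join(parts)

def check_script(source: str, whitelist: Set[str] = WHITELIST) -> List[Tuple[int, str, str]]:
    """Return (line_no, import_line, package) for every import outside the whitelist."""
    violations = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        m = IMPORT_RE.match(line)
        if not m:
            continue
        pkg = package_of(m.group("name"), bool(m.group("static")))
        if pkg not in whitelist:
            violations.append((line_no, line.strip(), pkg))
    return violations

# Constructed sample script: lines 3, 5 and 7 import from packages not on the whitelist.
SAMPLE_SCRIPT = """\
import com.avoka.tm.util.Path
import com.avoka.tm.vo.*
import java.util.concurrent.TimeUnit
import static org.apache.commons.lang3.StringUtils.isBlank
import com.amazonaws.services.ec2.AmazonEC2
import javax.crypto.spec.SecretKeySpec as SKS;
import java.lang.reflect.Method   // java.lang is listed, java.lang.reflect is not
"""

if __name__ == "__main__":
    for line_no, text, pkg in check_script(SAMPLE_SCRIPT):
        print(f"line {line_no}: package '{pkg}' is not whitelisted: {text}")
```

Only import lines are inspected; fully qualified class references inside method bodies are left to the secure compiler, which remains the enforcement point.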
Illegal Token Blocking
In addition to the security whitelist, a number of illegal tokens are not permitted in Groovy scripts. Illegal token blocking is used primarily to secure the legacy Groovy Services.
Caution: Avoid developing legacy Groovy Services, as this runtime is deprecated and will be removed in the Transact Manager 19.11 release.
Class Loader Isolation
All Fluent Groovy services and legacy Groovy Services are executed in their own isolated Java class loader. This isolates their execution so that Groovy services cannot share memory with the code that hosts them.
Client Data Security Access
All Fluent Services and Functions are associated with a Client Organization and are executed under that Organization's data access controls; they cannot access data associated with other organizations.