
Version: 22.10

Fluent Security Configuration

Journey Manager Fluent Groovy services are compiled and executed using a security configuration to protect the integrity and data security of the system.

The main components of the security system include:

  • Class Loader Isolation
  • Secure Java Package Whitelist
  • Groovy Static Compilation
  • Illegal Token Blocking
  • Client Data Access Security Context

Class Loader Isolation

All Fluent Groovy services and legacy Groovy services are executed in their own isolated Java class loader. This provides execution isolation: Groovy services are prevented from sharing memory with the Groovy service hosting code.

Secure Java Package Whitelist

Fluent Groovy services can only access the Java packages in the approved whitelist. Access to classes outside of the approved package whitelist is prohibited.

Java Packages Whitelist

  • com.amazonaws
  • com.amazonaws.auth
  • com.amazonaws.auth.policy
  • com.amazonaws.auth.presign
  • com.amazonaws.auth.profile
  • com.amazonaws.client
  • com.amazonaws.client.builder
  • com.amazonaws.services.cloudtrail
  • com.amazonaws.services.cloudtrail.model
  • com.amazonaws.services.dynamodbv2
  • com.amazonaws.services.dynamodbv2.datamodeling
  • com.amazonaws.services.dynamodbv2.datamodeling.marshallers
  • com.amazonaws.services.dynamodbv2.datamodeling.unmarshallers
  • com.amazonaws.services.dynamodbv2.document
  • com.amazonaws.services.dynamodbv2.document.api
  • com.amazonaws.services.dynamodbv2.document.spec
  • com.amazonaws.services.dynamodbv2.document.utils
  • com.amazonaws.services.s3
  • com.amazonaws.services.s3.event
  • com.amazonaws.services.s3.iterable
  • com.amazonaws.services.s3.model
  • com.amazonaws.services.s3.transfer
  • com.amazonaws.services.s3.transfer.exception
  • com.amazonaws.services.s3.transfer.model
  • com.amazonaws.services.securitytoken
  • com.amazonaws.services.securitytoken.model
  • com.amazonaws.services.securitytoken.model.transform
  • com.amazonaws.services.sns
  • com.amazonaws.services.sns.model
  • com.amazonaws.services.sns.util
  • com.amazonaws.services.sqs
  • com.amazonaws.services.sqs.buffered
  • com.amazonaws.services.sqs.model
  • com.amazonaws.util
  • com.amazonaws.util.json
  • com.avoka.component.docusign
  • com.avoka.component.sharepoint
  • com.avoka.component.sharepoint.service
  • com.avoka.component.sharepoint.type
  • com.avoka.core.groovy
  • com.avoka.exc.fis
  • com.avoka.exc.iovation
  • com.avoka.exc.plaid
  • com.avoka.exc.stripe
  • com.avoka.taf
  • com.avoka.taf.config
  • com.avoka.taf.dao
  • com.avoka.taf.dao.conn
  • com.avoka.taf.dao.conn.stubs
  • com.avoka.taf.dao.query
  • com.avoka.taf.dao.model
  • com.avoka.taf.dao.svc
  • com.avoka.taf.dao.util
  • com.avoka.taf.narrate
  • com.avoka.tm.func
  • com.avoka.tm.http
  • com.avoka.tm.job
  • com.avoka.tm.query
  • com.avoka.tm.svc
  • com.avoka.tm.test
  • com.avoka.tm.util
  • com.avoka.tm.vo
  • com.auth0.jwt
  • com.auth0.jwt.pem
  • com.fasterxml.jackson.annotation
  • com.fasterxml.jackson.core
  • com.fasterxml.jackson.core.async
  • com.fasterxml.jackson.core.base
  • com.fasterxml.jackson.core.filter
  • com.fasterxml.jackson.core.format
  • com.fasterxml.jackson.core.io
  • com.fasterxml.jackson.core.json
  • com.fasterxml.jackson.core.json.async
  • com.fasterxml.jackson.core.sym
  • com.fasterxml.jackson.core.type
  • com.fasterxml.jackson.core.util
  • com.fasterxml.jackson.databind
  • com.fasterxml.jackson.databind.annotation
  • com.fasterxml.jackson.databind.cfg
  • com.fasterxml.jackson.databind.deser
  • com.fasterxml.jackson.databind.deser.impl
  • com.fasterxml.jackson.databind.deser.std
  • com.fasterxml.jackson.databind.exc
  • com.fasterxml.jackson.databind.ext
  • com.fasterxml.jackson.databind.introspect
  • com.fasterxml.jackson.databind.jsonFormatVisitors
  • com.fasterxml.jackson.databind.jsonschema
  • com.fasterxml.jackson.databind.jsontype
  • com.fasterxml.jackson.databind.jsontype.impl
  • com.fasterxml.jackson.databind.module
  • com.fasterxml.jackson.databind.node
  • com.fasterxml.jackson.databind.ser
  • com.fasterxml.jackson.databind.ser.impl
  • com.fasterxml.jackson.databind.ser.std
  • com.fasterxml.jackson.databind.type
  • com.fasterxml.jackson.databind.util
  • com.fasterxml.jackson.dataformat.xml
  • com.fasterxml.jackson.dataformat.xml.annotation
  • com.fasterxml.jackson.dataformat.xml.deser
  • com.fasterxml.jackson.dataformat.xml.jaxb
  • com.fasterxml.jackson.dataformat.xml.ser
  • com.fasterxml.jackson.dataformat.xml.util
  • com.google.gson
  • com.google.gson.annotations
  • com.google.gson.reflect
  • com.google.gson.stream
  • com.itextpdf.text.pdf
  • com.jcraft.jsch
  • eu.bitwalker.useragentutils
  • java.io
  • java.lang
  • java.math
  • java.net
  • java.nio
  • java.nio.charset
  • java.nio.file
  • java.security
  • java.security.acl
  • java.security.cert
  • java.security.interfaces
  • java.security.spec
  • java.sql
  • java.text
  • java.time
  • java.time.chrono
  • java.time.format
  • java.time.temporal
  • java.time.zone
  • java.util
  • java.util.jar
  • java.util.logging
  • java.util.prefs
  • java.util.regex
  • java.util.stream
  • java.util.zip
  • javax.crypto
  • javax.crypto.interfaces
  • javax.crypto.spec
  • javax.mail
  • javax.mail.internet
  • javax.mail.util
  • javax.net.ssl
  • javax.security.auth
  • javax.security.auth.callback
  • javax.security.auth.kerberos
  • javax.security.auth.login
  • javax.security.auth.spi
  • javax.security.auth.x500
  • javax.security.cert
  • javax.security.sasl
  • javax.sql.rowset
  • javax.sql.rowset.serial
  • javax.sql.rowset.spi
  • javax.servlet.http
  • javax.xml
  • javax.xml.bind
  • javax.xml.bind.annotation
  • javax.xml.bind.annotation.adapters
  • javax.xml.bind.attachment
  • javax.xml.bind.helpers
  • javax.xml.bind.util
  • javax.xml.crypto
  • javax.xml.parsers
  • javax.xml.soap
  • javax.xml.stream
  • javax.xml.transform
  • javax.xml.transform.stream
  • javax.xml.validation
  • javax.xml.ws
  • javax.xml.xpath
  • groovy.json
  • groovy.sql
  • groovy.text
  • groovy.time
  • groovy.util
  • groovy.util.slurpersupport
  • groovy.xml
  • net.sf.json
  • net.sf.json.filters
  • net.sf.json.groovy
  • net.sf.json.processors
  • net.sf.json.regexp
  • net.sf.json.test
  • net.sf.json.util
  • net.sf.json.xml
  • org.apache.commons.codec
  • org.apache.commons.codec.binary
  • org.apache.commons.codec.digest
  • org.apache.commons.codec.language
  • org.apache.commons.codec.language.bm
  • org.apache.commons.codec.net
  • org.apache.commons.fileupload
  • org.apache.commons.io
  • org.apache.commons.io.comparator
  • org.apache.commons.io.filefilter
  • org.apache.commons.io.input
  • org.apache.commons.io.monitor
  • org.apache.commons.io.output
  • org.apache.commons.lang3
  • org.apache.commons.lang3.builder
  • org.apache.commons.lang3.concurrent
  • org.apache.commons.lang3.exception
  • org.apache.commons.lang3.math
  • org.apache.commons.lang3.mutable
  • org.apache.commons.lang3.text
  • org.apache.commons.lang3.text.translate
  • org.apache.commons.lang3.time
  • org.apache.commons.lang3.tuple
  • org.apache.commons.mail
  • org.apache.http
  • org.apache.http.auth
  • org.apache.http.client
  • org.apache.http.client.config
  • org.apache.http.client.entity
  • org.apache.http.client.methods
  • org.apache.http.client.protocol
  • org.apache.http.client.utils
  • org.apache.http.conn
  • org.apache.http.conn.routing
  • org.apache.http.conn.socket
  • org.apache.http.conn.ssl
  • org.apache.http.conn.util
  • org.apache.http.cookie
  • org.apache.http.entity
  • org.apache.http.impl.auth
  • org.apache.http.impl.client
  • org.apache.http.impl.conn
  • org.apache.http.impl.cookie
  • org.apache.http.impl.execchain
  • org.apache.http.io
  • org.apache.http.message
  • org.apache.http.params
  • org.apache.http.pool
  • org.apache.http.protocol
  • org.apache.http.ssl
  • org.apache.http.util
  • org.apache.poi.hssf.usermodel
  • org.apache.poi.ss.usermodel
  • org.apache.poi.xssf.usermodel
  • org.apache.shiro
  • org.apache.shiro.crypto
  • org.apache.shiro.crypto.hash
  • org.apache.shiro.crypto.hash.format
  • org.apache.shiro.util
  • org.apache.xerces.dom
  • org.bouncycastle.apache.bzip2
  • org.bouncycastle.bcpg
  • org.bouncycastle.bcpg.attr
  • org.bouncycastle.bcpg.sig
  • org.bouncycastle.openpgp
  • org.bouncycastle.openpgp.bc
  • org.bouncycastle.openpgp.examples
  • org.bouncycastle.openpgp.jcajce
  • org.bouncycastle.openpgp.operator
  • org.bouncycastle.openpgp.operator.bc
  • org.bouncycastle.openpgp.operator.jcajce
  • org.bouncycastle.cert
  • org.bouncycastle.cert.bc
  • org.bouncycastle.cert.cmp
  • org.bouncycastle.cert.crmf
  • org.bouncycastle.cert.crmf.bc
  • org.bouncycastle.cert.crmf.jcajce
  • org.bouncycastle.cert.dane
  • org.bouncycastle.cert.dane.fetcher
  • org.bouncycastle.cert.jcajce
  • org.bouncycastle.cert.ocsp
  • org.bouncycastle.cert.ocsp.jcajce
  • org.bouncycastle.cert.path
  • org.bouncycastle.cert.path.validations
  • org.bouncycastle.cert.selector
  • org.bouncycastle.cert.selector.jcajce
  • org.bouncycastle.cms
  • org.bouncycastle.cms.bc
  • org.bouncycastle.cms.jcajce
  • org.bouncycastle.dvcs
  • org.bouncycastle.eac
  • org.bouncycastle.eac.jcajce
  • org.bouncycastle.eac.operator.jcajce
  • org.bouncycastle.mozilla
  • org.bouncycastle.mozilla.jcajce
  • org.bouncycastle.openssl
  • org.bouncycastle.openssl.bc
  • org.bouncycastle.openssl.jcajce
  • org.bouncycastle.operator
  • org.bouncycastle.operator.bc
  • org.bouncycastle.operator.jcajce
  • org.bouncycastle.pkcs
  • org.bouncycastle.pkcs.bc
  • org.bouncycastle.pkcs.jcajce
  • org.bouncycastle.pkix
  • org.bouncycastle.pkix.jcajce
  • org.bouncycastle.tps
  • org.bouncycastle.tps.cms
  • org.bouncycastle.voms
  • org.bouncycastle.asn1
  • org.bouncycastle.crypto
  • org.bouncycastle.i18n
  • org.bouncycastle.i18n.filter
  • org.bouncycastle.jcajce
  • org.bouncycastle.jcajce.io
  • org.bouncycastle.jcajce.provider
  • org.bouncycastle.jcajce.provider.asymmetric
  • org.bouncycastle.jcajce.provider.asymmetric.dh
  • org.bouncycastle.jcajce.provider.asymmetric.dsa
  • org.bouncycastle.jcajce.provider.asymmetric.dstu
  • org.bouncycastle.jcajce.provider.asymmetric.ec
  • org.bouncycastle.jcajce.provider.asymmetric.ecgost
  • org.bouncycastle.jcajce.provider.asymmetric.elgaml
  • org.bouncycastle.jcajce.provider.asymmetric.gost
  • org.bouncycastle.jcajce.provider.asymmetric.ies
  • org.bouncycastle.jcajce.provider.asymmetric.rsa
  • org.bouncycastle.jcajce.provider.asymmetric.util
  • org.bouncycastle.jcajce.provider.asymmetric.x509
  • org.bouncycastle.jcajce.provider.config
  • org.bouncycastle.jcajce.provider.digest
  • org.bouncycastle.jcajce.provider.keystore
  • org.bouncycastle.jcajce.provider.keystore.bc
  • org.bouncycastle.jcajce.provider.keystore.pkcs12
  • org.bouncycastle.jcajce.provider.symmetric
  • org.bouncycastle.jcajce.provider.symmetric.util
  • org.bouncycastle.jcajce.provider.spec
  • org.bouncycastle.jcajce.provider.util
  • org.bouncycastle.jcajce.util
  • org.bouncycastle.jce
  • org.bouncycastle.jce.exception
  • org.bouncycastle.jce.interfaces
  • org.bouncycastle.jce.netscape
  • org.bouncycastle.jce.provider
  • org.bouncycastle.jce.spec
  • org.bouncycastle.math
  • org.bouncycastle.math.ec
  • org.bouncycastle.math.field
  • org.bouncycastle.math.raw
  • org.bouncycastle.pqc
  • org.bouncycastle.pqc.asn1
  • org.bouncycastle.pqc.crypto
  • org.bouncycastle.pqc.crypto.gmss
  • org.bouncycastle.pqc.crypto.mceliece
  • org.bouncycastle.pqc.crypto.rainbow
  • org.bouncycastle.pqc.crypto.rainbow.util
  • org.bouncycastle.pqc.jcajce
  • org.bouncycastle.pqc.jcajce.provider
  • org.bouncycastle.pqc.jcajce.provider.gmss
  • org.bouncycastle.pqc.jcajce.provider.mceliece
  • org.bouncycastle.pqc.jcajce.provider.rainbow
  • org.bouncycastle.pqc.jcajce.provider.util
  • org.bouncycastle.pqc.jcajce.spec
  • org.bouncycastle.pqc.jcajce.math.linearalgebra
  • org.bouncycastle.util
  • org.bouncycastle.util.encoders
  • org.bouncycastle.util.io
  • org.bouncycastle.util.io.pem
  • org.bouncycastle.util.test
  • org.bouncycastle.util.x509
  • org.bouncycastle.util.x509.extension
  • org.bouncycastle.util.x509.util
  • org.joda.time
  • org.joda.time.base
  • org.joda.time.chrono
  • org.joda.time.convert
  • org.joda.time.field
  • org.joda.time.format
  • org.joda.time.tz
  • org.supercsv.cellprocessor
  • org.supercsv.cellprocessor.constraint
  • org.supercsv.cellprocessor.ift
  • org.supercsv.comment
  • org.supercsv.encoder
  • org.supercsv.exception
  • org.supercsv.io
  • org.supercsv.prefs
  • org.supercsv.quote
  • org.supercsv.util
  • org.w3c.dom
  • org.w3c.dom.bootstrap
  • org.w3c.dom.events
  • org.w3c.dom.ls
  • org.xml.sax
  • org.xml.sax.ext
  • org.xml.sax.helpers

If you need changes to the package whitelist, contact Temenos support for assistance.

Security Error Examples

Import Not Allowed

This example shows an attempt to import a class that is not in the whitelist.

[Screenshot: Import Not Allowed Class]

Illegal Token

This example shows an attempt to use a blacklisted token that cannot be used in a service.

[Screenshot: Import Illegal Token]

Groovy Static Compilation

To enforce the security policies, Fluent Groovy services are compiled statically. In addition to providing a much stronger security model, statically compiled Groovy services also execute at near native Java speed. However, statically compiled Groovy services cannot use some of Groovy's dynamic language features, such as GPath expressions or Groovy metaprogramming.

Instead of using Groovy GPath expressions, use the Path class, which provides equivalent capabilities.
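The following stand-alone Groovy script is an added illustration, not Journey Manager's own implementation (the page does not describe its internals). It shows how the controls described above (class loader isolation, a package whitelist, static compilation and illegal token blocking) can be assembled from Groovy's own SecureASTCustomizer and CompileStatic, and why a GPath expression is rejected by the static compiler. The whitelist subset is taken from the package list above; the blocked tokens are chosen purely for illustration, since this page does not list the real set; the JSON and the four sample scripts are constructed for the example.

```groovy
import groovy.transform.CompileStatic
import org.codehaus.groovy.control.CompilerConfiguration
import org.codehaus.groovy.control.MultipleCompilationErrorsException
import org.codehaus.groovy.control.customizers.ASTTransformationCustomizer
import org.codehaus.groovy.control.customizers.SecureASTCustomizer
import org.codehaus.groovy.syntax.Types

// A few entries from the page's package whitelist, in the "package.*" form that
// SecureASTCustomizer uses for star-import entries. The match is on the exact
// package: java.util is allowed, java.util.concurrent is not.
List<String> allowedPackages = ['java.lang', 'java.util', 'java.time', 'groovy.json']
        .collect { "${it}.*".toString() }

SecureASTCustomizer secure = new SecureASTCustomizer()
secure.with {
    importsWhitelist = []                     // no single-class imports outside allowedPackages
    starImportsWhitelist = allowedPackages
    indirectImportCheckEnabled = true         // also check fully qualified references, not only import lines
    tokensBlacklist = [Types.LEFT_SHIFT, Types.RIGHT_SHIFT]  // illustrative only; the real illegal tokens are not listed on the page
}

CompilerConfiguration config = new CompilerConfiguration()
// Force static compilation of every sandboxed script and apply the AST security checks
config.addCompilationCustomizers(new ASTTransformationCustomizer(CompileStatic), secure)

/** Compile and evaluate one script in its own class loader; returns its result, or null if rejected. */
Object runSandboxed(String label, String script, CompilerConfiguration cfg) {
    // A fresh GroovyClassLoader per script: classes compiled for one script are not visible to the next
    GroovyShell shell = new GroovyShell(new GroovyClassLoader(), cfg)
    try {
        Object result = shell.evaluate(script)
        println "${label}: OK -> ${result}"
        return result
    } catch (SecurityException | MultipleCompilationErrorsException e) {
        // SecureASTCustomizer raises SecurityException (usually wrapped as a compilation error);
        // static type errors arrive as MultipleCompilationErrorsException
        String reason = e.message.readLines().find {
            it.contains('not allowed') || it.contains('Static type checking')
        } ?: e.message
        println "${label}: REJECTED -> ${reason.trim()}"
        return null
    }
}

// Constructed sample submission JSON used by the scripts below
String json = '{"customer":{"name":"Jane Citizen","age":34}}'

// 1. Allowed: whitelisted packages only, statically typed Map access instead of GPath
String allowed = """
    import groovy.json.JsonSlurper
    Map<String, Object> data = (Map<String, Object>) new JsonSlurper().parseText('${json}')
    Map<String, Object> customer = (Map<String, Object>) data.get('customer')
    return customer.get('name')
"""

// 2. Rejected by the package whitelist: java.util.concurrent is a different package from java.util
String notWhitelisted = '''
    import java.util.concurrent.TimeUnit
    return TimeUnit.SECONDS.toMillis(1)
'''

// 3. Rejected by the token blacklist: "<<" is blocked in this configuration
String illegalToken = '''
    List<String> names = []
    names << 'Jane'
    return names
'''

// 4. Rejected by static compilation: GPath navigates dynamic properties the static compiler cannot type
String gpath = """
    import groovy.json.JsonSlurper
    def data = new JsonSlurper().parseText('${json}')
    return data.customer.name
"""

assert runSandboxed('allowed', allowed, config) == 'Jane Citizen'
assert runSandboxed('not whitelisted', notWhitelisted, config) == null
assert runSandboxed('illegal token', illegalToken, config) == null
assert runSandboxed('gpath', gpath, config) == null
```

Two design points are worth noting. The whitelist check is applied at compile time, so a rejected script never runs at all, and enabling the indirect import check closes the gap where a script avoids an import line by writing the fully qualified class name inline. Script 4 also shows why the page steers authors towards the Path class: once the parsed JSON is typed as Object, the static compiler has no way to resolve `customer.name`, so the equivalent data navigation has to go through a statically typed API.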