NetIQ Access Manager: Using Java functions inside Virtual Attributes for complex modifications


Access Manager has virtual attributes, which can help you modify or transform user attributes at runtime. The primary way of providing the required modification to Access Manager is through JavaScript functions.

For various complex scenarios, writing the JavaScript is not easy. The solution may require advanced JavaScript that uses external JavaScript libraries. Currently, external JavaScript libraries such as jQuery and Angular are not supported in virtual attributes.

However, there is another, easier way of writing such complex logic: Java functions. We can call Java functions from JavaScript. We can either write Java classes manually or use external Java libraries directly from our virtual attribute's JavaScript functions. Let’s try out these scenarios with some examples.


Scenario 1 – We want to calculate the SHA-256 hash of a user’s LDAP attribute using a salt. Assume that the salt is also an LDAP attribute of the user.

Solution –

  • Create a Java class “Hashing” under the “testProj” package.
  • Add a function getHash(String input, String salt) to this class that calculates the hash of the input string using the provided salt.
  • Compile this class and put it under the following paths with the proper package structure.

           IDP : /opt/novell/nids/lib/webapp/WEB-INF/classes

           Admin console  : /var/opt/novell/iManager/nps/WEB-INF/classes

For our current scenario, create a folder testProj under the classes folder and keep the compiled “Hashing” class under it.

  • Restart the IDP and the Admin console.
  • Create a virtual attribute with P1 and P2 as input. Map P1 and P2 to the appropriate user LDAP attributes. P1 is the input to be hashed and P2 is the salt.

For the modification function, select advanced JavaScript and enter the lines below:

function main(P1,P2)
{
    // Load the custom class from WEB-INF/classes
    var hashLib = Java.type('testProj.Hashing');
    var vaHashLib = new hashLib();
    // P1 = attribute to hash, P2 = salt
    return vaHashLib.getHash(P1,P2);
}

Here we are calling the getHash() function of the testProj.Hashing class and passing user attributes P1 and P2 to it. You can test the virtual attribute as below:



After testing, save the virtual attribute and update the IDP.

Please find the Java class used above in the attachment section of this cool solution.
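
A class with the shape the steps above describe, added here as an example; it is not the author's attached file. The salt-then-input ordering, UTF-8 encoding, hex output and the empty return value for a missing attribute are assumptions.

```java
package testProj;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Added example. Loaded from the virtual attribute via Java.type('testProj.Hashing'). */
public class Hashing {

    // The script calls "new hashLib()", so a public no-argument constructor is required.
    public Hashing() {
    }

    /**
     * Returns the lowercase hex SHA-256 digest of the salt bytes followed by the input bytes.
     * Assumptions: salt-then-input ordering, UTF-8 encoding, hex output.
     */
    public String getHash(String input, String salt) {
        // A user may lack one of the mapped LDAP attributes; return an empty
        // value instead of throwing inside the script engine.
        if (input == null || salt == null) {
            return "";
        }
        try {
            MessageDigest digest = MessageDigest.getInstance("SHA-256");
            digest.update(salt.getBytes(StandardCharsets.UTF_8));
            byte[] hash = digest.digest(input.getBytes(StandardCharsets.UTF_8));

            StringBuilder hex = new StringBuilder(hash.length * 2);
            for (byte b : hash) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            // SHA-256 is a required algorithm on every Java platform.
            throw new IllegalStateException("SHA-256 not available", e);
        }
    }

    // Stand-alone check with constructed sample values.
    public static void main(String[] args) {
        System.out.println(new Hashing().getHash("jdoe@example.com", "constructedSalt"));
    }
}
```

Compiling with `javac -d . Hashing.java` produces `testProj/Hashing.class`, which is the folder layout the classes directories above expect.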



Scenario 2 :

A function from an external Java library is required in virtual attributes for modifications.


Place the external library under the following locations and restart the IDP and Admin console services.

IDP : /opt/novell/nids/lib/webapp/WEB-INF/lib

Admin console  : /var/opt/novell/iManager/nps/WEB-INF/lib

You can use the above JavaScript again; just load the right class by its full package name and call the appropriate function, as below. Note that here we are not creating any class manually. We are calling a function of an external library directly from the virtual attribute.

function main(P1,P2)
{
    // Load the library class from WEB-INF/lib
    var extLib = Java.type('<class name with full package name>');
    var vaExtLib = new extLib();
    return vaExtLib.<function name in the class>(<parameters>);
}




(For more information on Virtual attributes please check /cyberres/accmgmt/accessmanager/w/access_manager_tips/25980/user-attribute-transformations-in-access-manager-4-2-virtual-attributes)

