Permission Issue with Apigee-CustomPolicy-EncryptedJWT

Hello,

We are using the Java Custom Callout from GitHub -
DinoChiesa/Apigee-CustomPolicy-EncryptedJWT.
@dchiesa1 Thank you.

<JavaCallout continueOnError="false" enabled="true" name="Java-JWE Encrypt">
  <DisplayName>Java-JWE Encrypt</DisplayName>
  <Properties>
    <Property name="key-encryption">RSA-OAEP-256</Property>
    <Property name="content-encryption">A256GCM</Property>
    <Property name="payload">{message.content}</Property>
    <Property name="public-key">{extracted_public_key}</Property>
    <Property name="key-id">{certInfo}</Property>
    <Property name="debug">true</Property>
  </Properties>
  <ClassName>com.google.apigee.callouts.GenerateEncryptedJwt</ClassName>
  <ResourceURL>java://xxxxx.jar</ResourceURL>
</JavaCallout>

We encountered a functional failure triggered by a permission reference error.
Specifically, the Nimbus library used in the project utilizes GSON and Java Reflection to handle JSON conversions,
which results in the following security exception:
java.lang.RuntimePermission "accessDeclaredMembers".
ref: https://docs.apigee.com/api-platform/reference/java-permission-reference

com.nimbusds.jose.JOSEException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers") at com.nimbusds.jose.JWEObject.encrypt...

I would like to ask:

  • Is this specific custom policy compatible with the current Apigee X runtime environment?
  • Are there any recommended workarounds or configuration changes to bypass this reflection restriction?
  • Is there a recommended different approach that does not rely on accessDeclaredMembers?

Thank you.