Try executing this pipeline:

def o = readJSON text: '{"foo": "bar"}'

for (entry in o) {
    echo entry.class.toString()
    echo "$entry.key -> $entry.value"
}

The output is:

class org.apache.commons.collections.map.ListOrderedMap$ListOrderedMapEntry
Scripts not permitted to use method org.apache.commons.collections.KeyValue getKey. Administrators can decide whether to approve or reject this signature.

The reason for that is that readJSON returns a net.sf.json.JSONObject, whose entry class is org.apache.commons.collections.map.ListOrderedMap.ListOrderedMapEntry, which implements org.apache.commons.collections.KeyValue, whose members are not whitelisted.

It would be nice if you could do at least one of these:

1. Whitelist org.apache.commons.collections.KeyValue getKey and getValue.
2. Make it so that the existing whitelist entries for java.util.Map.Entry getKey and getValue also apply to org.apache.commons.collections.map.ListOrderedMap.ListOrderedMapEntry, which does implement java.utils.Map.Entry as well.