IG 2023.11

Protect an application with IG

This section gives a simple example of how to use IG to protect an application. For many more examples of how to protect applications with IG, refer to the Gateway guide.

In the following example, a browser requests access to the sample application, and IG intercepts the request to log the user into the application. The following image shows the flow of data in the example:

  1. The browser sends an HTTP GET request to the HTTP server on ig.example.com.

  2. IG replaces the HTTP GET request with an HTTP POST login request containing credentials to authenticate.

  3. The sample application validates the credentials, and returns the page for the user demo.

    If IG did not provide the credentials, or if the sample application couldn’t validate the credentials, the sample application returns the login page.

  4. IG returns this response to the browser.

Configure IG to log you in to an application
  1. Set up IG and the sample application as described in this guide.

  2. Add the following route to IG to serve the sample application .css and other static resources:

    • Linux

    • Windows

      "name" : "00-static-resources",
      "baseURI" : "http://app.example.com:8081",
      "condition": "${find(request.uri.path,'^/css') or matchesWithRegex(request.uri.path, '^/.*\\\\.ico$') or matchesWithRegex(request.uri.path, '^/.*\\\\.gif$')}",
      "handler": "ReverseProxyHandler"
  3. Add the following route to IG:

    • Linux

    • Windows

      "handler": {
        "type": "Chain",
        "config": {
          "filters": [
              "type": "StaticRequestFilter",
              "config": {
                "method": "POST",
                "uri": "http://app.example.com:8081/login",
                "form": {
                  "username": [
                  "password": [
          "handler": "ReverseProxyHandler"
      "condition": "${find(request.uri.path, '^/static')}"

    Notice the following features of the route:

    • The route matches requests to /static.

    • The StaticRequestFilter replaces the request with an HTTP POST, specifying the resource to post the request to, and a form to include in the request. The form includes credentials for the username demo.

    • The ReverseProxyHandler replays the request to the sample application.

  4. Check that the route system log includes a message that the new files are loaded into the config:

    INFO  o.f.o.handler.router.RouterHandler - Loaded the route with id '00-static-resources' registered with the name '00-static-resources'
    INFO  o.f.o.handler.router.RouterHandler - Loaded the route with id '01-static' registered with the name '01-static'
  5. Go to http://ig.example.com:8080/static.

    You are directed to the sample application, and logged in automatically with the username demo.

Copyright © 2010-2024 ForgeRock, all rights reserved.