IG 2023.6

Protecting an application with IG

This section gives a simple example of how to use IG to protect an application. For many more examples of how to protect applications with IG, refer to the Gateway guide.

In the following example, a browser requests access to the sample application, and IG intercepts the request to log the user into the application. The following image shows the flow of data in the example:

hard-coded-login
  1. The browser sends an HTTP GET request to the HTTP server on ig.example.com.

  2. IG replaces the HTTP GET request with an HTTP POST login request containing credentials to authenticate.

  3. The sample application validates the credentials, and returns the page for the user demo.

    If IG did not provide the credentials, or if the sample application couldn’t validate the credentials, the sample application returns the login page.

  4. IG returns this response to the browser.

Configure IG to log you in to an application
  1. Set up IG as described in Downloading, starting, and stopping IG, and the sample application as described in Using the sample application.

  2. Add the following route to serve static resources, such as .css, for the sample application:

    • Linux

    • Windows

    $HOME/.openig/config/routes/static-resources.json
    appdata\OpenIG\config\routes\static-resources.json
    {
      "name" : "sampleapp-resources",
      "baseURI" : "http://app.example.com:8081",
      "condition": "${find(request.uri.path,'^/css')}",
      "handler": "ReverseProxyHandler"
    }
  3. Add the following route to IG:

    • Linux

    • Windows

    $HOME/.openig/config/routes/01-static.json
    appdata\OpenIG\config\routes\01-static.json
    {
      "handler": {
        "type": "Chain",
        "config": {
          "filters": [
            {
              "type": "StaticRequestFilter",
              "config": {
                "method": "POST",
                "uri": "http://app.example.com:8081/login",
                "form": {
                  "username": [
                    "demo"
                  ],
                  "password": [
                    "Ch4ng31t"
                  ]
                }
              }
            }
          ],
          "handler": "ReverseProxyHandler"
        }
      },
      "condition": "${find(request.uri.path, '^/static')}"
    }

    Notice the following features of the route:

    • The route matches requests to /static.

    • The StaticRequestFilter replaces the request with an HTTP POST, specifying the resource to post the request to, and a form to include in the request. The form includes credentials for the username demo.

    • The ReverseProxyHandler replays the request to the sample application.

  4. Check that the route system log includes a message that the new files are loaded into the config:

    INFO  o.f.o.handler.router.RouterHandler - Loaded the route with id 'static-resources' registered with the name 'static-resources'
    INFO  o.f.o.handler.router.RouterHandler - Loaded the route with id '01-static' registered with the name '01-static'
  5. Go to http://ig.example.com:8080/static.

    You are directed to the sample application, and logged in automatically with the username demo.

Copyright © 2010-2023 ForgeRock, all rights reserved.