FragmentFilter
Tracks the fragment part of a URI when a request triggers a login redirect, as follows:
- Before authentication, the filter captures the URI fragment and stores it in a cookie.
- After authentication, when the request is reissued to the original URI, the filter redirects the browser to the original URI, including any URI fragment.
The full fragment capture process is described in URI fragments in redirect.
The FragmentFilter does not handle multiple fragment captures in parallel. If a fragment capture is already in progress when IG performs another login redirect, no second fragment capture is started and that fragment is lost.
Use this filter with SingleSignOnFilter, CrossDomainSingleSignOnFilter, AuthorizationCodeOAuth2ClientFilter, and PolicyEnforcementFilter. This filter is not required for SAML because the final redirect is done with a DispatchHandler and a StaticResponseFilter.
Usage
{
  "name": string,
  "type": "FragmentFilter",
  "config": {
    "fragmentCaptureEndpoint": configuration expression<string>,
    "noJavaScriptMessage": configuration expression<string>,
    "cookie": object
  }
}
"fragmentCaptureEndpoint": configuration expression<string>, required
The IG endpoint used to capture the fragment form data. Configure the endpoint to match the condition of the route in which the filter is used.
"noJavaScriptMessage": configuration expression<string>, optional
A message to display on the fragment form when JavaScript is not enabled.
Default: No message
"cookie": object, optional
The configuration of the cookie used to store the fragment information.
{
  "name": configuration expression<string>,
  "domain": configuration expression<string>,
  "httpOnly": configuration expression<boolean>,
  "path": configuration expression<string>,
  "sameSite": configuration expression<enumeration>,
  "secure": configuration expression<boolean>,
  "maxAge": configuration expression<duration>
}
"name": configuration expression<string>, optional
Cookie name.
Default: ig-fragment-cookie
"domain": configuration expression<string>, optional
Domain to which the cookie applies.
Default: The fully qualified hostname of the IG host.
"httpOnly": configuration expression<boolean>, optional
Flag to mitigate the risk of client-side scripts accessing protected cookies.
Default: true
"path": configuration expression<string>, optional
Path to apply to the cookie.
Default: /
"sameSite": configuration expression<enumeration>, optional
Options to manage the circumstances in which a cookie is sent to the server. Use one of the following values to reduce the risk of CSRF attacks:
- STRICT: Send the cookie only if the request was initiated from the cookie domain. Not case-sensitive. Use this value to reduce the risk of cross-site request forgery (CSRF) attacks.
- LAX: Send the cookie only with GET requests in a first-party context, where the URL in the address bar matches the cookie domain. Not case-sensitive. Use this value to reduce the risk of cross-site request forgery (CSRF) attacks.
- NONE: Send the cookie whenever a request is made to the cookie domain. Not case-sensitive. With this setting, set secure to true, because browsers reject a SameSite=None cookie that is not also marked Secure. For more information, refer to SameSite cookies.
Default: LAX
"secure": configuration expression<boolean>, optional
Flag to limit the scope of the cookie to secure channels.
Default: false
"maxAge": configuration expression<duration>, optional
The maximum duration for which the FragmentFilter cookie can be valid. When this maxAge is greater than the browser's maximum internal value, the browser value takes precedence.
Default: 1 hour
Example
For an example of how the FragmentFilter is used in an SSO flow, refer to URI fragments in redirect.
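The following route is an added illustration, not the configuration from URI fragments in redirect or from the IG distribution. It places a FragmentFilter ahead of a SingleSignOnFilter so that the FragmentFilter sees the login redirect the SSO filter issues, and sets the fragment cookie to Secure. The route name, the path /home/sso, the capture endpoint /home/sso/fragment-capture, and the heap object AmService (assumed to be declared in config.json) are assumptions for the example:

```json
{
  "name": "home-sso-with-fragment",
  "condition": "${matches(request.uri.path, '^/home/sso')}",
  "handler": {
    "type": "Chain",
    "config": {
      "filters": [
        {
          "name": "FragmentFilter-1",
          "type": "FragmentFilter",
          "config": {
            "fragmentCaptureEndpoint": "/home/sso/fragment-capture",
            "noJavaScriptMessage": "Enable JavaScript to complete the login.",
            "cookie": {
              "name": "ig-fragment-cookie",
              "httpOnly": true,
              "secure": true,
              "sameSite": "LAX",
              "path": "/home/sso",
              "maxAge": "10 minutes"
            }
          }
        },
        {
          "name": "SingleSignOnFilter-1",
          "type": "SingleSignOnFilter",
          "config": {
            "amService": "AmService"
          }
        }
      ],
      "handler": "ReverseProxyHandler"
    }
  }
}
```

Two points to check against this example. First, the capture endpoint /home/sso/fragment-capture matches the route condition ^/home/sso, as the fragmentCaptureEndpoint description requires; an endpoint outside the route's condition is never reached by this filter. Second, the cookie keeps the default LAX rather than STRICT: the request that carries the fragment cookie back to IG is the top-level navigation that follows the redirect from the authentication server, and if that server is on a different site a STRICT cookie is withheld from that navigation and the fragment is lost. Setting secure to true and scoping the path to the route limits where the fragment value, which may contain application state, is transmitted.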