PasswordReplayFilter
Extracts credentials from AM and replays them to a login page or to the next filter or handler in the chain. The PasswordReplayFilter does not retry failed authentication attempts.
|
The PasswordReplayFilter filter uses the AM Post Authentication Plugin
Don’t use the PasswordReplayFilter with AM authentication trees. |
Usage
{
"name": string,
"type": "PasswordReplayFilter",
"config": {
"request": object,
"loginPage": runtime expression<boolean>,
"loginPageContentMarker": pattern,
"credentials": Filter reference,
"loginPageExtractions": [ object, ... ]
}
}Properties
"request": <object>, required-
The HTTP request message that replays the credentials.
{ "request": object, "method": config expression<string>, "uri": runtime expression<string>, "version": configuration expression<string>, "entity": runtime expression<string>, "headers": map, "form": map }For information about the properties of `request`refer to Request.
The JSON object of
requestis theconfigcontent of a StaticRequestFilter. "loginPage": runtime expression<boolean>, required unlessloginPageContentMarkeris defined-
true: Direct the request to a login page, extract credentials, and replay them.false: Pass the request unchanged to the next filter or handler in the chain.The following example expression resolves to
truewhen the request is an HTTP GET, and the request URI path is/login:${find(request.uri.path, '/login') and (request.method == 'GET')} "loginPageContentMarker": pattern, required unlessloginPageis defined-
A pattern that matches when a response entity is a login page.
For an example route that uses this property, refer to Login form with password replay and cookie filters.
See also Patterns.
"credentials": Filter reference, optional-
Filter that injects credentials, making them available for replay. Consider using a
FileAttributesFilteror anSqlAttributesFilter.When this is not specified, credentials must be made available to the request by other means.
See also Filters.
"loginPageExtractions": array of <objects>, optional-
Objects to extract values from the login page entity.
{ "loginPageExtractions": [ { "name": string, "pattern": pattern }, ... ] }For an example route that uses this property, refer to Login which requires a hidden value from the login page.
The extract configuration array is a series of configuration objects. To extract multiple values, use multiple extract configuration objects. Each object has the following fields:
"name": string, required-
Name of the field where the extracted value is put.
The names are mapped into
attributes.extracted.For example, if the name is
nonce, the value can be obtained with the expression${attributes.extracted.nonce}.The name
isLoginPageis reserved to hold a boolean that indicates whether the response entity is a login page. "pattern": pattern, required-
The regular expression pattern to find in the entity.
The pattern must contain one capturing group. (If it contains more than one, only the value matching the first group is placed into
attributes.extracted.)For example, suppose the login page entity contains a nonce required to authenticate, and the nonce in the page looks like
nonce='n-0S6_WzA2Mj'. To extractn-0S6_WzA2Mj, set"pattern": " nonce='(.*)'".
Example
The following example authenticates requests using static credentials when the
request URI path is /login. This PasswordReplayFilter example does not
include any mechanism for remembering when authentication has already been
successful, it simply replays the authentication every time that the request
URI path is /login:
{
"handler": {
"type": "Chain",
"config": {
"filters": [{
"type": "PasswordReplayFilter",
"config": {
"loginPage": "${request.uri.path == '/login'}",
"request": {
"method": "POST",
"uri": "https://www.example.com:8444/login",
"form": {
"username": [
"MY_USERNAME"
],
"password": [
"MY_PASSWORD"
]
}
}
}
}],
"handler": "ReverseProxyHandler"
}
}
}For additional examples, refer to Configuration templates, and the Javadoc for the PasswordReplayFilter class.