PingGateway 2024.6

Protect an application with PingGateway

This section gives a simple example of how to use PingGateway to protect an application. For many more examples of how to protect applications with PingGateway, refer to the Gateway guide.

In the following example, a browser requests access to the sample application, and PingGateway intercepts the request to log the user into the application. The following image shows the flow of data in the example:

hard-coded-login

  1. The browser sends an HTTP GET request to the HTTP server on ig.example.com.

  2. PingGateway replaces the HTTP GET request with an HTTP POST login request containing credentials to authenticate.

  3. The sample application validates the credentials, and returns the page for the user demo.

    If PingGateway did not provide the credentials, or if the sample application couldn’t validate the credentials, the sample application returns the login page.

  4. PingGateway returns this response to the browser.

Configure PingGateway to log you in to an application

  1. Set up PingGateway and the sample application as described in this guide.

  2. Add the following route to PingGateway to serve the sample application .css and other static resources:

    • Linux

    • Windows

    $HOME/.openig/config/routes/00-static-resources.json
    appdata\OpenIG\config\routes\00-static-resources.json
    {
  "name" : "00-static-resources",
  "baseURI" : "http://app.example.com:8081",
  "condition": "${find(request.uri.path,'^/css') or matchesWithRegex(request.uri.path, '^/.*\\\\.ico$') or matchesWithRegex(request.uri.path, '^/.*\\\\.gif$')}",
  "handler": "ReverseProxyHandler"
}

  3. Add the following route to PingGateway:

    • Linux

    • Windows

    $HOME/.openig/config/routes/01-static.json
    appdata\OpenIG\config\routes\01-static.json
    {
  "handler": {
    "type": "Chain",
    "config": {
      "filters": [
        {
          "type": "StaticRequestFilter",
          "config": {
            "method": "POST",
            "uri": "http://app.example.com:8081/login",
            "form": {
              "username": [
                "demo"
              ],
              "password": [
                "Ch4ng31t"
              ]
            }
          }
        }
      ],
      "handler": "ReverseProxyHandler"
    }
  },
  "condition": "${find(request.uri.path, '^/static')}"
}

    Notice the following features of the route:

    • The route matches requests to /static.

    • The StaticRequestFilter replaces the request with an HTTP POST, specifying the resource to post the request to, and a form to include in the request. The form includes credentials for the username demo.

    • The ReverseProxyHandler replays the request to the sample application.

  4. Check that the route system log includes a message that the new files are loaded into the config:

    INFO  o.f.o.handler.router.RouterHandler - Loaded the route with id '00-static-resources' registered with the name '00-static-resources'
INFO  o.f.o.handler.router.RouterHandler - Loaded the route with id '01-static' registered with the name '01-static'

  5. Go to http://ig.example.com:8080/static.

    You are directed to the sample application, and logged in automatically with the username demo.

Copyright © 2010-2024 ForgeRock, all rights reserved.