IG 7.1.2

Protecting an Application With IG

This section gives a simple example of how to use IG to protect an application. For many more examples of how to protect applications with IG, see the Gateway Guide.

In the following example, a browser requests access to the sample application, and IG intercepts the request to log the user into the application. The following image shows the flow of data in the example:

hard-coded-login
  1. The browser sends an HTTP GET request to the HTTP server on openig.example.com.

  2. IG replaces the HTTP GET request with an HTTP POST login request containing credentials to authenticate.

  3. The sample application validates the credentials, and returns the page for the user demo.

    If IG did not provide the credentials, or if the sample application couldn’t validate the credentials, the sample application returns the login page.

  4. IG returns this response to the browser.

Configure IG to Log You in to an Application
  1. Set up IG as described in Downloading and Starting IG, and the sample application as described in Downloading and Starting the Sample Application.

    1. Add the following route to IG, to serve .css and other static resources for the sample application:

      • Linux

      • Windows

      $HOME/.openig/config/routes/static-resources.json
      appdata\OpenIG\config\routes\static-resources.json
      {
        "name" : "sampleapp-resources",
        "baseURI" : "http://app.example.com:8081",
        "condition": "${find(request.uri.path,'^/css')}",
        "handler": "ReverseProxyHandler"
      }
  2. Add the following route to IG:

    • Linux

    • Windows

    $HOME/.openig/config/routes/01-static.json
    appdata\OpenIG\config\routes\01-static.json
    {
      "handler": {
        "type": "Chain",
        "config": {
          "filters": [
            {
              "type": "StaticRequestFilter",
              "config": {
                "method": "POST",
                "uri": "http://app.example.com:8081/login",
                "form": {
                  "username": [
                    "demo"
                  ],
                  "password": [
                    "Ch4ng31t"
                  ]
                }
              }
            }
          ],
          "handler": "ReverseProxyHandler"
        }
      },
      "condition": "${find(request.uri.path, '^/static')}"
    }

    Notice the following features of the route:

    • The route matches requests to /static.

    • The StaticRequestFilter replaces the request with an HTTP POST, specifying the resource to post the request to, and a form to include in the request. The form includes credentials for the username demo.

    • The ReverseProxyHandler replays the request to the sample application.

  3. Check that the route system log includes a message that the new files are loaded into the config:

    INFO  o.f.o.handler.router.RouterHandler - Loaded the route with id 'static-resources' registered with the name 'static-resources'
    INFO  o.f.o.handler.router.RouterHandler - Loaded the route with id '01-static' registered with the name '01-static'
  4. Go to http://openig.example.com:8080/static.

    You are directed to the sample application, and logged in automatically with the username demo.

Copyright © 2010-2023 ForgeRock, all rights reserved.