PasswordReplayFilter
For requests directed to a login page, this filter extracts credentials and replays them against the login endpoint.
Requests that are not directed to the login page are passed along to the next filter or handler in the chain.
The PasswordReplayFilter does not retry failed authentication attempts.
Usage
{
    "name": string,
    "type": "PasswordReplayFilter",
    "config": {
        "request": request configuration object,
        "loginPage": runtime expression<boolean>,
        "loginPageContentMarker": pattern,
        "credentials": Filter reference,
        "headerDecryption": crypto configuration object,
        "loginPageExtractions": [ extract configuration object, ... ]
    }
}
Properties
"request": request configuration object, required
The request that replays the credentials. The JSON object of request is the config content of a StaticRequestFilter. It has the following fields:

    "method": string, required
    The HTTP method to be performed on the resource, such as GET or POST.

    "uri": uri string, required
    The fully qualified URI of the resource to access, such as http://www.example.com/login.

    "entity": expression, optional
    The entity body to include in the request. When the method is set to POST, this setting is mutually exclusive with form.
    See also Expressions.

    "form": object, optional
    A form to include in the request. Each key is a form parameter name (param). Its value is an array of expressions to evaluate as form field values. When the method is set to POST, this setting is mutually exclusive with entity.

    "headers": object, optional
    Header fields to set in the request. Each key is a header name (name). Its value is an array of expressions to evaluate as header values.

    "version": string, optional
    The HTTP protocol version.
    Default: "HTTP/1.1".
"loginPage": runtime expression<boolean>, required unless loginPageContentMarker is defined
When the expression evaluates to true, direct the request to a login page, extract credentials, and replay them. When false, pass the request unchanged to the next filter or handler in the chain.
The following example expression resolves to true when the request is an HTTP GET and the request URI path is /login:

    ${matches(request.uri.path, '/login') and (request.method == 'GET')}
"loginPageContentMarker": pattern, required unless loginPage is defined
A pattern that matches when a response entity is that of a login page. Use this when the login page cannot be identified from the request alone, for example because the protected application redirects to it or serves it in place of the requested resource.
For an example route that uses this property, see Login Form With Password Replay and Cookie Filters.
See also Patterns.
"credentials": Filter reference, optional
Filter that injects credentials, making them available for replay. Consider using a FileAttributesFilter or an SqlAttributesFilter.
When this is not specified, credentials must be made available to the request by other means.
See also Filters.
"headerDecryption": crypto configuration object, optional
Object to decrypt request headers that contain credentials to replay. The crypto configuration object has the following fields:

    "key": expression, required
    Base64-encoded key value.
    See also Expressions.

    "algorithm": string, optional
    Algorithm used for decryption. Use the same algorithm that is used to send the encrypted credentials.
    Default: AES/ECB/PKCS5Padding

    "keyType": string, optional
    Algorithm name for the secret key.
    Default: AES

    "headers": array of strings, optional
    The names of header fields to decrypt.
    Default: Do not decrypt any headers.

Note that ECB mode provides no integrity protection and encrypts identical plaintext blocks to identical ciphertext blocks. Header decryption protects credentials from casual exposure between the component that sets the headers and the gateway; it does not replace TLS on that hop, and the key expression should resolve to a secret that is not stored in clear text in the route configuration.
"loginPageExtractions": extract configuration array, optional
Objects to extract values from the login page entity.
For an example route that uses this property, see Login Which Requires a Hidden Value From the Login Page.
The extract configuration array is a series of configuration objects. To extract multiple values, use multiple extract configuration objects. Each object has the following fields:

    "name": string, required
    Name of the field where the extracted value is put. The names are mapped into attributes.extracted. For example, if the name is nonce, the value can be obtained with the expression ${attributes.extracted.nonce}.
    The name isLoginPage is reserved to hold a boolean that indicates whether the response entity is a login page.

    "pattern": pattern, required
    The regular expression pattern to find in the entity. The pattern must contain one capturing group. (If it contains more than one, only the value matching the first group is placed into attributes.extracted.)
    For example, suppose the login page entity contains a nonce required to authenticate, and the nonce in the page looks like nonce='n-0S6_WzA2Mj'. To extract n-0S6_WzA2Mj, set "pattern": " nonce='(.*)'".
    See also Patterns.
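The following added example (not code from the original documentation or from the gateway itself) simulates what loginPageContentMarker and loginPageExtractions place into attributes.extracted, using Python's re module as a stand-in for the gateway's Java regex engine; the simple patterns involved behave the same in both. The login page HTML, the marker pattern action="/login", and the csrf value on the script line are all constructed for this example. It also shows a practical caveat with the page's own " nonce='(.*)'" pattern: .* is greedy, so if anything else quoted with ' follows the nonce on the same line, the capture runs past the closing quote. A character class such as [^']* stops at the first closing quote instead.

```python
import re

# Constructed sample login page (not from the original documentation). The
# script line deliberately carries a second single-quoted value after the
# nonce so that the greedy and the tightened patterns produce different results.
LOGIN_PAGE = """<html><body>
<form method="post" action="/login">
  <input type="hidden" name="nonce" value="n-0S6_WzA2Mj">
  <script>var nonce='n-0S6_WzA2Mj'; var csrf='abc123';</script>
</form></body></html>"""

# Constructed non-login response, to show the marker not matching.
NOT_LOGIN_PAGE = "<html><body>Welcome back, you are already signed in.</body></html>"

# loginPageContentMarker: a pattern that only occurs on the login page (assumed).
LOGIN_PAGE_MARKER = r'action="/login"'

# Two loginPageExtractions configurations: the page's example pattern, and a
# tightened variant that cannot run past the closing quote.
EXTRACTIONS_GREEDY = [{"name": "nonce", "pattern": " nonce='(.*)'"}]
EXTRACTIONS_TIGHT = [{"name": "nonce", "pattern": " nonce='([^']*)'"}]


def extract_from_login_page(entity, marker, extractions):
    """Simulate the contents of attributes.extracted for one response entity.

    Mirrors the documented behaviour: the reserved name isLoginPage records
    whether the marker matched, and for every extraction the text captured by
    the first capturing group is stored under the configured name. Entries
    whose pattern does not match are simply absent from the result.
    """
    extracted = {"isLoginPage": re.search(marker, entity) is not None}
    for item in extractions:
        match = re.search(item["pattern"], entity)
        if match is not None and match.groups():
            extracted[item["name"]] = match.group(1)  # only group 1 is kept
    return extracted


if __name__ == "__main__":
    for label, extractions in (("greedy", EXTRACTIONS_GREEDY), ("tight", EXTRACTIONS_TIGHT)):
        print(label, extract_from_login_page(LOGIN_PAGE, LOGIN_PAGE_MARKER, extractions))
    print("other", extract_from_login_page(NOT_LOGIN_PAGE, LOGIN_PAGE_MARKER, EXTRACTIONS_TIGHT))
```

With the greedy pattern the extracted nonce is n-0S6_WzA2Mj'; var csrf='abc123, which would make the replayed login fail; the tightened pattern yields n-0S6_WzA2Mj. Anchor the pattern as precisely as the page allows (the attribute or variable name, the quote style) rather than relying on .* to stop at the right place.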
Example
The following example authenticates requests using static credentials when the request URI path is /login. This PasswordReplayFilter example does not include any mechanism for remembering when authentication has already been successful; it simply replays the authentication every time the request URI path is /login:
{
    "handler": {
        "type": "Chain",
        "config": {
            "filters": [
                {
                    "type": "PasswordReplayFilter",
                    "config": {
                        "loginPage": "${request.uri.path == '/login'}",
                        "request": {
                            "method": "POST",
                            "uri": "https://www.example.com:8444/login",
                            "form": {
                                "username": [
                                    "MY_USERNAME"
                                ],
                                "password": [
                                    "MY_PASSWORD"
                                ]
                            }
                        }
                    }
                }
            ],
            "handler": "ReverseProxyHandler"
        }
    }
}
For additional examples, see Configuration Templates, and the Javadoc for the PasswordReplayFilter class.