Login Which Requires a Hidden Value From the Login Page
This template route extracts a hidden value from the login page and includes it in the static login form that it then POSTs to the target application.
{
  "properties": {
    "appBaseUri": "https://app.example.com:8444"
  },
  "heap": [
    {
      "name": "ReverseProxyHandler",
      "type": "ReverseProxyHandler",
      "comment": "Testing only: blindly trust the server cert for HTTPS.",
      "config": {
        "tls": {
          "type": "ClientTlsOptions",
          "config": {
            "trustManager": {
              "type": "TrustAllManager"
            }
          }
        },
        "hostnameVerifier": "ALLOW_ALL"
      }
    }
  ],
  "handler": {
    "type": "Chain",
    "config": {
      "filters": [
        {
          "type": "PasswordReplayFilter",
          "config": {
            "loginPage": "${request.uri.path == '/login'}",
            "loginPageExtractions": [
              {
                "name": "hidden",
                "pattern": "loginToken\\s+value=\"(.*)\""
              }
            ],
            "request": {
              "method": "POST",
              "uri": "${appBaseUri}/login",
              "form": {
                "username": [
                  "MY_USERNAME"
                ],
                "password": [
                  "MY_PASSWORD"
                ],
                "hiddenValue": [
                  "${attributes.extracted.hidden}"
                ]
              }
            }
          }
        }
      ],
      "handler": "ReverseProxyHandler"
    }
  },
  "condition": "${matches(request.uri.query, 'demo=hidden')}",
  "baseURI": "${appBaseUri}"
}
The parameters in the PasswordReplayFilter form, MY_USERNAME and MY_PASSWORD, can have string values or can use expressions.
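To make the loginPageExtractions step concrete, the following is an added Python model of what the filter does with the login page: detect it by path, run the extraction pattern over the body, and fill the replayed form from the captured value. It is not IG code (IG is Java and the PasswordReplayFilter is implemented there), and the login page body is constructed for this example rather than taken from the sample application. It uses the route's own pattern, loginToken\s+value="(.*)", and additionally shows what the greedy (.*) captures when another quoted attribute follows the value on the same line, compared with a tighter pattern, [^"]*, which is not from the page.

```python
import re

# Constructed sample login page (not the IG sample application's page).
# The hidden input is written so that the route's pattern matches it.
SAMPLE_LOGIN_PAGE = """<html><body>
<form method="post" action="/login">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="hiddenValue" data-loginToken value="tok-4f2a9c">
  <input type="submit" value="Log in">
</form>
</body></html>
"""

# Constructed single-line variant where another quoted attribute follows
# the value; used to show how the greedy (.*) behaves.
GREEDY_TRAP_PAGE = (
    '<input type="hidden" name="hiddenValue" '
    'data-loginToken value="tok-4f2a9c" class="token">'
)

# The route's loginPageExtractions entry. The JSON string
# "loginToken\\s+value=\"(.*)\"" is the regex loginToken\s+value="(.*)".
EXTRACTIONS = [{"name": "hidden", "pattern": r'loginToken\s+value="(.*)"'}]

# Tighter alternative (not from the page): stop at the first closing quote.
TIGHT_EXTRACTIONS = [{"name": "hidden", "pattern": r'loginToken\s+value="([^"]*)"'}]


def is_login_page(path: str) -> bool:
    """Stand-in for the route's loginPage expression ${request.uri.path == '/login'}."""
    return path == "/login"


def extract(page: str, extractions) -> dict:
    """Run each extraction pattern over the page body.

    The first capture group of the first match is stored under the
    extraction's name, mirroring what the route references as
    ${attributes.extracted.hidden}. Assumption for this model: a pattern
    that does not match simply produces no entry.
    """
    found = {}
    for ext in extractions:
        match = re.search(ext["pattern"], page)
        if match:
            found[ext["name"]] = match.group(1)
    return found


def build_login_form(username: str, password: str, extracted: dict) -> dict:
    """Build the replayed form body from the route's "form" section.

    Values are lists, as in the route. Assumption: a missing extraction
    is sent as an empty string here; IG's own handling of an unset
    attribute is not modelled.
    """
    return {
        "username": [username],
        "password": [password],
        "hiddenValue": [extracted.get("hidden", "")],
    }


if __name__ == "__main__":
    if is_login_page("/login"):
        captured = extract(SAMPLE_LOGIN_PAGE, EXTRACTIONS)
        print("extracted:", captured)
        print("form:", build_login_form("MY_USERNAME", "MY_PASSWORD", captured))
    print("greedy capture:", extract(GREEDY_TRAP_PAGE, EXTRACTIONS))
    print("tight capture: ", extract(GREEDY_TRAP_PAGE, TIGHT_EXTRACTIONS))
```

On the multi-line page the route's pattern captures exactly tok-4f2a9c, because . does not cross a newline and the greedy group backtracks to the last quote on that line. On the single-line variant the same pattern captures tok-4f2a9c" class="token, so the replayed hiddenValue would be wrong; when adapting loginPageExtractions to a real application, check the captured value against the page markup rather than assuming the first quote ends the match.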
To try this example with the sample application:
1. Add the following route to IG:
$HOME/.openig/config/routes/24-hidden.json
%appdata%\OpenIG\config\routes\24-hidden.json
Replace MY_USERNAME with scarter, and MY_PASSWORD with S9rain12.
2. Add the following route to serve static resources, such as .css, for the sample application:
$HOME/.openig/config/routes/static-resources.json
%appdata%\OpenIG\config\routes\static-resources.json
{
  "name": "sampleapp_resources",
  "baseURI": "http://app.example.com:8081",
  "condition": "${matches(request.uri.path,'^/css')}",
  "handler": "ReverseProxyHandler"
}
To use this as a default route with a real application:
1. Replace the test ReverseProxyHandler with one that is configured to trust the application's public key server certificate. Alternatively, use a ReverseProxyHandler that references a truststore holding the certificate.
2. Configure the ReverseProxyHandler to strictly verify hostnames for outgoing SSL connections.
In production, do not use TrustAllManager for TrustManager, or ALLOW_ALL for hostname verification. For information, see "ReverseProxyHandler".
3. Change the loginPage, loginPageExtractions, uri, and form to match the target application.
4. Remove the route-level condition on the handler that specifies a demo query string parameter.