Login Which Requires a Hidden Value From the Login Page
This template route extracts a hidden value from the login page, and includes it in the static login form that it then POSTs to the target application.
{
  "properties": {
    "appBaseUri": "https://app.example.com:8444"
  },
  "heap": [
    {
      "name": "ReverseProxyHandler",
      "type": "ReverseProxyHandler",
      "comment": "Testing only: blindly trust the server cert for HTTPS.",
      "config": {
        "tls": {
          "type": "ClientTlsOptions",
          "config": {
            "trustManager": {
              "type": "TrustAllManager"
            }
          }
        },
        "hostnameVerifier": "ALLOW_ALL"
      }
    }
  ],
  "handler": {
    "type": "Chain",
    "config": {
      "filters": [
        {
          "type": "PasswordReplayFilter",
          "config": {
            "loginPage": "${request.uri.path == '/login'}",
            "loginPageExtractions": [
              {
                "name": "hidden",
                "pattern": "loginToken\\s+value=\"(.*)\""
              }
            ],
            "request": {
              "method": "POST",
              "uri": "${appBaseUri}/login",
              "form": {
                "username": [ "MY_USERNAME" ],
                "password": [ "MY_PASSWORD" ],
                "hiddenValue": [ "${attributes.extracted.hidden}" ]
              }
            }
          }
        }
      ],
      "handler": "ReverseProxyHandler"
    }
  },
  "condition": "${matches(request.uri.query, 'demo=hidden')}",
  "baseURI": "${appBaseUri}"
}
The parameters in the PasswordReplayFilter form, MY_USERNAME and MY_PASSWORD, can have string values or can use expressions.
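As an added check (not IG's code and not part of this template), the following Python dry-run applies the route's loginPageExtractions pattern and form to constructed login-page markup, showing what attributes.extracted.hidden would hold, what the replayed form would contain, and how the greedy (.*) in the pattern captures past the value when another quoted attribute follows on the same line. It assumes, as the template relies on, that the first capturing group supplies the extracted value; the markup is constructed, since the sample application's page is not shown here.

```python
import json
import re

# Constructed: the loginPageExtractions and form settings copied from the template route above.
ROUTE_FRAGMENT = json.loads(r'''{
  "loginPageExtractions": [
    { "name": "hidden", "pattern": "loginToken\\s+value=\"(.*)\"" }
  ],
  "form": {
    "username": ["MY_USERNAME"],
    "password": ["MY_PASSWORD"],
    "hiddenValue": ["${attributes.extracted.hidden}"]
  }
}''')

# Constructed login page markup; the sample application's real markup is not shown on this page.
PAGE_OK = '<form action="/login">\n<input type="hidden" name="hiddenValue" loginToken value="tok-123">\n</form>'
# Same field with a trailing attribute on the line: the greedy (.*) runs on to the last quote.
PAGE_GREEDY = '<input type="hidden" name="hiddenValue" loginToken value="tok-123" id="tok">'

# Matches the ${attributes.extracted.<name>} references used in the form.
EXTRACTED_REF = re.compile(r"\$\{attributes\.extracted\.(\w+)\}")


def extract(route, login_page):
    """Apply each loginPageExtractions pattern to the page body (simulation, not IG code).
    Assumes the first capturing group supplies the value; a non-matching pattern yields nothing."""
    extracted = {}
    for item in route["loginPageExtractions"]:
        match = re.search(item["pattern"], login_page)
        if match:
            extracted[item["name"]] = match.group(1)
    return extracted


def build_form(route, extracted, username, password):
    """Resolve the replay form: MY_* placeholders and ${attributes.extracted.*} references.
    A reference whose extraction did not match resolves to "" here, so the failure is visible."""
    placeholders = {"MY_USERNAME": username, "MY_PASSWORD": password}
    form = {}
    for field, values in route["form"].items():
        resolved = []
        for value in values:
            value = placeholders.get(value, value)
            value = EXTRACTED_REF.sub(lambda m: extracted.get(m.group(1), ""), value)
            resolved.append(value)
        form[field] = resolved
    return form
```

Running extract against a saved copy of the real login page before deploying the route shows whether the pattern captures exactly the token or spills into neighbouring attributes.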
To try this example with the sample application:

- Add the following route to IG:

  $HOME/.openig/config/routes/24-hidden.json
  %appdata%\OpenIG\config\routes\24-hidden.json

  Replace MY_USERNAME with scarter, and MY_PASSWORD with S9rain12.

- Add the following route to serve static resources, such as .css, for the sample application:

  $HOME/.openig/config/routes/static-resources.json
  %appdata%\OpenIG\config\routes\static-resources.json

  {
    "name" : "sampleapp_resources",
    "baseURI" : "http://app.example.com:8081",
    "condition": "${matches(request.uri.path,'^/css')}",
    "handler": "ReverseProxyHandler"
  }
To use this as a default route with a real application:

- Replace the test ReverseProxyHandler with one that is configured to trust the application's public key server certificate. Otherwise, use a ReverseProxyHandler that references a truststore holding the certificate.

- Configure the ReverseProxyHandler to strictly verify hostnames for outgoing SSL connections.

  In production, do not use TrustAllManager for TrustManager, or ALLOW_ALL for hostname verification. For information, see "ReverseProxyHandler".

- Change the loginPage, loginPageExtractions, uri, and form to match the target application.

- Remove the route-level condition on the handler that specifies a demo query string parameter.