Message Capture with OpenIG

This blog post was first published @ http://identityrocks.blogspot.fr/, included here with permission.

Setting up protection for a web application or API is much easier if you know what is actually going on between client and server.

OpenIG functions by the concept of a reverse web proxy, primarily with the objective to enforce authentication and authorization. However it also allows to simply log inbound and outbound messages to a file.

The OpenIG Studio provides a straightforward way to configure capture inbound and outbound messages.

 

The capture is logged by default in the route-rocksock.log file. In this example, openig.example.com is the external hostname which hits OpenIG. The internal hostname is internal.company.com. This is not know to the client but configured in the route configuration for /rocksock in OpenIG.

 

 

 
The route-rocksock.log file from the example :

--- (request) id:0307be7f-3166-4dde-bf08-698dd82c2c5b-178 --->    

GET http://openig.example.com:8080/rocksock/ HTTP/1.1
accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-encoding: gzip, deflate
accept-language: en;q=1,de;q=0.9,en-US;q=0.8,fr-FR;q=0.7,it;q=0.6
connection: keep-alive
host: openig.example.com:8080
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0) Gecko/20100101 Firefox/36.0 SeaMonkey/2.33.1

--- (request) id:0307be7f-3166-4dde-bf08-698dd82c2c5b-178 --->

GET http://internal.company.com:9080/rocksock/ HTTP/1.1
accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-encoding: gzip, deflate
accept-language: en;q=1,de;q=0.9,en-US;q=0.8,fr-FR;q=0.7,it;q=0.6
connection: keep-alive
host: openig.example.com:8080
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0) Gecko/20100101 Firefox/36.0 SeaMonkey/2.33.1

<--- (response) id:0307be7f-3166-4dde-bf08-698dd82c2c5b-178 ---

HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 42
Content-Type: text/html
Date: Tue, 25 Oct 2016 16:13:48 GMT
ETag: W/"42-1477411512000"
Last-Modified: Tue, 25 Oct 2016 16:05:12 GMT

[entity]

<--- (response) id:0307be7f-3166-4dde-bf08-698dd82c2c5b-178 ---

HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 42
Content-Type: text/html
Date: Tue, 25 Oct 2016 16:13:48 GMT
ETag: W/"42-1477411512000"
Last-Modified: Tue, 25 Oct 2016 16:05:12 GMT

[entity]

The route configuration as produced by the OpenIG Studio looks as follows :

{
  "name": "rocksock",
  "baseURI": "http://internal.company.com:9080",
  "condition": "${matches(request.uri.path, '^/rocksock')}",
  "monitor": false,
  "capture": [
    "request",
    "response"
  ],
  "heap": [
    {
      "type": "ClientHandler",
      "name": "ClientHandler",
      "capture": [
        "request",
        "response"
      ]
    }
  ],
  "handler": "ClientHandler"
}
The IG studio will be shipped with ForgeRock Identity Gateway 5.0. For more, see the OpenIG Studio introduction .

 

1 Comment

Comments are closed.

  1. chen369 3 years ago

    Cant wait for a 5.0 Release :)

©2019 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?