Custom Header to CDSSO Route


  • #24825
     reeprice 
    Participant

    I have followed the Getting Started Guide and Gateway Guide to set up IG. I have created a route that works as PEP and CDSSO. I would like to add some custom headers that get sent back to the application. I cannot seem to get this to work. I have copied the code below. I am not sure if there is some order-of-operations information that I am missing, but any assistance would be appreciated.

    "handler" : {
        "type" : "Chain",
        "config" : {
          "filters" : [ 
    	  {
    	  "name": "HeaderFilter-InjectUserAttributes-1",
                "type": "HeaderFilter",
                "config": {
                  "messageType": "REQUEST",
                  "add": {
                    "custom1": ["someaddress" ] 
                  }
                }
    	 },
    	 {
            "name" : "CrossDomainSingleSignOnFilter-1",
            "type" : "CrossDomainSingleSignOnFilter",
            "config" : {
              "redirectEndpoint" : "/home/pep-cdsso/redirect",
              "authCookie" : {
                "path" : "/home",
                "name" : "ig-token-cookie"
              },
              "amService" : "AmService-1"
            }
    		
          },
    	  {
    	  "name": "HeaderFilter-InjectUserAttributes-2",
                "type": "HeaderFilter",
                "config": {
                  "messageType": "RESPONSE",
                  "add": {
                    "mail": [ "someaddress" ] 
                  }
                }
    	 },
    	  {
            "name" : "PolicyEnforcementFilter-1",
            "type" : "PolicyEnforcementFilter",
            "config" : {
              "pepRealm" : "/",
              "application" : "PEP-CDSSO",
              "ssoTokenSubject" : "${contexts.cdsso.token}",
              "amService" : "AmService-1"
            }
          }
    	  ],
          "handler" : "ReverseProxyHandler"
        }
      }

    Thanks,
    Reece

    #24831
     srinath.m 
    Participant

    Hi @reeprice,

    You can add custom headers to the request by using a customized filter, as in the sample below, and then sending the request on to the downstream server. You can find more info here

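    A sample route looks like the one below. The host names, the policy set name and the pepPassword are sample values; in a real deployment, keep the password out of the plain-text route file.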

    {
    	"handler": {
    		"type": "DispatchHandler",
    		"config": {
    			"bindings": [{
    				"condition": "${request.cookies['iPlanetDirectoryPro'] == null}",
    				"handler": {
    					"type": "StaticResponseHandler",
    					"config": {
    						"status": 401,
    						"reason": "Unauthorized Access",
    						"entity": "Unauthorized Access"
    					}
    				}
    			},
    			{
    				"comment": "This condition is optional, but included for clarity.",
    				"condition": "${request.cookies['iPlanetDirectoryPro'] != null}",
    				"handler": {
    					"type": "Chain",
    					"config": {
    						"filters": [{
    							"name": "SwitchFilter",
    							"type": "SwitchFilter",
    							"config": {
    								"onResponse": [{
    									"condition": "${response.status.code == 401}",
    									"handler": {
    										"name": "ErrorResponse",
    										"type": "StaticResponseHandler",
    										"config": {
    											"status": 401,
    											"entity": "Authorization Failure"
    										}
    									}
    								}]
    							}
    						},
    						{
    							"name": "AuthZPolicyEvaluationFilter",
    							"type": "PolicyEnforcementFilter",
    							"config": {
    								"openamUrl": "http://openam.example.com:8080/openam/",
    								"pepUsername": "PolicyAdmin",
    								"pepPassword": "Passw0rd",
    								"ssoTokenSubject": "${request.cookies['iPlanetDirectoryPro'][0].value}",
    								"application": "SampleAuthZPolitySet",
    								"cacheMaxExpiration": "5 minutes"
    							}
    						},
    						{
    							"name": "CustomJWTFilter",
    							"type": "com.openig.filter.CustomJWTFilter",
    							"config": {
    								"X-APPLICATION-NAME": "SAMPLEAPP"
    							}
    						},
    						{
    							"name": "FailedJWTFilterSwitch",
    							"type": "SwitchFilter",
    							"config": {
    								"onRequest": [{
    									"condition": "${request.headers['FilterStatus'][0] == 'FAILED'}",
    									"handler": {
    										"name": "FilterFailureHandler",
    										"type": "StaticResponseHandler",
    										"config": {
    											"status": 400,
    											"reason": "Filter failed",
    											"entity": "<html><h2>${request.headers['ErrorMessage'][0]}</h2></html>"
    										}
    									}
    								},
                                                                    {
                                                                            "condition": "${request.headers['FilterStatus'][0] == 'SESSIONEXPIRED'}",
                                                                            "handler": {
                                                                                    "name": "SessionExpiredFilterHandler",
                                                                                    "type": "StaticResponseHandler",
                                                                                    "config": {
                                                                                            "status": 401,
                                                                                            "reason": "Session expired",
                                                                                            "entity": "<html><h2>${request.headers['ErrorMessage'][0]}</h2></html>"
                                                                                    }
                                                                            }
                                                                    }]
    							}
    						}],
    						"handler": {
    							"name": "CustomAPIHandler",
    							"type": "ClientHandler",
    							"baseURI":"http://downstream.example.com:80/",
                                                            "config": {
                                                                    "soTimeout": "600 seconds"
                                                            }
    						}
    					}
    				}
    			}]
    		}
    	},
    	"condition":"${contains(request.uri.path, 'backendapp')}"
    }

    Hope it helps.

    Thanks,
    Srinath

    #24850
     srinath.m 
    Participant

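    We have used this customized filter to get all the roles and groups from the OpenAM REST API, trim the unwanted OU (Organizational Unit) from the API response, place the finalized roles and groups in the request header, and pass it to the downstream app server. Once the downstream app server receives this request, it decides the authorization based on the roles and groups. Since the app server trusts these headers, the gateway should drop any client-supplied copies of them before the filter sets its own, and the app server should only be reachable through the gateway.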

    There are probably other ways to achieve this, but this is the method we used.

    Thanks,
    Srinath
