This topic has 4 replies, 2 voices, and was last updated 3 years, 8 months ago by 
.
-
Posts
-
Hi All,
Our client apps are secured by OpenIG where we have written routes for each application.
Below is one of the example route: 02-test-api.json.{ "handler": { "type": "DispatchHandler", "config": { "bindings": [{ "condition": "${request.cookies['iPlanetDirectoryPro'] == null}", "handler": { "type": "StaticResponseHandler", "config": { "status": 401, "reason": "Unauthorized Access", "entity": "Unauthorized Access" } } }, { "comment": "This condition is optional, but included for clarity.", "condition": "${request.cookies['iPlanetDirectoryPro'] != null}", "handler": { "type": "Chain", "config": { "filters": [{ "name": "SwitchFilter", "type": "SwitchFilter", "config": { "onResponse": [{ "condition": "${response.status.code == 401}", "handler": { "name": "ErrorResponse", "type": "StaticResponseHandler", "config": { "status": 401, "entity": "Authorization Failure" } } }] } }, { "name": "AuthZPolicyEvaluationFilter", "type": "PolicyEnforcementFilter", "config": { "openamUrl": "http://openam.example.com:8080/openam/", "pepUsername": "PolicyAdmin", "pepPassword": "password", "ssoTokenSubject": "${request.cookies['iPlanetDirectoryPro'][0].value}", "application": "TestAuthZPolicySet", "cacheMaxExpiration": "2 minutes" } }, { "name": "CustomFilter", "type": "com.example.openig.filter.CustomFilter", "config": { "X-APPLICATION-NAME": "CustomFilter" } }, { "name": "FailedJWTFilterSwitch", "type": "SwitchFilter", "config": { "onRequest": [{ "condition": "${request.headers['FilterStatus'][0] == 'FAILED'}", "handler": { "name": "FilterFailureHandler", "type": "StaticResponseHandler", "config": { "status": 400, "reason": "Filter failed", "entity": "<html><h2>${request.headers['ErrorMessage'][0]}</h2></html>" } } }, { "condition": "${request.headers['FilterStatus'][0] == 'SESSIONEXPIRED'}", "handler": { "name": "SessionExpiredFilterHandler", "type": "StaticResponseHandler", "config": { "status": 401, "reason": "Session expired", "entity": "<html><h2>${request.headers['ErrorMessage'][0]}</h2></html>" } } }] } }], "handler": { "name": "testHandler", "type": "ClientHandler", "baseURI": "http://app.downstream.server:8080/", "config": { "soTimeout": "100 seconds" } } } } }] } }, "condition": "${contains(request.uri.path, 'test')}" }Currently we have used 401 status code for cookie null check,authorization failure and session expiry check. Is there any better way to handle all API errors like HTTP status codes 404,400,500,401.
Env details : OpenIG 4.0 version
Any help on this would be appreciated.
Thanks,
SrinathHello Srinath,
Looking at your route, I would have managed errors directly into your
CustomFilterinstead of having that
SwitchFilter below it. This would simplify your route.
However, it is really hard to answer without any details on your CustomFilter and what you want to achieve with this route.Thanks for the reply @violette.
In CustomFilter filter code, we are decrypting the sscoToken and validating the token against the OpenAM. After that we are fetching all the roles from OpenIDM and setting them in the headers of the request and passing this request to the downstream server. OpenIG sends the response back to the client once OpenIG gets the response from downstream server.
As you suggested in the above, Could you please provide more details or piece of code to handle these http status code errors in the CustomFilter .
Thanks,
SrinathOk, this is a example of the logic you have to apply in a custom Groovy Filter:
import org.forgerock.http.protocol.Response import org.forgerock.http.protocol.Status import org.forgerock.util.promise.* // Here you have to write your logic => your CustomFilter behavior // as you said must decrypt and validate the ssoToken, etc... request.headers.FilterStatus = "Minsc and Boo!" // ... // ... // Underneath: error management (Note that it should be part of your filter logic) if (request.headers.FilterStatus.values[0].equals("Minsc and Boo!")) { Response response = new Response() response.status = Status.UNAUTHORIZED response.entity = "<html><p>Epic Fail!</p></html>" return Promises.newResultPromise(response); } return next.handle(context, request); // Continue if everything is okThere is examples of groovy scripting in the documentation:
https://backstage.forgerock.com/docs/openig/4/gateway-guide/#scripting-dispatchBut you can also have a look to the code source:
https://stash.forgerock.org/projects/OPENIG/repos/openig/browse/openig-core/src/main/java/org/forgerock/openig/filter/HttpBasicAuthFilter.java?at=4.0Enjoy,
Thanks a lot @violette for sharing more details on this along with code snippets and pointing me to the right direction.
You must be logged in to reply to this topic.
