Tagged: #OpenIG, API errors, HTTP Status Codes, routes
This topic has 4 replies, 2 voices, and was last updated 3 years, 8 months ago by srinath.m.
-
AuthorPosts
-
November 9, 2018 at 1:07 pm #23828
srinath.m
ParticipantHi All,
Our client apps are secured by OpenIG where we have written routes for each application.
Below is one of the example route: 02-test-api.json.{ "handler": { "type": "DispatchHandler", "config": { "bindings": [{ "condition": "${request.cookies['iPlanetDirectoryPro'] == null}", "handler": { "type": "StaticResponseHandler", "config": { "status": 401, "reason": "Unauthorized Access", "entity": "Unauthorized Access" } } }, { "comment": "This condition is optional, but included for clarity.", "condition": "${request.cookies['iPlanetDirectoryPro'] != null}", "handler": { "type": "Chain", "config": { "filters": [{ "name": "SwitchFilter", "type": "SwitchFilter", "config": { "onResponse": [{ "condition": "${response.status.code == 401}", "handler": { "name": "ErrorResponse", "type": "StaticResponseHandler", "config": { "status": 401, "entity": "Authorization Failure" } } }] } }, { "name": "AuthZPolicyEvaluationFilter", "type": "PolicyEnforcementFilter", "config": { "openamUrl": "http://openam.example.com:8080/openam/", "pepUsername": "PolicyAdmin", "pepPassword": "password", "ssoTokenSubject": "${request.cookies['iPlanetDirectoryPro'][0].value}", "application": "TestAuthZPolicySet", "cacheMaxExpiration": "2 minutes" } }, { "name": "CustomFilter", "type": "com.example.openig.filter.CustomFilter", "config": { "X-APPLICATION-NAME": "CustomFilter" } }, { "name": "FailedJWTFilterSwitch", "type": "SwitchFilter", "config": { "onRequest": [{ "condition": "${request.headers['FilterStatus'][0] == 'FAILED'}", "handler": { "name": "FilterFailureHandler", "type": "StaticResponseHandler", "config": { "status": 400, "reason": "Filter failed", "entity": "<html><h2>${request.headers['ErrorMessage'][0]}</h2></html>" } } }, { "condition": "${request.headers['FilterStatus'][0] == 'SESSIONEXPIRED'}", "handler": { "name": "SessionExpiredFilterHandler", "type": "StaticResponseHandler", "config": { "status": 401, "reason": "Session expired", "entity": "<html><h2>${request.headers['ErrorMessage'][0]}</h2></html>" } } }] } }], "handler": { "name": "testHandler", "type": "ClientHandler", "baseURI": "http://app.downstream.server:8080/", "config": { "soTimeout": "100 seconds" } } } } }] } }, "condition": "${contains(request.uri.path, 'test')}" }
Currently we have used 401 status code for cookie null check,authorization failure and session expiry check. Is there any better way to handle all API errors like HTTP status codes 404,400,500,401.
Env details : OpenIG 4.0 version
Any help on this would be appreciated.
Thanks,
SrinathNovember 14, 2018 at 10:04 am #23839violette
ParticipantHello Srinath,
Looking at your route, I would have managed errors directly into your
CustomFilter
instead of having that
SwitchFilter below it. This would simplify your route.
However, it is really hard to answer without any details on your CustomFilter and what you want to achieve with this route.November 14, 2018 at 11:07 am #23841srinath.m
ParticipantThanks for the reply @violette.
In CustomFilter filter code, we are decrypting the sscoToken and validating the token against the OpenAM. After that we are fetching all the roles from OpenIDM and setting them in the headers of the request and passing this request to the downstream server. OpenIG sends the response back to the client once OpenIG gets the response from downstream server.
As you suggested in the above, Could you please provide more details or piece of code to handle these http status code errors in the CustomFilter .
Thanks,
SrinathNovember 14, 2018 at 1:32 pm #23842violette
ParticipantOk, this is a example of the logic you have to apply in a custom Groovy Filter:
import org.forgerock.http.protocol.Response import org.forgerock.http.protocol.Status import org.forgerock.util.promise.* // Here you have to write your logic => your CustomFilter behavior // as you said must decrypt and validate the ssoToken, etc... request.headers.FilterStatus = "Minsc and Boo!" // ... // ... // Underneath: error management (Note that it should be part of your filter logic) if (request.headers.FilterStatus.values[0].equals("Minsc and Boo!")) { Response response = new Response() response.status = Status.UNAUTHORIZED response.entity = "<html><p>Epic Fail!</p></html>" return Promises.newResultPromise(response); } return next.handle(context, request); // Continue if everything is ok
There is examples of groovy scripting in the documentation:
https://backstage.forgerock.com/docs/openig/4/gateway-guide/#scripting-dispatchBut you can also have a look to the code source:
https://stash.forgerock.org/projects/OPENIG/repos/openig/browse/openig-core/src/main/java/org/forgerock/openig/filter/HttpBasicAuthFilter.java?at=4.0Enjoy,
-
This reply was modified 3 years, 8 months ago by
violette.
November 15, 2018 at 4:28 am #23850 -
This reply was modified 3 years, 8 months ago by
-
AuthorPosts
You must be logged in to reply to this topic.