Handling http status code API erros in OpenIG routes

This topic contains 4 replies, has 2 voices, and was last updated by  srinath.m 11 months ago.

  • Author
    Posts
  • #23828
     srinath.m 
    Participant

    Hi All,
    Our client apps are secured by OpenIG where we have written routes for each application.
    Below is one of the example route: 02-test-api.json.

    {
            "handler": {
                    "type": "DispatchHandler",
                    "config": {
                            "bindings": [{
                                    "condition": "${request.cookies['iPlanetDirectoryPro'] == null}",
                                    "handler": {
                                            "type": "StaticResponseHandler",
                                            "config": {
                                                    "status": 401,
                                                    "reason": "Unauthorized Access",
                                                    "entity": "Unauthorized Access"
                                            }
                                    }
                            },
                            {
                                    "comment": "This condition is optional, but included for clarity.",
                                    "condition": "${request.cookies['iPlanetDirectoryPro'] != null}",
                                    "handler": {
                                            "type": "Chain",
                                            "config": {
                                                    "filters": [{
                                                            "name": "SwitchFilter",
                                                            "type": "SwitchFilter",
                                                            "config": {
                                                                    "onResponse": [{
                                                                            "condition": "${response.status.code == 401}",
                                                                            "handler": {
                                                                                    "name": "ErrorResponse",
                                                                                    "type": "StaticResponseHandler",
                                                                                    "config": {
                                                                                            "status": 401,
                                                                                            "entity": "Authorization Failure"
                                                                                    }
                                                                            }
                                                                    }]
                                                            }
                                                    },
                                                    {
                                                            "name": "AuthZPolicyEvaluationFilter",
                                                            "type": "PolicyEnforcementFilter",
                                                            "config": {
                                                                    "openamUrl": "http://openam.example.com:8080/openam/",
                                                                    "pepUsername": "PolicyAdmin",
                                                                    "pepPassword": "password",
                                                                    "ssoTokenSubject": "${request.cookies['iPlanetDirectoryPro'][0].value}",
                                                                    "application": "TestAuthZPolicySet",
                                                                    "cacheMaxExpiration": "2 minutes"
                                                            }
                                                    },
                                                    {
                                                            "name": "CustomFilter",
                                                            "type": "com.example.openig.filter.CustomFilter",
                                                            "config": {
                                                                    "X-APPLICATION-NAME": "CustomFilter"
                                                            }
                                                    },
                                                    {
                                                            "name": "FailedJWTFilterSwitch",
                                                            "type": "SwitchFilter",
                                                            "config": {
                                                                    "onRequest": [{
                                                                            "condition": "${request.headers['FilterStatus'][0] == 'FAILED'}",
                                                                            "handler": {
                                                                                    "name": "FilterFailureHandler",
                                                                                    "type": "StaticResponseHandler",
                                                                                    "config": {
                                                                                            "status": 400,
                                                                                            "reason": "Filter failed",
                                                                                            "entity": "<html><h2>${request.headers['ErrorMessage'][0]}</h2></html>"
                                                                                    }
                                                                            }
                                                                    },
                                                                    {
                                                                            "condition": "${request.headers['FilterStatus'][0] == 'SESSIONEXPIRED'}",
                                                                            "handler": {
                                                                                    "name": "SessionExpiredFilterHandler",
                                                                                    "type": "StaticResponseHandler",
                                                                                    "config": {
                                                                                            "status": 401,
                                                                                            "reason": "Session expired",
                                                                                            "entity": "<html><h2>${request.headers['ErrorMessage'][0]}</h2></html>"
                                                                                    }
                                                                            }
                                                                    }]
                                                            }
                                                    }],
                                                    "handler": {
                                                             "name": "testHandler",
                                                            "type": "ClientHandler",
                                                            "baseURI": "http://app.downstream.server:8080/",
                                                            "config": {
                                                                    "soTimeout": "100 seconds"
                                                            }
                                                    }
                                            }
                                    }
                            }]
                    }
            },
            "condition": "${contains(request.uri.path, 'test')}"
    }

    Currently we have used 401 status code for cookie null check,authorization failure and session expiry check. Is there any better way to handle all API errors like HTTP status codes 404,400,500,401.

    Env details : OpenIG 4.0 version

    Any help on this would be appreciated.
    Thanks,
    Srinath

    #23839
     violette 
    Participant

    Hello Srinath,

    Looking at your route, I would have managed errors directly into your CustomFilter instead of having that
    SwitchFilter below it. This would simplify your route.
    However, it is really hard to answer without any details on your CustomFilter and what you want to achieve with this route.

    #23841
     srinath.m 
    Participant

    Thanks for the reply @violette.

    In CustomFilter filter code, we are decrypting the sscoToken and validating the token against the OpenAM. After that we are fetching all the roles from OpenIDM and setting them in the headers of the request and passing this request to the downstream server. OpenIG sends the response back to the client once OpenIG gets the response from downstream server.

    As you suggested in the above, Could you please provide more details or piece of code to handle these http status code errors in the CustomFilter .

    Thanks,
    Srinath

    #23842
     violette 
    Participant

    Ok, this is a example of the logic you have to apply in a custom Groovy Filter:

    
    import org.forgerock.http.protocol.Response
    import org.forgerock.http.protocol.Status
    import org.forgerock.util.promise.*
    
    // Here you have to write your logic => your CustomFilter behavior
    // as you said must decrypt and validate the ssoToken, etc...
    request.headers.FilterStatus = "Minsc and Boo!"
    // ...
    // ...
    // Underneath: error management (Note that it should be part of your filter logic)
    if (request.headers.FilterStatus.values[0].equals("Minsc and Boo!")) { 
        Response response = new Response()
        response.status = Status.UNAUTHORIZED
        response.entity = "<html><p>Epic Fail!</p></html>"
        return Promises.newResultPromise(response);
    }
    return next.handle(context, request); // Continue if everything is ok
    

    There is examples of groovy scripting in the documentation:
    https://backstage.forgerock.com/docs/openig/4/gateway-guide/#scripting-dispatch

    But you can also have a look to the code source:
    https://stash.forgerock.org/projects/OPENIG/repos/openig/browse/openig-core/src/main/java/org/forgerock/openig/filter/HttpBasicAuthFilter.java?at=4.0

    Enjoy,

    • This reply was modified 11 months ago by  violette.
    #23850
     srinath.m 
    Participant

    Thanks a lot @violette for sharing more details on this along with code snippets and pointing me to the right direction.

Viewing 5 posts - 1 through 5 (of 5 total)

You must be logged in to reply to this topic.

©2019 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?