How to capture response for PolicyEnforcementFilter filter?

This topic has 5 replies, 3 voices, and was last updated 4 years, 11 months ago by aktokas.

  • #11424
     Jitendra Niberiya
    Participant

    Hi All,

    I am trying to capture the ‘401’ response of ‘PolicyEnforcementFilter’ filter in case of Unauthorized access.
    Below is the config that I’ve put in my route file of OpenIG.
    ——————————
    {
      "handler": {
        "type": "DispatchHandler",
        "config": {
          "bindings": [
            {
              "condition": "${request.cookies['iPlanetDirectoryPro'] == null}",
              "handler": {
                "type": "StaticResponseHandler",
                "config": {
                  "status": 302,
                  "reason": "Found",
                  "headers": {
                    "Location": [
                      "http://openam.example.com:8080/openam/XUI/#login/&goto=${urlEncode(contexts.router.originalUri)}"
                    ]
                  },
                  "entity": "Redirecting to OpenAM for authentication…"
                }
              }
            },
            {
              "comment": "This condition is optional, but included for clarity.",
              "condition": "${request.cookies['iPlanetDirectoryPro'] != null}",
              "handler": {
                "type": "Chain",
                "config": {
                  "filters": [
                    {
                      "name": "AuthZPolicyEvaluationFilter",
                      "type": "PolicyEnforcementFilter",
                      "config": {
                        "openamUrl": "http://openam.example.com:8080/openam/",
                        "pepUsername": "PolicyAdmin",
                        "pepPassword": "password",
                        "ssoTokenSubject": "${request.cookies['iPlanetDirectoryPro'][0].value}",
                        "application": "ApplicationName"
                      }
                    },
                    {
                      "name": "UnauthorizedResponseSwitch",
                      "type": "SwitchFilter",
                      "config": {
                        "onResponse": [
                          {
                            "condition": "${response.status.code == 401}",
                            "handler": {
                              "name": "FilterFailureHandler",
                              "type": "StaticResponseHandler",
                              "config": {
                                "status": 401,
                                "reason": "Unauthorized Access",
                                "entity": "<html><h2>Unauthorized Access</h2></html>"
                              }
                            }
                          }
                        ]
                      }
                    }
                  ],
                  "handler": {
                    "type": "ClientHandler",
                    "baseURI": "http://openam.example.com:8080/"
                  }
                }
              }
            }
          ]
        }
      },
      "condition": "${matches(request.uri.path, '^/sampleapp/header.jsp')}"
    }
    ——————————
    But it is not working and I’m not getting the configured message in case of 401 failure.
    From the filter doc, it looks like “response.status.code” should do, but it ain’t working.
    If anyone has done anything like this, please help out.

    Thanks,
    Jitendra

    #11426
     violette
    Participant

    Hi Jitendra,

    If the request is denied by the PolicyEnforcementFilter, OpenIG returns a 403 Forbidden.
    See the PolicyEnforcementFilter reference guide.

    /Violette

    #11427
     Jitendra Niberiya
    Participant

    Violette,

    I tried with the ${response.status.code == 403} condition as well, but I am still not able to redirect to the entity message.

    #11428
     Jitendra Niberiya
    Participant

    Also, I’m using OpenIG 4.0.0

    #11451
     violette
    Participant

    Jitendra,

    If you want to manage the cases where the policy denies the request, you have to put your ‘UnauthorizedResponseSwitch’ before the Policy Enforcement Filter.
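
The reordering described above, written out as the second binding of the posted route (an added example, not part of the original thread). A filter in a Chain only sees responses produced by whatever comes after it, so the SwitchFilter is listed before the PolicyEnforcementFilter. Only the filter order and the 403 condition (per violette's earlier reply) differ from the posted config; every other value is copied from the original post.

```json
{
    "comment": "Added example, not from the original post: SwitchFilter listed before PolicyEnforcementFilter so its onResponse sees the 403.",
    "condition": "${request.cookies['iPlanetDirectoryPro'] != null}",
    "handler": {
        "type": "Chain",
        "config": {
            "filters": [
                {
                    "name": "UnauthorizedResponseSwitch",
                    "type": "SwitchFilter",
                    "config": {
                        "onResponse": [
                            {
                                "condition": "${response.status.code == 403}",
                                "handler": {
                                    "name": "FilterFailureHandler",
                                    "type": "StaticResponseHandler",
                                    "config": {
                                        "status": 401,
                                        "reason": "Unauthorized Access",
                                        "entity": "<html><h2>Unauthorized Access</h2></html>"
                                    }
                                }
                            }
                        ]
                    }
                },
                {
                    "name": "AuthZPolicyEvaluationFilter",
                    "type": "PolicyEnforcementFilter",
                    "config": {
                        "openamUrl": "http://openam.example.com:8080/openam/",
                        "pepUsername": "PolicyAdmin",
                        "pepPassword": "password",
                        "ssoTokenSubject": "${request.cookies['iPlanetDirectoryPro'][0].value}",
                        "application": "ApplicationName"
                    }
                }
            ],
            "handler": {
                "type": "ClientHandler",
                "baseURI": "http://openam.example.com:8080/"
            }
        }
    }
}
```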

    #20127
     aktokas
    Participant

    Did you resolve this issue, Jitendra?
    I am currently facing the exact same issue.

    I can see in the OpenIG logs that I have a 403 Forbidden error,
    but when I use the switch filter with the condition – exchange.response.status == 403

    it does not work… Does anyone have any suggestions?

    Thanks,
    Akshay
