How to capture response for PolicyEnforcementFilter filter?

Tagged: #OpenIG, PolicyEnforcementFilter, StaticResponseHandler

This topic has 5 replies, 3 voices, and was last updated 4 years, 7 months ago by aktokas.

Author

Posts
June 21, 2016 at 12:15 pm #11424

Jitendra Niberiya
Participant

Hi All,

I am trying to capture the ‘401’ response of ‘PolicyEnforcementFilter’ filter in case of Unauthorized access.
Below is the config that I’ve put in my route file of openIG.
——————————
{
“handler”:{
“type”:”DispatchHandler”,
“config”:{
“bindings”:[
{
“condition”:”${request.cookies[‘iPlanetDirectoryPro’] == null}”,
“handler”:{
“type”:”StaticResponseHandler”,
“config”:{
“status”:302,
“reason”:”Found”,
“headers”:{
“Location”:[
“http://openam.example.com:8080/openam/XUI/#login/&goto=${urlEncode(contexts.router.originalUri)}”
]
},
“entity”:”Redirecting to OpenAM for authentication…”
}
}
},
{
“comment”:”This condition is optional, but included for clarity.”,
“condition”:”${request.cookies[‘iPlanetDirectoryPro’] != null}”,
“handler”:{
“type”:”Chain”,
“config”:{
“filters”:[
{
“name”:”AuthZPolicyEvaluationFilter”,
“type”:”PolicyEnforcementFilter”,
“config”:{
“openamUrl”:”http://openam.example.com:8080/openam/”,
“pepUsername”:”PolicyAdmin”,
“pepPassword”:”password”,
“ssoTokenSubject”:”${request.cookies[‘iPlanetDirectoryPro’][0].value}”,
“application”:”ApplicationName”
}
},
{
“name”:”UnauthorizedResponseSwitch”,
“type”:”SwitchFilter”,
“config”:{
“onResponse”:[
{
“condition”:”${response.status.code == 401}”,
“handler”:{
“name”:”FilterFailureHandler”,
“type”:”StaticResponseHandler”,
“config”:{
“status”:401,
“reason”:”Unauthorized Access”,
“entity”:”<html><h2>Unauthorized Access</h2></html>”
}
}
}
]
}
}
],
“handler”:{
“type”:”ClientHandler”,
“baseURI”:”http://openam.example.com:8080/”
}
}
}
}
]
}
},
“condition”:”${matches(request.uri.path, ‘^/sampleapp/header.jsp’)}”
}
——————————
But it is not working and I’m not getting the configured message in case of 401 failure.
From the filter doc, it looks like that the “response.status.code” should do but it ain’t working.
Anyone has done anything like this then please help out.

Thanks,
Jitendra

June 21, 2016 at 12:30 pm #11426

violette
Participant

Hi Jitendra,

If the request is denied by the PolicyEnforcementFilter, OpenIG returns a 403 Forbidden.
See PolicyEnforcementFilter reference guide

/Violette

June 21, 2016 at 12:42 pm #11427

Jitendra Niberiya
Participant

Violette,

I tried with ${response.status.code == 403} condition as well but still not able to redirect to entity message.

June 21, 2016 at 12:47 pm #11428

Jitendra Niberiya
Participant

Also, I’m using OpenIG 4.0.0

June 21, 2016 at 4:16 pm #11451

violette
Participant

Jitendra,

If you want to manage the cases where the policy denies the request, you have to put your ‘UnauthorizedResponseSwitch’ before the Policy Enforcement Filter.

December 14, 2017 at 11:09 am #20127

aktokas
Participant

Did you resolve this issue jitendra??
I am currently facing an exact same issue..

I can see in the OpenIG logs that i have a 403 forbidded error..
but when i use the switch filter with condition – exchange.response.status == 403

It does not work… Anyone has any suggestions??

Thanks,
Akshay
Author

Posts