How to implement API whitelisting with IG?

This topic has 3 replies, 2 voices, and was last updated 9 months, 1 week ago by violette.


    I’d like to implement API whitelisting with IG. Preferably using an external file containing a list of allowed URIs.

    I’ve played around with properties but it seems they are not evaluated in a route condition. For example the following does not work on IG 6.5.

      "properties" : {
          "allowed": {
              "/some/uri1": "ok",
              "/some/uri2": "ok"
          }
      },
      "condition": "${ == '' and allowed[request.uri.path] == 'ok'}",
      "handler": {
        "type": "Chain",



    Hello Andrew,

    It looks like you just hit a bug!
    I created OPENIG-3609. Indeed, it seems that we can’t access properties in route condition when the properties are defined in the route.
    However, if you declare your properties in a config.json, you should be able to use them in the route condition.


    Thanks Violette. I’m now trying to load properties from a file into config.json and use them in the route, however it is also giving me an error:

    [http-nio-8180-exec-1] WARN  org.forgerock.openig.el.Expression @system - An error occurred while evaluating the expression ${ == '' and uris.allowed-uris['one'] == 'ok'}
    javax.el.ELException: Cannot coerce 'ok' of class java.lang.String to class java.lang.Long (incompatible value)
    	at de.odysseus.el.misc.TypeConverterImpl.coerceToLong(

    In config.json I have:

    "properties" : {
        "uris": { "$location": "${fileToUrl(openig.configDirectory)}/" }

    The file has:

      "allowed-uris": {
        "one": "ok"

    And the route condition is:
    "condition": "${ == '' and uris.allowed-uris['one'] == 'ok'}"

    Could you please let me know if what I’ve done above should work?

    I also used a HeaderFilter to check the value of the expression uris.allowed-uris['one'] and it is returning a value of 0.

    Also with a bit more experimentation I observed that a simple value in config.json will work, for example, if the properties are:

      "properties" : {
        "allowed-uris": {"one": "ok"},
        "allowed": "ok"

    then the expression ${allowed == 'ok'} returns true.


    It seems that JUEL does not like the - in the named properties; it interprets it as a number. Remove the dashes from the property names and it should solve the issue.
    Moreover, rename the file to allowed-openam-apis.json, as .properties files are interpreted/read differently.
    Otherwise, it should work!
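
    Added example, not part of the original thread and not ForgeRock code: a small Python lint that flags property paths in a route condition which the EL parser splits at the `-`, so `uris.allowed-uris` is read as the subtraction `uris.allowed - uris`. The sample properties and condition are constructed from the snippets above, and the function names are hypothetical.

```python
import re

# Constructed sample input mirroring the thread: the properties tree as loaded
# from the external file, and the property half of the route condition.
PROPERTIES = {"uris": {"allowed-uris": {"one": "ok"}}}
CONDITION = "${uris.allowed-uris['one'] == 'ok'}"

IDENT = r"[A-Za-z_][A-Za-z0-9_]*"
# A dotted path followed by one or more "-name" parts with no spaces around '-'.
HYPHEN_CHAIN = re.compile(rf"({IDENT}(?:\.{IDENT})*)((?:-{IDENT})+)")
STRING_LITERAL = re.compile(r"'[^']*'|\"[^\"]*\"")


def has_path(props, dotted):
    """True if every segment of a dotted path exists in the nested dicts."""
    node = props
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return False
        node = node[part]
    return True


def hyphen_hazards(expression, props):
    """Find property names in an EL expression that the parser splits at '-'."""
    # Blank out string literals so a quoted 'a-b' is never reported.
    code = STRING_LITERAL.sub(lambda m: " " * len(m.group()), expression)
    hazards = []
    for m in HYPHEN_CHAIN.finditer(code):
        left, tail = m.group(1), m.group(2)
        intended = left + tail  # the property path the author meant
        if has_path(props, intended):
            hazards.append({
                "written": intended,
                "parsed_as": left + tail.replace("-", " - "),
                "rename_to": intended.replace("-", ""),
            })
    return hazards


if __name__ == "__main__":
    for h in hyphen_hazards(CONDITION, PROPERTIES):
        print(f"{h['written']!r} is evaluated as {h['parsed_as']!r}; "
              f"rename the property so the path becomes {h['rename_to']!r}")
```

    Running a check like this over route conditions before deployment catches an allow-list condition that would otherwise only fail at request time with the coercion error shown in the log above.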


©2020 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.