How to implement API whitelisting with IG?

This topic contains 3 replies, has 2 voices, and was last updated by  violette 1 week, 1 day ago.

  • #25496
     andwalker@deloitte.com.au 
    Participant

    I’d like to implement API whitelisting with IG, preferably using an external file containing a list of allowed URIs.

    I’ve played around with properties but it seems they are not evaluated in a route condition. For example the following does not work on IG 6.5.

    {
      "properties" : {
          "allowed": {
              "/some/uri1": "ok",
              "/some/uri2": "ok"
          }
      },
      "condition": "${contexts.router.originalUri.host == 'myhost.example.com' and allowed[request.uri.path] == 'ok'}",
      "handler": {
        "type": "Chain",
    ...

    Thanks,
    Andrew.

    #25502
     violette 
    Participant

    Hello Andrew,

    It looks like you just hit a bug!
    I created OPENIG-3609. Indeed, it seems that we can’t access properties in route condition when the properties are defined in the route.
    However, if you declare your properties in a config.json, you should be able to use them in the route condition.

    #25508
     andwalker@deloitte.com.au 
    Participant

    Thanks Violette. I’m now trying to load properties from a file into config.json and use them in the route; however, it is also giving me an error:

    [http-nio-8180-exec-1] WARN  org.forgerock.openig.el.Expression @system - An error occurred while evaluating the expression ${contexts.router.originalUri.host == 'openam.example.com' and uris.allowed-uris['one'] == 'ok'}
    javax.el.ELException: Cannot coerce 'ok' of class java.lang.String to class java.lang.Long (incompatible value)
    	at de.odysseus.el.misc.TypeConverterImpl.coerceToLong(TypeConverterImpl.java:172)

    In config.json I have:

    "properties" : {
        "uris": { "$location": "${fileToUrl(openig.configDirectory)}/allowed-openam-apis.properties" }
      },

    The allowed-openam-apis.properties file has:

    {
      "allowed-uris": {
        "one": "ok"
      }
    }
    

    And the route condition is:
    "condition": "${contexts.router.originalUri.host == 'openam.example.com' and uris.allowed-uris['one'] == 'ok'}"

    Could you please let me know if what I’ve done above should work?

    I also used a HeaderFilter to check the value of the expression uris.allowed-uris['one'] and it is returning a value of 0.

    Also with a bit more experimentation I observed that a simple value in config.json will work, for example, if the properties are:

      "properties" : {
        "allowed-uris": {"one": "ok"},
        "allowed": "ok"
      }

    then the expression ${allowed == 'ok'} returns true.

    #25529
     violette 
    Participant

    It seems that JUEL does not like the '-' in the property names; it interprets it as a number. Remove the dashes from the property names and it should solve the issue.
    Moreover, rename the file allowed-openam-apis.properties to allowed-openam-apis.json, as .properties files are interpreted/read differently.
    Otherwise, it should work!
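The configuration the thread converges on, as an added example written for this page (it is not code from the thread or from ForgeRock IG): a small Python script that generates the three pieces, the whitelist file, the config.json properties stanza, and the route, from a plain list of allowed paths, and lints the whitelist so that every name the route condition reaches with dot notation is a legal EL identifier. The host name, file names, sample paths and the default ReverseProxyHandler heap reference are assumptions for the example; the $location loading syntax and the condition shape are the ones used in the thread.

```python
"""Added example (not code from the forum thread or from ForgeRock IG):
build and lint an IG API whitelist that is loaded from an external JSON file."""
import json
import re

# A name can follow a dot in an EL expression only if it is an identifier.
# "allowed-uris" is not one, so ${uris.allowed-uris} parses as the
# subtraction ${uris.allowed - uris}, which is why IG tried to coerce
# the string 'ok' to a Long in the thread above.
EL_IDENTIFIER = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*$")

WHITELIST_FILE = "allowed-openam-apis.json"          # assumed file name
ROUTE_FILE = "routes/10-openam-whitelist.json"       # assumed file name
CONFIG_STANZA = "config.json (properties stanza)"    # merge into your config.json
PROTECTED_HOST = "openam.example.com"                # host used in the thread


def dotted_name_problems(whitelist, prefix="uris"):
    """Top-level whitelist names are reached as ${uris.<name>} and so must be
    EL identifiers. The URI paths underneath are looked up with bracket
    notation, <name>[request.uri.path], so slashes are fine there."""
    return [f"{prefix}.{name}" for name in whitelist if not EL_IDENTIFIER.match(name)]


def build_whitelist(paths, name="allowedUris"):
    """Whitelist document: one map, every allowed path -> 'ok'."""
    return {name: {path: "ok" for path in paths}}


def build_config_properties():
    """'properties' stanza for config.json; $location pulls the whitelist
    in from the IG config directory, as in the thread."""
    location = "${fileToUrl(openig.configDirectory)}/" + WHITELIST_FILE
    return {"properties": {"uris": {"$location": location}}}


def build_route(name="allowedUris", host=PROTECTED_HOST):
    """Route that matches only when the host is right AND the exact path is
    whitelisted; anything else falls through to the remaining routes."""
    condition = (
        "${contexts.router.originalUri.host == '" + host + "' and uris."
        + name + "[request.uri.path] == 'ok'}"
    )
    return {
        "condition": condition,
        "handler": {
            "type": "Chain",
            # ReverseProxyHandler: assumed default heap object; adjust to taste
            "config": {"filters": [], "handler": "ReverseProxyHandler"},
        },
    }


def build_ig_objects(paths, host=PROTECTED_HOST, name="allowedUris"):
    """Return {file name: JSON object}, refusing a whitelist whose top-level
    name the route condition could not address with dot notation."""
    whitelist = build_whitelist(paths, name)
    problems = dotted_name_problems(whitelist)
    if problems:
        raise ValueError("names unusable with dot notation in EL: " + ", ".join(problems))
    return {
        WHITELIST_FILE: whitelist,
        CONFIG_STANZA: build_config_properties(),
        ROUTE_FILE: build_route(name, host),
    }


def render_ig_files(paths, host=PROTECTED_HOST, name="allowedUris"):
    """Same as build_ig_objects, but serialised to the JSON text IG reads."""
    return {fname: json.dumps(obj, indent=2)
            for fname, obj in build_ig_objects(paths, host, name).items()}


def route_allows(whitelist, host, path, name="allowedUris", expected_host=PROTECTED_HOST):
    """Offline replay of the route condition for checking a whitelist before
    deployment: exact host match AND exact path match, nothing looser."""
    return host == expected_host and whitelist.get(name, {}).get(path) == "ok"


if __name__ == "__main__":
    # Constructed sample input: two OpenAM REST endpoints to expose.
    sample_paths = ["/openam/json/authenticate", "/openam/json/sessions"]
    for fname, text in render_ig_files(sample_paths).items():
        print(f"--- {fname}\n{text}\n")
    print(dotted_name_problems({"allowed-uris": {"one": "ok"}}))
```

Because the lookup is an exact string match on request.uri.path, variants such as a trailing slash are not whitelisted unless you list them; decide how you want such variants handled before relying on the route as an allow-list, and keep the properties in config.json rather than in the route until OPENIG-3609 is resolved.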


©2019 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
