OpenIG as PEP with Access Denied Page

This topic has 5 replies, 3 voices, and was last updated 4 years, 11 months ago by aktokas.

  • #20138
     aktokas
    Participant

    Hi Everyone,

    I am using an OpenIG setup as PEP with OpenAM. Everything is working fine in authentication and redirection.
    Currently, when a user who is not authorized tries to access the resource, they are shown a blank page.
    But I want to add an ACCESS DENIED page when the user does not meet the authorization conditions (like we can do in J2EE & Web Agents).
    To add this access denied page I have tried to use a SwitchFilter with response code 403, but it does not seem to work.

    Attaching the pep.json file for reference, along with the OpenIG log for an authorized access.

    #20139
     aktokas
    Participant

    PEP JSON FILE

    {
      "baseURI": "http://marvelstudios.starkindustries.com:8081/",
      "handler": {
        "type": "DispatchHandler",
        "config": {
          "bindings": [
            {
              "comment": "Redirect to OpenAM authentication",
              "name": "OpenAM Authentication",
              "condition": "${request.cookies['iPlanetDirectoryPro'] == null}",
              "handler": {
                "type": "StaticResponseHandler",
                "config": {
                  "status": 302,
                  "reason": "Found",
                  "headers": {
                    "Location": [
                      "https://openam.starkindustries.com:7773/openam/XUI/#login/marvel/&goto=${urlEncodeQueryParameterNameOrValue(contexts.router.originalUri)}"
                    ]
                  },
                  "entity": "Redirecting to OpenAM for authentication..."
                },
                "capture": "all"
              }
            },
            {
              "comment": "OpenAM Authorization chain for policy validation and attributes retrieval",
              "name": "OpenAM Authorization Chain",
              "condition": "${request.cookies['iPlanetDirectoryPro'] != null}",
              "handler": {
                "type": "Chain",
                "config": {
                  "filters": [
                    {
                      "comment": "OpenAM Authorization check filter",
                      "name": "OpenAM Authorization",
                      "type": "PolicyEnforcementFilter",
                      "config": {
                        "openamUrl": "https://openam.starkindustries.com:7773/openam/",
                        "pepUsername": "ak.tokas",
                        "pepPassword": "password",
                        "realm": "Marvel",
                        "application": "OPENIG",
                        "ssoTokenSubject": "${request.cookies['iPlanetDirectoryPro'][0].value}"
                      },
                      "capture": "all"
                    },
                    {
                      "type": "PasswordReplayFilter",
                      "config": {
                        "loginPage": "${true}",
                        "credentials": {
                          "type": "PolicyEnforcementFilter",
                          "config": {
                            "openamUrl": "https://openam.starkindustries.com:7773/openam/",
                            "pepUsername": "ak.tokas",
                            "pepPassword": "password",
                            "realm": "Marvel",
                            "application": "OPENIG",
                            "ssoTokenSubject": "${request.cookies['iPlanetDirectoryPro'][0].value}",
                            "claimsSubject": "${attributes.claimsSubject}",
                            "target": "${attributes.currentPolicy}"
                          }
                        },
                        "request": {
                          "method": "POST",
                          "uri": "http://marvelstudios.starkindustries.com:8081",
                          "form": {
                            "username": [
                              "${attributes.currentPolicy.attributes.mail[0]}"
                            ],
                            "password": [
                              "${attributes.currentPolicy.attributes.employeeNumber[0]}"
                            ]
                          }
                        }
                      }
                    },
                    {
                      "name": "SwitchFilter",
                      "type": "SwitchFilter",
                      "config": {
                        "onResponse": [
                          {
                            "condition": "${exchange.response.status == 403}",
                            "handler": {
                              "name": "AccessDeniedHandler",
                              "type": "StaticResponseHandler",
                              "config": {
                                "status": 403,
                                "reason": "Forbidden",
                                "entity": "<html><head><title>Apache Website</title></head><body><h1 align=\"center\">- ACCESS DENIED -</h1>Kindly Contact Administrator</body></html>"
                              }
                            }
                          }
                        ]
                      }
                    }
                  ],
                  "handler": "ClientHandler"
                }
              }
            }
          ]
        }
      },
      "condition": "${matches(request.uri.path, '^/pep')}",
      "session": "JwtSession"
    }

    #20141
     aktokas
    Participant

    In this setup, I am still facing the blank page when I try to access the resource from an unauthorized account. But everything works fine when the user is authorized.

    Kindly ignore Marvel and Starkindustries in the URLs :P

    #20151
     jochenr
    Participant

    Hi,

    From IG version 5 onwards, the PolicyEnforcementFilter has a failureHandler where you can call the StaticResponseHandler, handling custom logic for the 403.

    More information about this can be found here: PolicyEnforcementFilter

    Regards,
    Jochen
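
    The shape Jochen describes, as an added example that is not part of the thread or of ForgeRock's documentation: a PolicyEnforcementFilter for IG 5.x with a failureHandler that returns the access denied page instead of the default empty 403. The hostnames, the service-account name and password, the "Marvel" realm and the "OPENIG" application are placeholders taken from or modelled on the thread's own route; the failureHandler, Content-Type and Cache-Control settings are assumptions about the IG 5 configuration and should be checked against the reference for the version in use.

    ```json
    {
      "name": "OpenAM Authorization",
      "type": "PolicyEnforcementFilter",
      "config": {
        "openamUrl": "https://openam.starkindustries.com:7773/openam/",
        "pepUsername": "pep-service-account",
        "pepPassword": "change-me",
        "realm": "Marvel",
        "application": "OPENIG",
        "ssoTokenSubject": "${request.cookies['iPlanetDirectoryPro'][0].value}",
        "failureHandler": {
          "name": "AccessDeniedHandler",
          "type": "StaticResponseHandler",
          "config": {
            "status": 403,
            "reason": "Forbidden",
            "headers": {
              "Content-Type": ["text/html; charset=UTF-8"],
              "Cache-Control": ["no-store"]
            },
            "entity": "<html><head><title>Access denied</title></head><body><h1>Access denied</h1><p>You are signed in, but you are not authorized for this resource. Kindly contact the administrator.</p></body></html>"
          }
        }
      }
    }
    ```

    Two practical points about the denied page itself: keep the entity a fixed string rather than interpolating request data into it (StaticResponseHandler evaluates expressions in the entity, so echoing the requested URI unencoded would turn the error page into a reflected-XSS sink), and keep the PEP service-account password out of a route file that gets attached to forum posts, as happened above.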

    #20152
     violette
    Participant

    Or you can put the SwitchFilter just before the PolicyEnforcementFilter. Actually, with your configuration, the request is denied and the response is returned before entering your SwitchFilter.
    If you put it before, then if access is denied the response will go through the SwitchFilter.

    See https://ea.forgerock.com/docs/openig/doc/gateway-guide/index.html#figure-chain to see how the flow works
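
    The ordering Violette describes, as an added example that is not part of the thread: the Chain from the route above with the SwitchFilter placed ahead of the PolicyEnforcementFilter, so that the 403 the filter produces travels back out through the SwitchFilter's onResponse branch. The hostnames, credentials, realm and application are placeholders modelled on the thread's route; the condition `${response.status.code == 403}` is assumed to be the IG 4.x form (a Status object exposing its numeric code) and should be checked against the expression reference for the version in use.

    ```json
    {
      "type": "Chain",
      "config": {
        "filters": [
          {
            "name": "AccessDeniedSwitch",
            "type": "SwitchFilter",
            "config": {
              "onResponse": [
                {
                  "condition": "${response.status.code == 403}",
                  "handler": {
                    "name": "AccessDeniedHandler",
                    "type": "StaticResponseHandler",
                    "config": {
                      "status": 403,
                      "reason": "Forbidden",
                      "headers": {
                        "Content-Type": ["text/html; charset=UTF-8"]
                      },
                      "entity": "<html><head><title>Access denied</title></head><body><h1>Access denied</h1><p>Kindly contact the administrator.</p></body></html>"
                    }
                  }
                }
              ]
            }
          },
          {
            "name": "OpenAM Authorization",
            "type": "PolicyEnforcementFilter",
            "config": {
              "openamUrl": "https://openam.starkindustries.com:7773/openam/",
              "pepUsername": "pep-service-account",
              "pepPassword": "change-me",
              "realm": "Marvel",
              "application": "OPENIG",
              "ssoTokenSubject": "${request.cookies['iPlanetDirectoryPro'][0].value}"
            }
          }
        ],
        "handler": "ClientHandler"
      }
    }
    ```

    One caveat of this placement: a SwitchFilter at the head of the chain sees every response that passes back through it, so a 403 returned by the protected application via the ClientHandler gets the same replacement page as a policy denial. If the two must be told apart, narrow the condition (for example by also checking a marker the filter sets in `attributes`) rather than matching on the status code alone.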

    #20170
     aktokas
    Participant

    Thanks Jochen & Violette for the quick responses. For now I am using OpenIG 4.0.

    Violette, I tried to use the SwitchFilter before the PolicyEnforcementFilter but I am still facing the blank page issue. Since I am using 2 PolicyEnforcementFilters in my configuration I am getting the 403 Forbidden response twice, but my SwitchFilter is unable to recognize either of them. For testing, I used the SwitchFilter before both of the PolicyEnforcementFilters.
