public class PasswordReplayFilterHeaplet extends GenericHeaplet
A variation on the first case is also possible: the filter lets the request flow through and extracts values from the server's response. Extraction is supported for any server-provided values that need to be reused in the authentication request.
Credentials must be installed by a filter that is placed in the chain only when needed (in case they are not already there). If required (and if the credentials are available as request headers), they can be decrypted using a CryptoHeaderFilter. An authentication request is then built (using a StaticRequestFilter) and sent down the chain.
Note that:
When a GET request to the login page is intercepted, OpenIG generates an alternative authentication request and sends it in place of the original request. The response is forwarded as-is to the caller. All other requests are forwarded untouched.
{
  "loginPage": "${matches(request.uri.path, '/login') and (request.method == 'GET')}",
  "request": {
    "method": "POST",
    "uri": "http://internal.example.com/login",
    "form": {
      "username": [ "${attributes.username}" ],
      "password": [ "${attributes.password}" ]
    }
  }
}
When a response that is identified as a login page is intercepted, OpenIG generates an authentication request and sends it. The authentication response is ignored at the moment. OpenIG then replays the original incoming request.
{
  "loginPageContentMarker": "I'm a login page",
  "request": {
    "method": "POST",
    "uri": "http://internal.example.com/login",
    "headers": {
      "X-OpenAM-Username": [ "${attributes.username}" ],
      "X-OpenAM-Password": [ "${attributes.password}" ]
    }
  }
}
The filter can also be configured (through the credentials attribute) to invoke an additional Filter responsible for obtaining credentials and making them available in the request processing data structures. These values can then be used to build an appropriate authentication request.
The credentials attribute expects a reference to a Filter heap object.
Examples of such filters are FileAttributesFilter (to load credentials from a local CSV file) or SqlAttributesFilter (to load credentials from a database).
{
  "loginPageContentMarker": "I'm a login page",
  "credentials": {
    "type": "FileAttributesFilter",
    "config": {
      "file": "${system.home}/users.csv",
      "key": "uid",
      "value": "${attributes.whoami}",
      "target": "${attributes.user}"
    }
  },
  "request": {
    "method": "POST",
    "uri": "http://internal.example.com/login",
    "headers": {
      "X-OpenAM-Username": [ "${attributes.user.uid}" ],
      "X-OpenAM-Password": [ "${attributes.user.password}" ]
    }
  }
}
Multiple values can be extracted at once; extraction is based on pattern matching (and uses an EntityExtractFilter under the hood).
Unlike the EntityExtractFilter, only one capture group is supported, and the value of the matched group is placed in the results. All extracted values are placed in a Map available as attributes.extracted.
{
  "loginPageContentMarker": "I'm a login page",
  "loginPageExtractions": [
    {
      "name": "nonce",
      "pattern": " nonce='(.*)'"
    }
  ],
  "request": {
    "method": "POST",
    "uri": "http://internal.example.com/login",
    "form": {
      "username": [ "${attributes.username}" ],
      "password": [ "${attributes.password}" ],
      "nonce": [ "${attributes.extracted.nonce}" ]
    }
  }
}
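The login-page detection, single-group extraction and placeholder substitution described above, as an added Python illustration that is not OpenIG's own code. The configuration mirrors the example above, the login page body is constructed, and resolve() handles only the ${attributes...} subset of OpenIG expressions:

```python
import re
# Constructed configuration, modelled on the page's loginPageExtractions example.
CONFIG = {
    "loginPageContentMarker": "I'm a login page",
    "loginPageExtractions": [{"name": "nonce", "pattern": " nonce='(.*)'"}],
    "request": {
        "method": "POST",
        "uri": "http://internal.example.com/login",
        "form": {"username": ["${attributes.username}"], "password": ["${attributes.password}"],
                 "nonce": ["${attributes.extracted.nonce}"]},
    },
}

# Constructed sample response body from a protected application's login page.
SAMPLE_LOGIN_PAGE = ("<html><body><!-- I'm a login page -->\n"
                     "<form action='/login'><input type='hidden' nonce='c0ffee'></form></body></html>")

def is_login_page(body, config):
    # loginPageContentMarker: the response is a login page if its entity contains the marker.
    return config["loginPageContentMarker"] in body

def extract_values(body, extractions):
    # loginPageExtractions: each pattern must define exactly one group; group 1 is stored under "name".
    extracted = {}
    for ext in extractions:
        regex = re.compile(ext["pattern"])
        if regex.groups != 1:
            raise ValueError("pattern %r must define exactly one group" % ext["pattern"])
        match = regex.search(body)
        if match is not None:  # a value that is not found is simply absent from the map
            extracted[ext["name"]] = match.group(1)
    return extracted

def resolve(template, attributes):
    # Resolve "${attributes.a.b}" placeholders by walking the attributes map (a subset of OpenIG expressions).
    def lookup(m):
        value = attributes
        for key in m.group(1).split("."):
            value = value[key]
        return str(value)
    return re.sub(r"\$\{attributes\.([\w.]+)\}", lookup, template)

def build_auth_request(body, config, attributes):
    # Returns the replacement authentication request for a login-page response, or None to forward untouched.
    if not is_login_page(body, config):
        return None
    attrs = dict(attributes, extracted=extract_values(body, config["loginPageExtractions"]))
    req = config["request"]
    form = {name: [resolve(v, attrs) for v in values] for name, values in req["form"].items()}
    return {"method": req["method"], "uri": req["uri"], "form": form}
```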
This filter uses a CryptoHeaderFilter to decrypt values. Note that it only decrypts and always acts on the request flow. All other attributes are the same as those used for configuring a normal CryptoHeaderFilter.
Note that this is only one example usage: whenever there are encrypted values in headers, this function can decrypt them in place if needed.
{
  "loginPageContentMarker": "I'm a login page",
  "headerDecryption": {
    "algorithm": "DES/ECB/NoPadding",
    "key": "....",
    "keyType": "DES",
    "headers": [ "X-OpenAM-Password" ]
  },
  "request": {
    "method": "POST",
    "uri": "http://internal.example.com/login",
    "form": {
      "username": [ "${request.headers['X-OpenAM-Username'][0]}" ],
      "password": [ "${request.headers['X-OpenAM-Password'][0]}" ]
    }
  }
}
| Constructor and Description |
|---|
| PasswordReplayFilterHeaplet() |

| Modifier and Type | Method and Description |
|---|---|
| Object | create() Called to request the heaplet create an object. |

Methods inherited from class GenericHeaplet: create, destroy, endpointRegistry, evaluatedWithHeapProperties, expression, start
public Object create() throws HeapException

Description copied from class: GenericHeaplet
Called to request the heaplet create an object. This method is called by Heaplet.create(Name, JsonValue, Heap) after initializing the protected field members. Implementations should parse configuration but not acquire resources, start threads, or log any initialization messages. These tasks should be performed by the GenericHeaplet.start() method.

Specified by: create in class GenericHeaplet

Throws: HeapException - if an exception occurred during creation of the heap object or any of its dependencies.

Copyright 2011-2017 ForgeRock AS.