This chapter contains templates of common configurations. Start with one of our templates and then modify it to suit your deployment. Read the summary of each template to find the right match for your application. If you are not sure about the characteristics of your application, start with the basic Application Capture template. This template lets you set up basic proxying and capture the traffic of the login sequence in a flat file, so that you can analyze the application and then choose the right template or add your own configuration.
All templates have the CaptureFilter enabled by default. Remove the capture filter from the outgoing chain before running the gateway in production. Capturing is typically used only for initial development or debugging and may rapidly fill up your available disk space if left enabled.
Substitute the TARGETIP tag with the IP address of your application.
Modify the LoginRequest filter to match the form required for login by your target application.
Proxies all requests and captures them in a flat file. Use this template if you need to analyze the traffic for your application. Simply change the baseURI to that of the target application, restart OpenIG, and log in to the application. The entire sequence is logged to the flat file.
{
  "heap": {
    "objects": [
      {
        "name": "HandlerServlet",
        "comment": "Transforms Servlet request to handler request.",
        "type": "HandlerServlet",
        "config": {
          "handler": "DispatchHandler"
        }
      },
      {
        "name": "DispatchHandler",
        "type": "DispatchHandler",
        "config": {
          "bindings": [
            {
              "condition": "${exchange.request.uri.scheme == 'http'}",
              "handler": "OutgoingChain",
              "baseURI": "http://TARGETIP"
            },
            {
              "condition": "${exchange.request.uri.path == '/login'}",
              "handler": "LoginChain",
              "baseURI": "https://TARGETIP"
            },
            {
              "handler": "OutgoingChain",
              "baseURI": "https://TARGETIP"
            }
          ]
        }
      },
      {
        "name": "LoginChain",
        "type": "Chain",
        "config": {
          "filters": [],
          "handler": "OutgoingChain"
        }
      },
      {
        "name": "OutgoingChain",
        "type": "Chain",
        "config": {
          "filters": [
            "CaptureFilter"
          ],
          "handler": "ClientHandler"
        }
      },
      {
        "name": "CaptureFilter",
        "type": "CaptureFilter",
        "config": {
          "captureEntity": false,
          "file": "/tmp/gateway.log"
        }
      },
      {
        "name": "ClientHandler",
        "comment": "Sends all requests to remote servers.",
        "type": "ClientHandler",
        "config": {}
      }
    ]
  },
  "servletObject": "HandlerServlet"
}
Logs the user into the target application with hard-coded user name and password. This template intercepts the login page request and replaces it with the login form.
{
  "heap": {
    "objects": [
      {
        "name": "HandlerServlet",
        "comment": "Entry point that transforms Servlet request to handler request.",
        "type": "HandlerServlet",
        "config": {
          "handler": "DispatchHandler",
          "baseURI": "http://TARGETIP"
        }
      },
      {
        "name": "DispatchHandler",
        "type": "DispatchHandler",
        "config": {
          "bindings": [
            {
              "condition": "${exchange.request.uri.path == '/login'}",
              "handler": "LoginChain"
            },
            {
              "handler": "OutgoingChain"
            }
          ]
        }
      },
      {
        "name": "LoginChain",
        "type": "Chain",
        "config": {
          "filters": ["LoginRequest"],
          "handler": "OutgoingChain"
        }
      },
      {
        "name": "LoginRequest",
        "type": "StaticRequestFilter",
        "config": {
          "method": "POST",
          "uri": "https://TARGETIP/login",
          "form": {
            "USER": ["myusername"],
            "PASSWORD": ["mypassword"]
          }
        }
      },
      {
        "name": "OutgoingChain",
        "type": "Chain",
        "config": {
          "filters": ["CaptureFilter"],
          "handler": "ClientHandler"
        }
      },
      {
        "name": "CaptureFilter",
        "type": "CaptureFilter",
        "config": {
          "captureEntity": false,
          "file": "/tmp/gateway.log"
        }
      },
      {
        "name": "ClientHandler",
        "comment": "Responsible for sending all requests to remote servers.",
        "type": "ClientHandler",
        "config": {}
      }
    ]
  },
  "servletObject": "HandlerServlet"
}
For applications that expect a cookie from the login page to be sent in the login request form. This template allows the login page request to go through to the target, intercepts the response, then creates the login form and adds the intercepted cookie to the POST.
{
  "heap": {
    "objects": [
      {
        "name": "HandlerServlet",
        "comment": "Entry point that transforms Servlet request to handler request.",
        "type": "HandlerServlet",
        "config": {
          "handler": "DispatchHandler",
          "baseURI": "http://TARGETIP"
        }
      },
      {
        "name": "DispatchHandler",
        "type": "DispatchHandler",
        "config": {
          "bindings": [
            {
              "condition": "${exchange.request.uri.path == '/eum/login'}",
              "handler": "LoginChain"
            },
            {
              "handler": "OutgoingChain"
            }
          ]
        }
      },
      {
        "name": "LoginChain",
        "type": "Chain",
        "config": {
          "filters": ["SwitchFilter"],
          "handler": "OutgoingChain"
        }
      },
      {
        "name": "SwitchFilter",
        "type": "SwitchFilter",
        "config": {
          "onResponse": [
            {
              "handler": "LoginRequestHandler"
            }
          ]
        }
      },
      {
        "name": "LoginRequestHandler",
        "type": "Chain",
        "config": {
          "filters": ["LoginRequest"],
          "handler": "OutgoingChain"
        }
      },
      {
        "name": "LoginRequest",
        "type": "StaticRequestFilter",
        "config": {
          "method": "POST",
          "uri": "https://TARGETIP/login",
          "form": {
            "USER": ["myusername"],
            "PASSWORD": ["mypassword"]
          },
          "headers": {
            "cookie": ["${exchange.response.headers['Set-Cookie'][0]}"]
          }
        }
      },
      {
        "name": "OutgoingChain",
        "type": "Chain",
        "config": {
          "filters": ["CaptureFilter"],
          "handler": "ClientHandler"
        }
      },
      {
        "name": "CaptureFilter",
        "type": "CaptureFilter",
        "config": {
          "captureEntity": false,
          "file": "/tmp/gateway.log"
        }
      },
      {
        "name": "ClientHandler",
        "comment": "Responsible for sending all requests to remote servers.",
        "type": "ClientHandler",
        "config": {}
      }
    ]
  },
  "servletObject": "HandlerServlet"
}
For applications that return the login page when the user tries to access a page without a valid session. This template shows how to use the EntityExtractFilter to detect the login page in the response and the CookieFilter to ensure the cookies from the application are replayed on each request. The sample application in this template is OpenAM. If you change TARGETIP:PORT to the IP address and port of OpenAM, TARGETFQDN:PORT to the fully qualified host name and port of OpenAM, and modify USERNAME and PASSWORD in the LoginRequest, the template automatically logs USERNAME into OpenAM.
Without the CookieFilter in the OutgoingChain, the cookie set in the login page response would never be set in the browser, because that response is intercepted before it reaches the browser. The simplest way to deal with this is to let OpenIG manage all the cookies by enabling the CookieFilter. The side effect of OpenIG managing cookies is that none of the cookies are sent to the browser; they are managed locally by OpenIG.
{
  "heap": {
    "objects": [
      {
        "name": "HandlerServlet",
        "comment": "Entry point that transforms Servlet request to handler request.",
        "type": "HandlerServlet",
        "config": {
          "handler": "FindLoginPageChain",
          "baseURI": "http://TARGETIP:PORT"
        }
      },
      {
        "name": "FindLoginPageChain",
        "type": "Chain",
        "config": {
          "filters": ["IsLoginPage", "FindLoginPage"],
          "handler": "OutgoingChain"
        }
      },
      {
        "name": "FindLoginPage",
        "type": "EntityExtractFilter",
        "config": {
          "messageType": "response",
          "target": "${exchange.isLoginPage}",
          "bindings": [
            {
              "key": "found",
              "pattern": "OpenAM\\s\\(Login\\)",
              "template": "true"
            }
          ]
        }
      },
      {
        "name": "IsLoginPage",
        "type": "SwitchFilter",
        "config": {
          "onResponse": [
            {
              "condition": "${exchange.isLoginPage.found == 'true'}",
              "handler": "LoginChain"
            }
          ]
        }
      },
      {
        "name": "LoginChain",
        "type": "Chain",
        "config": {
          "filters": ["LoginRequest"],
          "handler": "OutgoingChain"
        }
      },
      {
        "name": "LoginRequest",
        "type": "StaticRequestFilter",
        "config": {
          "method": "POST",
          "uri": "http://TARGETIP:PORT/openam/UI/Login",
          "form": {
            "IDToken0": [""],
            "IDToken1": ["USERNAME"],
            "IDToken2": ["PASSWORD"],
            "IDButton": ["Log+In"],
            "encoded": ["false"]
          },
          "headers": {
            "host": ["TARGETFQDN:PORT"]
          }
        }
      },
      {
        "name": "OutgoingChain",
        "type": "Chain",
        "config": {
          "filters": ["CookieFilter", "CaptureFilter"],
          "handler": "ClientHandler"
        }
      },
      {
        "name": "CookieFilter",
        "type": "CookieFilter",
        "config": {}
      },
      {
        "name": "CaptureFilter",
        "type": "CaptureFilter",
        "config": {
          "captureEntity": true,
          "file": "/tmp/gateway.log"
        }
      },
      {
        "name": "LogSink",
        "comment": "Default sink for logging information.",
        "type": "ConsoleLogSink",
        "config": {
          "level": "DEBUG"
        }
      },
      {
        "name": "ClientHandler",
        "comment": "Responsible for sending all requests to remote servers.",
        "type": "ClientHandler",
        "config": {}
      }
    ]
  },
  "servletObject": "HandlerServlet"
}
Extracts a hidden value from the login page and includes it in the login form POSTed to the target application.
{
  "heap": {
    "objects": [
      {
        "name": "HandlerServlet",
        "comment": "Entry point that transforms Servlet request to handler request.",
        "type": "HandlerServlet",
        "config": {
          "handler": "DispatchHandler",
          "baseURI": "http://TARGETIP"
        }
      },
      {
        "name": "DispatchHandler",
        "type": "DispatchHandler",
        "config": {
          "bindings": [
            {
              "condition": "${exchange.request.uri.path == '/login'}",
              "handler": "LoginChain"
            },
            {
              "handler": "OutgoingChain"
            }
          ]
        }
      },
      {
        "name": "LoginChain",
        "type": "Chain",
        "config": {
          "filters": ["HiddenValueExtract", "LoginRequest"],
          "handler": "OutgoingChain"
        }
      },
      {
        "name": "HiddenValueExtract",
        "type": "EntityExtractFilter",
        "config": {
          "messageType": "response",
          "target": "${exchange.hiddenValue}",
          "bindings": [
            {
              "key": "value",
              "pattern": "wpLoginToken\"\\s.*value=\"(.*)\"",
              "template": "$1"
            }
          ]
        }
      },
      {
        "name": "LoginRequest",
        "type": "StaticRequestFilter",
        "config": {
          "method": "POST",
          "uri": "https://TARGETIP/login",
          "form": {
            "USER": ["myusername"],
            "PASSWORD": ["mypassword"],
            "hiddenValue": ["${exchange.hiddenValue.value}"]
          }
        }
      },
      {
        "name": "OutgoingChain",
        "type": "Chain",
        "config": {
          "filters": ["CaptureFilter"],
          "handler": "ClientHandler"
        }
      },
      {
        "name": "CaptureFilter",
        "type": "CaptureFilter",
        "config": {
          "captureEntity": false,
          "file": "/tmp/gateway.log"
        }
      },
      {
        "name": "ClientHandler",
        "comment": "Responsible for sending all requests to remote servers.",
        "type": "ClientHandler",
        "config": {}
      }
    ]
  },
  "servletObject": "HandlerServlet"
}
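Added example, not from the OpenIG documentation or project: the two EntityExtractFilter patterns used above (the OpenAM login-page detector and the wpLoginToken extractor) run with Python's re module over constructed page fragments, which shows why the greedy `.*` in the hidden-value pattern can return the wrong attribute when another input shares the line. The stricter pattern and all sample HTML are my own assumptions, not page content.

```python
import re

# Patterns copied from the two EntityExtractFilter bindings above (Java regex
# syntax, which Python's re reads identically for these two expressions).
LOGIN_PAGE_PATTERN = r"OpenAM\s\(Login\)"
HIDDEN_VALUE_PATTERN = r'wpLoginToken"\s.*value="(.*)"'
# Stricter alternative (added here, not on the page): stay inside the one <input>
# tag and stop at the first closing quote, so neighbouring inputs cannot leak in.
HIDDEN_VALUE_PATTERN_STRICT = r'wpLoginToken"\s[^>]*?value="([^"]*)"'

# Constructed page fragments, not captured from any real site.
OPENAM_TITLE = "<title>OpenAM (Login)</title>"
SIMPLE_INPUT = '<input type="hidden" name="wpLoginToken" value="a1b2c3d4" />'
CROWDED_INPUT = ('<input type="hidden" name="wpLoginToken" value="a1b2c3d4" />'
                 '<input type="submit" name="wpLoginAttempt" value="Log in" />')


def is_login_page(text):
    """True when the body matches the FindLoginPage binding (template "true")."""
    return re.search(LOGIN_PAGE_PATTERN, text) is not None


def extract_hidden_value(text, pattern=HIDDEN_VALUE_PATTERN):
    """Return what the binding's "$1" template would yield, or None on no match."""
    m = re.search(pattern, text)
    return m.group(1) if m else None
```

With the page's pattern the crowded line yields "Log in" rather than the token, so the value POSTed in the LoginRequest would be wrong; the stricter pattern returns the token in both cases.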
Proxies traffic to an application listening on ports 80 and 443. The assumption is that the application uses HTTPS for authentication and HTTP for the general application features. Assuming the login takes place entirely on port 443, you need to add the login filters and handlers to the LoginChain. To get started quickly, modify the baseURI to be the IP address of your target application. This should allow you to proxy all traffic to the application. Then add the logic for the LoginChain using the flow from one of the login templates.
{
  "heap": {
    "objects": [
      {
        "name": "HandlerServlet",
        "comment": "Entry point that transforms Servlet request to handler request.",
        "type": "HandlerServlet",
        "config": {
          "handler": "DispatchHandler"
        }
      },
      {
        "name": "DispatchHandler",
        "type": "DispatchHandler",
        "config": {
          "bindings": [
            {
              "condition": "${exchange.request.uri.scheme == 'http'}",
              "handler": "OutgoingChain",
              "baseURI": "http://TARGETIP"
            },
            {
              "condition": "${exchange.request.uri.path == '/login'}",
              "handler": "LoginChain",
              "baseURI": "https://TARGETIP"
            },
            {
              "handler": "OutgoingChain",
              "baseURI": "https://TARGETIP"
            }
          ]
        }
      },
      {
        "name": "LoginChain",
        "type": "Chain",
        "config": {
          "filters": [],
          "handler": "OutgoingChain"
        }
      },
      {
        "name": "OutgoingChain",
        "type": "Chain",
        "config": {
          "filters": ["CaptureFilter"],
          "handler": "ClientHandler"
        }
      },
      {
        "name": "CaptureFilter",
        "type": "CaptureFilter",
        "config": {
          "captureEntity": false,
          "file": "/tmp/gateway.log"
        }
      },
      {
        "name": "ClientHandler",
        "comment": "Responsible for sending all requests to remote servers.",
        "type": "ClientHandler",
        "config": {}
      }
    ]
  },
  "servletObject": "HandlerServlet"
}
Shows how a single OpenIG configuration can proxy to multiple applications on different IPs and ports. This template is set up to proxy to both the WordPress and MediaWiki hosted samples. OpenIG must be set up to listen on both ports 8080 and 8181. The DispatchHandler routes each incoming request, by the port it arrived on, to either the WordPress chain or the MediaWiki chain.
{
  "heap": {
    "objects": [
      {
        "name": "HandlerServlet",
        "type": "HandlerServlet",
        "config": {
          "handler": "DispatchHandler"
        }
      },
      {
        "name": "DispatchHandler",
        "comment": "Bindings are tried in order; the two conditions must differ or the second chain is never reached.",
        "type": "DispatchHandler",
        "config": {
          "bindings": [
            {
              "condition": "${exchange.request.uri.host == 'demo.forgerock.com' and exchange.request.uri.port == 8080}",
              "handler": "WordPressLoginChain",
              "baseURI": "http://109.73.67.52:8080"
            },
            {
              "condition": "${exchange.request.uri.host == 'demo.forgerock.com' and exchange.request.uri.port == 8181}",
              "handler": "MediaWikiLoginChain",
              "baseURI": "http://109.73.67.52:8181"
            }
          ]
        }
      },
      {
        "name": "WordPressLoginChain",
        "type": "Chain",
        "config": {
          "filters": [],
          "handler": "OutgoingChain"
        }
      },
      {
        "name": "MediaWikiLoginChain",
        "type": "Chain",
        "config": {
          "filters": [],
          "handler": "OutgoingChain"
        }
      },
      {
        "name": "OutgoingChain",
        "type": "Chain",
        "config": {
          "filters": ["CaptureFilter"],
          "handler": "ClientHandler"
        }
      },
      {
        "name": "CaptureFilter",
        "type": "CaptureFilter",
        "config": {
          "captureEntity": false,
          "file": "/tmp/gateway.log"
        }
      },
      {
        "name": "ClientHandler",
        "comment": "Responsible for sending all requests to remote servers.",
        "type": "ClientHandler",
        "config": {}
      }
    ]
  },
  "servletObject": "HandlerServlet"
}
Logs the user into the target application using the headers passed down from an OpenAM policy agent. This template assumes the user name and password are passed down by the OpenAM policy agent as headers. If the header passed in contains only a user name or subject and requires a lookup in an external data source, you must add an attribute filter to the chain to retrieve the credentials.
{
  "heap": {
    "objects": [
      {
        "name": "HandlerServlet",
        "comment": "Entry point that transforms Servlet request to handler request.",
        "type": "HandlerServlet",
        "config": {
          "handler": "DispatchHandler",
          "baseURI": "http://TARGETIP"
        }
      },
      {
        "name": "DispatchHandler",
        "type": "DispatchHandler",
        "config": {
          "bindings": [
            {
              "condition": "${exchange.request.uri.path == '/login'}",
              "handler": "LoginChain"
            },
            {
              "handler": "OutgoingChain"
            }
          ]
        }
      },
      {
        "name": "LoginChain",
        "type": "Chain",
        "config": {
          "filters": ["LoginRequest"],
          "handler": "OutgoingChain"
        }
      },
      {
        "name": "LoginRequest",
        "type": "StaticRequestFilter",
        "config": {
          "method": "POST",
          "uri": "https://TARGETIP/login",
          "form": {
            "USER": ["${exchange.request.headers['username'][0]}"],
            "PASSWORD": ["${exchange.request.headers['password'][0]}"]
          }
        }
      },
      {
        "name": "OutgoingChain",
        "type": "Chain",
        "config": {
          "filters": ["CaptureFilter"],
          "handler": "ClientHandler"
        }
      },
      {
        "name": "CaptureFilter",
        "type": "CaptureFilter",
        "config": {
          "captureEntity": false,
          "file": "/tmp/gateway.log"
        }
      },
      {
        "name": "ClientHandler",
        "comment": "Responsible for sending all requests to remote servers.",
        "type": "ClientHandler",
        "config": {}
      }
    ]
  },
  "servletObject": "HandlerServlet"
}
A sample template used to log a user into Microsoft Online Outlook Web Access. This template shows how to use the Gateway together with the OpenAM password capture feature to integrate with OWA. You can follow the Password Capture & Replay tutorial, substituting this template for the one it uses.
{
  "heap": {
    "objects": [
      {
        "name": "LogSink",
        "comment": "Default sink for logging information.",
        "type": "ConsoleLogSink",
        "config": {
          "level": "DEBUG"
        }
      },
      {
        "name": "HandlerServlet",
        "type": "HandlerServlet",
        "config": {
          "handler": "DispatchHandler",
          "baseURI": "https://65.55.171.158"
        }
      },
      {
        "name": "DispatchHandler",
        "type": "DispatchHandler",
        "config": {
          "bindings": [
            {
              "condition": "${exchange.request.uri.path == '/owa/auth/logon.aspx'}",
              "handler": "LoginChain"
            },
            {
              "handler": "OutgoingChain"
            }
          ]
        }
      },
      {
        "name": "LoginChain",
        "type": "Chain",
        "config": {
          "filters": ["CryptoHeaderFilter", "LoginRequest"],
          "handler": "OutgoingChain"
        }
      },
      {
        "name": "CryptoHeaderFilter",
        "type": "CryptoHeaderFilter",
        "config": {
          "messageType": "REQUEST",
          "operation": "DECRYPT",
          "algorithm": "DES/ECB/NoPadding",
          "key": "DESKEY",
          "keyType": "DES",
          "charSet": "utf-8",
          "headers": ["password"]
        }
      },
      {
        "name": "LoginRequest",
        "type": "StaticRequestFilter",
        "config": {
          "method": "POST",
          "uri": "https://65.55.171.158/owa/auth/owaauth.dll",
          "headers": {
            "Host": ["red001.mail.microsoftonline.com"],
            "Content-Type": ["application/x-www-form-urlencoded"]
          },
          "form": {
            "destination": ["https://red001.mail.microsoftonline.com/owa/"],
            "forcedownlevel": ["0"],
            "trusted": ["0"],
            "username": ["${exchange.request.headers['username'][0]}"],
            "password": ["${exchange.request.headers['password'][0]}"],
            "isUtf8": ["1"]
          }
        }
      },
      {
        "name": "OutgoingChain",
        "type": "Chain",
        "config": {
          "filters": ["HeaderFilter", "CaptureFilter"],
          "handler": "ClientHandler"
        }
      },
      {
        "name": "HeaderFilter",
        "comment": "Strips the agent-supplied credential headers so they are not forwarded to OWA.",
        "type": "HeaderFilter",
        "config": {
          "messageType": "REQUEST",
          "remove": ["password", "username"]
        }
      },
      {
        "name": "CaptureFilter",
        "type": "CaptureFilter",
        "config": {
          "captureEntity": false,
          "file": "/tmp/gateway.log"
        }
      },
      {
        "name": "ClientHandler",
        "type": "ClientHandler",
        "config": {}
      }
    ]
  },
  "servletObject": "HandlerServlet"
}
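Added example, not part of the OpenIG documentation or project: a small Python linter for the heap configs in this chapter. It flags four things a practitioner wants checked before one of these templates goes to production: a CaptureFilter still wired into a chain (the warning at the top of the chapter), literal credentials in a StaticRequestFilter form, a DispatchHandler binding that can never be reached, and a credential header replayed from a policy agent that no HeaderFilter removes (the OWA template strips them; the policy-agent template does not). The object types and expression syntax are the page's; the sample config, the finding messages and the "pass" field-name heuristic are my own constructions.

```python
import re

# Expressions that replay an inbound request header, e.g. "${exchange.request.headers['password'][0]}".
HEADER_REF = re.compile(r"exchange\.request\.headers\['([^']+)'\]")


def lint_config(config):
    """Return findings (strings) for one parsed OpenIG heap config."""
    objects = config["heap"]["objects"]
    by_name = {o["name"]: o for o in objects}
    # Header names some HeaderFilter removes (messageType is not checked; assumed REQUEST).
    stripped = {h.lower() for o in objects if o["type"] == "HeaderFilter"
                for h in o.get("config", {}).get("remove", [])}
    findings = []
    for o in objects:
        cfg = o.get("config", {})
        if o["type"] == "Chain":  # a CaptureFilter anywhere in a chain writes traffic to disk
            for f in cfg.get("filters", []):
                if by_name.get(f, {}).get("type") == "CaptureFilter":
                    findings.append(f"{o['name']}: CaptureFilter '{f}' still in chain")
        elif o["type"] == "DispatchHandler":  # first matching binding wins
            seen = set()
            for i, b in enumerate(cfg.get("bindings", [])):
                cond = b.get("condition")  # None is the default (unconditional) binding
                if cond in seen or None in seen:
                    findings.append(f"{o['name']}: binding {i} is unreachable")
                seen.add(cond)
        elif o["type"] == "StaticRequestFilter":
            for field, values in cfg.get("form", {}).items():
                for v in values:
                    if "pass" in field.lower() and not v.startswith("${"):
                        findings.append(f"{o['name']}: literal secret in form field '{field}'")
                    for h in HEADER_REF.findall(v):  # replayed header must not reach the target
                        if h.lower() not in stripped:
                            findings.append(f"{o['name']}: header '{h}' never removed by a HeaderFilter")
    return findings


# Constructed sample: a trimmed copy of the hard-coded-login template, with a header-sourced
# user name and a repeated binding added so that every check fires.
SAMPLE_CONFIG = {"heap": {"objects": [
    {"name": "DispatchHandler", "type": "DispatchHandler", "config": {"bindings": [
        {"condition": "${exchange.request.uri.path == '/login'}", "handler": "LoginChain"},
        {"handler": "OutgoingChain"},
        {"condition": "${exchange.request.uri.path == '/login'}", "handler": "LoginChain"}]}},
    {"name": "LoginRequest", "type": "StaticRequestFilter", "config": {"method": "POST",
        "uri": "https://TARGETIP/login", "form": {"PASSWORD": ["mypassword"],
        "USER": ["${exchange.request.headers['username'][0]}"]}}},
    {"name": "OutgoingChain", "type": "Chain", "config": {"filters": ["CaptureFilter"], "handler": "ClientHandler"}},
    {"name": "CaptureFilter", "type": "CaptureFilter", "config": {"captureEntity": False, "file": "/tmp/gateway.log"}},
    {"name": "ClientHandler", "type": "ClientHandler", "config": {}}]}}
```

Run it with `json.load` on a saved config file and `lint_config` on the result; an empty list means none of the four checks fired.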