Class AllowOnlyFilter
- java.lang.Object
-
- org.forgerock.openig.filter.allow.AllowOnlyFilter
-
- All Implemented Interfaces:
Filter
public class AllowOnlyFilter extends Object implements Filter
This filter authorizes a request to continue processing if any of the declared rules is satisfied (logical or). If not, the configured failure Handler is invoked (returns a 401 Unauthorized by default).A rule may permit a request from a 'from' to a 'destination' destination if any 'when' expression set is evaluated to true.
"type": "AllowOnlyFilter", "config": { "rules" : Rule[] [REQUIRED] - A request is authorized if one rule is evaluated to
true
. Must contain at least one element. "name" : String [OPTIONAL] - The request name, may be useful while debugging. "from" : From[] [OPTIONAL] - Predicate group specialized in the request's sender. Evaluated totrue
if all its predicates aretrue
. Must contain at least one element. "ip" : ip [OPTIONAL] - Verify if the last request sender (direct client) has its IP address in a specific CIDR IP address range. "list" : String[] [REQUIRED] - The IP Address ranges. Must contain at least one element. "resolver" : expression [OPTIONAL] - An expression that return an IP Address as a string. "certificate" : certificate[] [OPTIONAL] - Verify the Distinguished Name of the client through its X509 certificate. "subjectDNs" : Pattern[] [REQUIRED] - The allowed DN pattern list. Must contain at least one element. You can use regex Flags with tis syntax :(?i:cn=test)
. "destination" : Destination[] [OPTIONAL] - Predicate group specialized in the request's destination. Evaluated totrue
if all its predicates aretrue
. Must contain at least one element. "hosts" : String[] [OPTIONAL] - Verify if the destination's hostname matches one of the given patterns. Must contain at least one element. "ports" : String[] [OPTIONAL] - Verify if the destination's port is in a port range whitelist. Both single port and port ranges are supported (ie : ["80", "10:20"]) Must contain at least one element. "methods" : String[] [OPTIONAL] - Verify if the destination's HTTP method is in a method whitelist. Must contain at least one element. "paths" : Regex[] [OPTIONAL] - Verify if the destination's path matches one of the given patterns. Must contain at least one element. "when" : expression [OPTIONAL] - Evaluate the expression with the request and the context. "failureHandler" : Reference [OPTIONAL] A reference to a Handler in the Heap. }Example :
{ "type": "AllowOnlyFilter", "config": { "rules": [ { "name": "my first rule" // Optional. "from": [ { "ip": { "list": ["127.0.0.1", "10.192.168.0/24"], "resolver": "${request.headers['X-Forwarded-For'][0]}" } } ] "destination": [ { "hosts": ["myhost1\.com", "www\.myhost1\.com"], "ports": ["80", "90:100", "20000:40000"], "methods": ["POST", "GET"], "paths": ["/user/.*", "/unknown_user/.*"] }, // OR between the 2 destinations { "ports": [8080] } ], // AND between theses 2 statements "when": "${not empty request.headers['foo']}" }, // OR between the rules. { "when": "${request.headers['h2'][0] == 'val2'}" } ], "failureHandler": "myHandlerDefinedInTheHeap" // Optional, when not set it returns a HTTP 401 } }
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description static class
AllowOnlyFilter.Heaplet
Creates anAllowOnlyFilter
in aHeap
environment.
-
Constructor Summary
Constructors Constructor Description AllowOnlyFilter(org.forgerock.openig.filter.allow.TraceablePredicate predicate, Handler failureHandler, org.forgerock.openig.filter.allow.ReporterFactory reporterFactory)
Constructs anAllowOnlyFilter
.
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description Promise<Response,NeverThrowsException>
filter(Context context, Request request, Handler next)
Filters the request and/or response of an exchange.
-
-
-
Constructor Detail
-
AllowOnlyFilter
public AllowOnlyFilter(org.forgerock.openig.filter.allow.TraceablePredicate predicate, Handler failureHandler, org.forgerock.openig.filter.allow.ReporterFactory reporterFactory)
Constructs anAllowOnlyFilter
.- Parameters:
predicate
- The predicate to evaluate.failureHandler
- The error handler to trigger if the predicate is not successful.reporterFactory
- The factory which will create on-demand reporters.
-
-
Method Detail
-
filter
public Promise<Response,NeverThrowsException> filter(Context context, Request request, Handler next)
Description copied from interface:Filter
Filters the request and/or response of an exchange. To pass the request to the next filter or handler in the chain, the filter callsnext.handle(context, request)
.This method may elect not to pass the request to the next filter or handler, and instead handle the request itself. It can achieve this by merely avoiding a call to
next.handle(context, request)
and creating its own response object. The filter is also at liberty to replace a response with another of its own by intercepting the response returned by the next handler.
-
-