Class AllowOnlyFilter

  • All Implemented Interfaces:
    Filter

    public class AllowOnlyFilter
    extends Object
    implements Filter
    This filter authorizes a request to continue processing if any of the declared rules is satisfied (logical or). If not, the configured failure Handler is invoked (returns a 401 Unauthorized by default).

    A rule may permit a request from a 'from' to a 'destination' destination if any 'when' expression set is evaluated to true.

     "type": "AllowOnlyFilter",
     "config": {
         "rules"                     :   Rule[]           [REQUIRED] - A request is authorized if one rule is evaluated to
                                                              true.
                                                              Must contain at least one element.
             "name"                  :   String           [OPTIONAL] - The request name, may be useful while debugging.
             "from"                  :   From[]           [OPTIONAL] - Predicate group specialized in the request's
                                                              sender.
                                                              Evaluated to true if all its predicates are
                                                              true. Must contain at least one element.
                 "ip"                :   ip               [OPTIONAL] - Verify if the last request sender (direct client)
                                                              has its IP address in a specific CIDR IP address range.
                     "list"          :   String[]         [REQUIRED] - The IP Address ranges. Must contain at least one
                                                              element.
                     "resolver"      :   expression       [OPTIONAL] - An expression that return an IP Address as a
                                                              string.
                 "certificate"       :   certificate[]    [OPTIONAL] - Verify the Distinguished Name of the client through
                                                              its X509 certificate.
                     "subjectDNs"    :   Pattern[]        [REQUIRED] - The allowed DN pattern list. Must contain at least
                                                              one element. You can use regex Flags with tis syntax :
                                                              (?i:cn=test).
             "destination"           :   Destination[]    [OPTIONAL] - Predicate group specialized in the request's
                                                              destination.
                                                              Evaluated to true if all its predicates are
                                                              true. Must contain at least one element.
                 "hosts"             :   String[]         [OPTIONAL] - Verify if the destination's hostname matches one of
                                                              the given patterns. Must contain at least one element.
                 "ports"             :   String[]         [OPTIONAL] - Verify if the destination's port is in a port range
                                                              whitelist.
                                                              Both single port and port ranges are supported
                                                              (ie : ["80", "10:20"]) Must contain at least one element.
                 "methods"           :   String[]         [OPTIONAL] - Verify if the destination's HTTP method is in a
                                                              method whitelist. Must contain at least one element.
                 "paths"             :   Regex[]          [OPTIONAL] - Verify if the destination's path matches one of the
                                                              given patterns. Must contain at least one element.
             "when"                  :   expression       [OPTIONAL] - Evaluate the expression with the request and the
                                                              context.
         "failureHandler"            :   Reference        [OPTIONAL] A reference to a Handler in the Heap.
      }
     

    Example :

     
         {
             "type": "AllowOnlyFilter",
             "config": {
                 "rules": [
                     {
                         "name": "my first rule" // Optional.
                         "from": [
                              {
                                  "ip": {
                                      "list": ["127.0.0.1", "10.192.168.0/24"],
                                      "resolver": "${request.headers['X-Forwarded-For'][0]}"
                                  }
                              }
                         ]
                         "destination": [
                             {
                                 "hosts": ["myhost1\.com", "www\.myhost1\.com"],
                                 "ports": ["80", "90:100", "20000:40000"],
                                 "methods": ["POST", "GET"],
                                 "paths": ["/user/.*", "/unknown_user/.*"]
                             },
                                                                      // OR between the 2 destinations
                             {
                                 "ports": [8080]
                             }
                         ],
                                                                     // AND between theses 2 statements
                         "when": "${not empty request.headers['foo']}"
                     },
                                                                      // OR between the rules.
                     {
                         "when": "${request.headers['h2'][0] == 'val2'}"
                     }
                 ],
                 "failureHandler": "myHandlerDefinedInTheHeap" // Optional, when not set it returns a HTTP 401
             }
         }
     
     
    • Constructor Detail

      • AllowOnlyFilter

        public AllowOnlyFilter​(org.forgerock.openig.filter.allow.TraceablePredicate predicate,
                               Handler failureHandler,
                               org.forgerock.openig.filter.allow.ReporterFactory reporterFactory)
        Constructs an AllowOnlyFilter.
        Parameters:
        predicate - The predicate to evaluate.
        failureHandler - The error handler to trigger if the predicate is not successful.
        reporterFactory - The factory which will create on-demand reporters.
    • Method Detail

      • filter

        public Promise<Response,​NeverThrowsException> filter​(Context context,
                                                                   Request request,
                                                                   Handler next)
        Description copied from interface: Filter
        Filters the request and/or response of an exchange. To pass the request to the next filter or handler in the chain, the filter calls next.handle(context, request).

        This method may elect not to pass the request to the next filter or handler, and instead handle the request itself. It can achieve this by merely avoiding a call to next.handle(context, request) and creating its own response object. The filter is also at liberty to replace a response with another of its own by intercepting the response returned by the next handler.

        Specified by:
        filter in interface Filter
        Parameters:
        context - The request context.
        request - The request.
        next - The next filter or handler in the chain to handle the request.
        Returns:
        A Promise representing the response to be returned to the client.