Class PingOneProtectDeviceProfileFilter

java.lang.Object
org.forgerock.openig.ping.protect.PingOneProtectDeviceProfileFilter
All Implemented Interfaces:
Filter

public class PingOneProtectDeviceProfileFilter extends Object implements Filter
If configured and enabled, the PingOneProtectDeviceProfileFilter gathers a "device profile" from the client for the purpose of providing additional evaluation signals to PingOne Protect. The device profile is gathered prior to conducting a risk evaluation. The device profile has a lifetime, after which it expires and must be retrieved again (prior to the next evaluation).

This filter always creates a PingOneProtectDeviceProfileContext, which may contain a deviceProfile if it is known (i.e. if it has previously been obtained and not yet expired).

When device profiling is configured and enabled, the flow is as follows:

  1. On first access, this filter creates a PingOneProtectDeviceProfileContext containing only the device profiling state (no deviceProfile at this stage).
  2. Prior to making a PingOne Protect risk evaluation, the PingOneProtectEvaluationFilter will first obtain the deviceProfile. This is not yet present in the PingOneProtectDeviceProfileContext, and so must be retrieved from the client. The evaluation filter returns an 'OK' response signalling a device profile request to the PingOneProtectDeviceProfileContext.
  3. On the response flow, the PingOneProtectDeviceProfileFilter detects the device profile request and, using the SDK config, generates the formPOST and includes it in the response. The response is propagated onwards to the user-agent, enabling the PingOne Protect SDK to conduct device profiling.
  4. The formPOST re-posts to PingGateway on the "callbackEndpoint", which unwraps the collected deviceProfile and transforms it into a cookie (named according to config "cookieName"). The generated cookie expires after maxAge based on the value of "lifetime".
  5. The flow is then redirected back to the original request, with the deviceProfile cookie attached.
  6. Back in the original request flow, the PingOneProtectDeviceProfileFilter again populates a PingOneProtectDeviceProfileContext, but this time including the deviceProfile.
  7. The flow progresses again to the PingOneProtectEvaluationFilter, which is now able to include the deviceProfile in the risk evaluation request to PingOne Protect.
  8. This deviceProfile will be available for all subsequent risk evaluation requests on this session, until its lifetime expires. At that point we repeat the device profiling process.

Notes:
  1. This filter is not Heap-defined as it is not intended to form part of configuration. It is expected to be included directly by the PingOneProtectEvaluationFilter when configured as part of its config.
  2. The deviceProfile cookie may be large (10Kb) and so is split in transit.
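
The sketch below is an added example, not PingGateway's own code. It illustrates note 2 and step 4: a profile too large for one cookie is split into chunks that share a Max-Age derived from "lifetime", and the receiving side treats an incomplete set as "no profile". The chunk naming scheme, the chunk size, the cookie attributes and the sample values are assumptions.

```java
import java.time.Duration;
import java.util.*;

public class ChunkedProfileCookie {
    // Assumption: chunks are named <cookieName>_<index>, and <cookieName>_n carries the chunk count.
    static final int MAX_CHUNK = 3500; // keeps name + value + attributes under the ~4096-byte browser limit

    /** Builds Set-Cookie header values for an already cookie-safe (e.g. base64url) device profile. */
    static List<String> split(String cookieName, String profile, Duration lifetime) {
        String attrs = "; Max-Age=" + lifetime.toSeconds() + "; Path=/; Secure; HttpOnly; SameSite=Lax";
        List<String> headers = new ArrayList<>();
        int count = (profile.length() + MAX_CHUNK - 1) / MAX_CHUNK;
        headers.add(cookieName + "_n=" + count + attrs);
        for (int i = 0; i < count; i++) {
            int end = Math.min(profile.length(), (i + 1) * MAX_CHUNK);
            headers.add(cookieName + "_" + i + "=" + profile.substring(i * MAX_CHUNK, end) + attrs);
        }
        return headers;
    }

    /** Reassembles the profile from request cookies; empty if the count or any chunk is absent. */
    static Optional<String> join(String cookieName, Map<String, String> cookies) {
        String n = cookies.get(cookieName + "_n");
        if (n == null || !n.matches("[1-9]\\d?")) {
            return Optional.empty(); // no profile, or a count that was tampered with
        }
        StringBuilder profile = new StringBuilder();
        for (int i = 0; i < Integer.parseInt(n); i++) {
            String chunk = cookies.get(cookieName + "_" + i);
            if (chunk == null) {
                return Optional.empty(); // partial set: treat as unknown and profile the device again
            }
            profile.append(chunk);
        }
        return Optional.of(profile.toString());
    }

    public static void main(String[] args) {
        String profile = "A".repeat(10_000); // constructed sample standing in for an encoded profile
        Map<String, String> jar = new TreeMap<>();
        for (String h : split("deviceProfile", profile, Duration.ofMinutes(5))) {
            String pair = h.substring(0, h.indexOf(';'));
            jar.put(pair.substring(0, pair.indexOf('=')), pair.substring(pair.indexOf('=') + 1));
        }
        System.out.println("complete set matches: " + join("deviceProfile", jar).map(profile::equals));
        jar.remove("deviceProfile_1"); // simulate one chunk dropped by the client
        System.out.println("partial set accepted: " + join("deviceProfile", jar).isPresent());
    }
}
```

Because the chunks arrive from the client, a reassembled value is untrusted input until it has been validated.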
  • Method Details

    • filter

      public Promise<Response,NeverThrowsException> filter(Context context, Request request, Handler next)
      Description copied from interface: Filter
      Filters the request and/or response of an exchange. To pass the request to the next filter or handler in the chain, the filter calls next.handle(context, request).

      This method may elect not to pass the request to the next filter or handler, and instead handle the request itself. It can achieve this by merely avoiding a call to next.handle(context, request) and creating its own response object. The filter is also at liberty to replace a response with another of its own by intercepting the response returned by the next handler.

      Specified by:
      filter in interface Filter
      Parameters:
      context - The request context.
      request - The request.
      next - The next filter or handler in the chain to handle the request.
      Returns:
      A Promise representing the response to be returned to the client.