Class PingOneProtectFeedbackFilter

java.lang.Object
org.forgerock.openig.ping.protect.PingOneProtectFeedbackFilter
All Implemented Interfaces:
Filter

public class PingOneProtectFeedbackFilter extends Object implements Filter
The PingOneProtectFeedbackFilter provides a feedback mechanism to capture the outcome of actions completed as a result of the risk evaluation. That is, it enables us to update PingOne Protect and internal assumptions based on the actions configured in the route for a given risk level. It registers a completion status with PingOne Protect.

If reporting feedback to PingOne Protect fails, the flow continues, so access is still allowed or denied, and only the post-evaluation assumed risk level is reset. The result of the post-evaluation actions will not have been reported back to PingOne Protect.

 {
      "type": ["PingOneProtectFeedbackSuccessFilter"|"PingOneProtectFeedbackFailureFilter"] (1),
      "config": {
         "pingOneService"  : Config Expression<URI> [REQUIRED - The PingOne environment service endpoint.]
         "postEvaluationAssumedRiskLevel" : Expression<String>
                                                    [OPTIONAL - Configure to reset the local session state risk level
                                                                with this "assumed" value - see note (2). Default is
                                                                unset, meaning no update will be made.]
      }
  }
  
 
Notes:
  1. Filter type configuration may be provided concisely using either "PingOneProtectFeedbackSuccessFilter" or "PingOneProtectFeedbackFailureFilter", to report successful or failed post-evaluation actions to PingOne Protect, respectively. The selection of one or the other determines the reported completion status.
  2. The 'postEvaluationAssumedRiskLevel' enables the cached evaluation level to be reset based on assumptions made because the request has arrived at this particular point in the route. This provides a usability trade-off when operating within a "throttle period" (see PingOneProtectEvaluationFilter 'lowRiskThrottlePeriod' field). It enables subsequent requests to be managed by assumptions derived from the request's progress through the route (notably post-evaluation actions). For instance, the assumed risk level may be reduced on successful post-evaluation actions, in order to avoid users having to repeat authentication/authorization actions. Conversely, it may be increased on verification failure.
The example configuration below illustrates reporting a successful post-evaluation result to PingOne Protect:
 {
     "name" : "reportVerificationSuccess",
     "type" : "PingOneProtectFeedbackSuccessFilter",
     "config" : {
       "pingOneService" : "MyPingOneEnv",
       "postEvaluationAssumedRiskLevel" : "low"
     }
 }
 
 
Notes:
  • The pingOneService endpoint is the base riskEvaluations URI only (the evaluationId parameter is managed internally).
  • The location of this filter in a route is important: feedback should only be reported once the result of the post-evaluation actions is definitively known to have been successful (or, in the opposite case, to have failed).
  • The 'postEvaluationAssumedRiskLevel' here indicates the locally assumed risk level will be reset to 'low'.
The example configuration below illustrates reporting a failed post-evaluation result to PingOne Protect:
 {
     "name" : "reportVerificationFailure",
     "type" : "PingOneProtectFeedbackFailureFilter",
     "config" : {
       "pingOneService" : "MyPingOneEnv"
     }
 }
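
The following is an added example, not part of the IG code base or its documentation: a small Python linter that checks feedback filter declarations against the configuration documented above. It assumes the declarations have already been extracted from a route as a list of objects. The function name, the severity labels and the two failure-path warnings (level left unset, or set to 'low') are this example's own heuristics, derived from note 2.

```python
import json

# Type aliases and config keys documented on this page.
FEEDBACK_TYPES = {"PingOneProtectFeedbackSuccessFilter",
                  "PingOneProtectFeedbackFailureFilter"}
KNOWN_KEYS = {"pingOneService", "postEvaluationAssumedRiskLevel"}
LEVEL_KEY = "postEvaluationAssumedRiskLevel"


def lint_feedback_filters(filters):
    """Return (name, severity, message) findings for feedback filter declarations."""
    findings = []
    for decl in filters:
        ftype = decl.get("type")
        if ftype not in FEEDBACK_TYPES:
            continue  # other filter types are out of scope
        name = decl.get("name", "<unnamed>")
        config = decl.get("config") or {}
        if not config.get("pingOneService"):
            findings.append((name, "error", "pingOneService is required"))
        for key in sorted(set(config) - KNOWN_KEYS):
            findings.append((name, "error", f"unknown config key '{key}'"))
        if ftype == "PingOneProtectFeedbackFailureFilter":
            level = config.get(LEVEL_KEY)
            if level is None:
                # Unset means no update: the cached level is left as it was.
                findings.append((name, "warn", f"{LEVEL_KEY} unset: cached risk "
                                 "level is not raised after a failed action"))
            elif str(level).strip().lower() == "low":
                findings.append((name, "warn", f"{LEVEL_KEY} is 'low' on the "
                                 "failure path"))
    return findings


# Constructed input: the page's two examples plus one deliberately broken entry.
SAMPLE = json.loads("""[
  {"name": "reportVerificationSuccess", "type": "PingOneProtectFeedbackSuccessFilter",
   "config": {"pingOneService": "MyPingOneEnv", "postEvaluationAssumedRiskLevel": "low"}},
  {"name": "reportVerificationFailure", "type": "PingOneProtectFeedbackFailureFilter",
   "config": {"pingOneService": "MyPingOneEnv"}},
  {"name": "constructedBroken", "type": "PingOneProtectFeedbackFailureFilter",
   "config": {"postEvaluationAssumedRiskLevel": "low", "pingOneServce": "MyPingOneEnv"}}
]""")

if __name__ == "__main__":
    for finding in lint_feedback_filters(SAMPLE):
        print(": ".join(finding))
```

The warning on the page's own failure example is advisory: leaving the level unset is valid, but a level cached earlier then continues to apply for the rest of the throttle period.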
 
 
See Also:
  • Method Details

    • filter

      public Promise<Response,NeverThrowsException> filter(Context context, Request request, Handler next)
      Description copied from interface: Filter
      Filters the request and/or response of an exchange. To pass the request to the next filter or handler in the chain, the filter calls next.handle(context, request).

      This method may elect not to pass the request to the next filter or handler, and instead handle the request itself. It can achieve this by merely avoiding a call to next.handle(context, request) and creating its own response object. The filter is also at liberty to replace a response with another of its own by intercepting the response returned by the next handler.

      Specified by:
      filter in interface Filter
      Parameters:
      context - The request context.
      request - The request.
      next - The next filter or handler in the chain to handle the request.
      Returns:
      A Promise representing the response to be returned to the client.