PingGateway 2024.9

AdminHttpApplication (admin.json)

The AdminHttpApplication serves requests on the administrative route, such as the creation of routes and the collection of monitoring information. The administrative route and its subroutes are reserved for administration endpoints.

The configuration is loaded from a JSON-encoded file, expected at $HOME/.openig/config/admin.json. Objects configured in admin.json cannot be used by config.json or any PingGateway routes.

Default objects

PingGateway provides default objects in admin.json. To override a default object, configure an object with the same name in admin.json.

Configure default objects in admin.json and config.json separately. An object configured in admin.json with the same name as an object configured in config.json isn’t the same object.

AuditService

Records no audit events. The default AuditService is NoOpAuditService. Learn more from NoOpAuditService.

CaptureDecorator

Captures requests and response messages. The default CaptureDecorator is named capture, and uses the default settings given in CaptureDecorator.

When a capture point for the default CaptureDecorator is defined in a route, for example, when "capture: "all" is set as a top-level attribute of the JSON, log messages for requests and responses passing through the route are written to a log file in $HOME/.openig/logs.

When no capture point is defined in a route, only exceptions thrown during request or response processing are logged.

By default, request and response contexts and entities are not captured. Do one of the following to capture information:

  • Override the default capture decorator declaration, and set captureEntity to true.

  • Declare another CaptureDecorator object with an appropriate configuration and use it at your capture points.

The capture decorator logs information about the HTTP request and response messages, along with their respective headers.

ClientHandler

Communicates with third-party services. Learn more from ClientHandler.

ForgeRockClientHandler

Sends ForgeRock Common Audit transaction IDs when communicating with protected applications. The default ForgeRockClientHandler is a Chain, composed of a TransactionIdOutboundFilter and a ClientHandler.

IssuerRepository

A repository of Issuers declared in the heap. To overwrite the default issuer, configure a local IssuerRepository with the name IssuerRepository. To create a new IssuerRepository containing a subset of Issuers, configure a local IssuerRepository with a different name.

ProxyOptions

A proxy to which a ClientHandler or ReverseProxyHandler can submit requests, and an AmService can submit Websocket notifications. For more information, refer to ProxyOptions.

ReverseProxyHandler

Communicates with third-party services. For more information, refer to ReverseProxyHandler.

ScheduledExecutorService

Specifies the number of threads in a pool.

TemporaryStorage

Manages temporary buffers. For more information, refer to TemporaryStorage.

TimerDecorator

Records time spent within filters and handlers. The default TimerDecorator is named timer. For more information, refer to TimerDecorator.

TracingDecorator

Pushes traces to an OpenTelemetry service.

This capability is available in Technology preview. It isn’t yet supported, may be functionally incomplete, and is subject to change without notice.

Use this to decorate the following:

The default TracingDecorator is named tracing. PingGateway traces include Vert.x traces where applicable.

TransactionIdOutboundFilter

Inserts the ID of a transaction into the header of a request.

Provided objects

PingGateway creates the following objects when a filter with the name of the object is declared in admin.json:

"ApiProtectionFilter"

A filter to protect administrative APIs on reserved routes. By default, only the loopback address can access reserved routes.

For an example that uses an ApiProtectionFilter, refer to Set up the UMA example. For information about reserved routes, refer to Reserved routes.

"MetricsProtectionFilter"

A filter to protect the monitoring endpoints.

By default, the Prometheus Scrape Endpoint and Common REST Monitoring Endpoint (deprecated) are open and accessible; no special credentials or privileges are required to access the monitoring endpoints.

For an example that uses a MetricsProtectionFilter, refer to Protect monitoring endpoints.

"StudioProtectionFilter"

A filter to protect the Studio endpoint when PingGateway is running in development mode.

When PingGateway is running in development mode, by default the Studio endpoint is open and accessible.

For an example that uses a StudioProtectionFilter, refer to Restrict access to Studio.

Usage

{
  "heap": [ object, ... ],
  "adminConnector": object,
  "connectors": [ object, ... ],
  "vertx": object,
  "gatewayUnits": configuration expression<number>,
  "mode": configuration expression<enumeration>,
  "prefix": configuration expression<string>, // deprecated
  "properties": object,
  "temporaryDirectory": configuration expression<string>,
  "temporaryStorage": TemporaryStorage reference,
  "pidFileMode": configuration expression<enumeration>,
  "preserveOriginalQueryString": configuration expression<boolean>,
  "session": object,
  "streamingEnabled": configuration expression<boolean>,
  "serveDeprecatedPrometheusEndpoint": configuration expression<boolean>,
  "openTelemetry": object
}

Properties

"heap": array of objects, optional

The heap object configuration, described in Heap objects.

"adminConnector": object, optional

Port configuration for administrative traffic. By default, PingGateway reserves all paths starting with /openig for administrative use.

{
  "adminConnector" : {
      "port": configuration expression<number>,
      "host": configuration expression<string>,
      "tls": ServerTlsOptions reference,
      "vertx": object,
      "maxTotalHeadersSize": configuration expression<integer>
    }
}
port: configuration expression<number>, required

The port where PingGateway listens for administrative connections.

host: configuration expression<string>, optional

The hostname where PingGateway listens for administrative connections.

If this is not "localhost" and you intend to permit connections from other systems, override the default ApiProtectionFilter that allows only connections from the loopback address by default. For example, permit connections from systems in the private network address range 192.168.0.0192.168.255.255:

{
  "name": "ApiProtectionFilter",
  "type": "AllowOnlyFilter",
  "config": {
    "rules": [
      {
        "name": "AdminAccessFromPrivateNetwork",
        "from": [
          {
            "ip": {
              "list": [
                "192.168.0.0/16"
              ]
            }
          }
        ],
        "destination": [
          {
            "hosts": [
              "ig.example.com"
            ],
            "ports": [
              "9444"
            ],
            "methods": [
              "POST",
              "GET"
            ],
            "paths": [
              "/openig/*"
            ]
          }
        ]
      }
    ],
    "failureHandler": {
      "type": "StaticResponseHandler",
      "config": {
        "status": 403,
        "headers": {
          "Content-Type": [
            "text/html; charset=UTF-8"
          ]
        },
        "entity": "<html><p>Administrative access denied</p></html>"
      }
    }
  }
}

Default: 0.0.0.0 (listen on all network interfaces)

tls: ServerTlsOptions reference, optional

Configure options for connections to TLS-protected endpoints based on ServerTlsOptions. Define the object inline or in the heap.

Default: Connections to TLS-protected endpoints are not configured.

vertx: object, optional

Vert.x-specific configuration for administrative connections. Vert.x options are described in HttpServerOptions.

For properties where PingGateway provides its own first-class configuration the PingGateway configuration option takes precedence over Vert.x options configured in vertx. Vert.x values are evaluated as configuration expressions.

The following Vert.x configuration options are disallowed server-side:

  • port

  • useAlpn

  • ssl

  • enabledCipherSuites

  • enabledSecureTransportProtocols

  • jdkSslEngineOptions

  • keyStoreOptions

  • openSslEngineOptions

  • pemKeyCertOptions

  • pemTrustOptions

  • pfxKeyCertOptions

  • pfxTrustOptions

  • trustStoreOptions

  • clientAuth

The following Vert.x configuration options are deprecated server-side:

  • maxHeaderSize

  • initialSettings:maxHeaderListSize

  • host

Use adminConnector:maxTotalHeadersSize instead of vertx.maxHeaderSize or vertx.initialSettings.maxHeaderListSize.

maxTotalHeadersSize: integer, optional

The maximum size in bytes for the sum of all request headers. When the request headers exceed this limit, PingGateway returns an HTTP 431 error.

Default: 8 192 bytes

The following example requires administrative connections over HTTPS on port 9443 from the same computer (localhost):

{
    "adminConnector": {
        "host": "localhost",
        "port": 9443,
        "tls": "ServerTlsOptions-1"
    }
}
"connectors": array of objects, required

Server port configuration, when PingGateway is acting server-side.

When an application sends requests to PingGateway or requests services from PingGateway, PingGateway is server-side. PingGateway is acting as a server of the application, and the application is acting as a client.
{
  "connectors" : [
    {
      "port": [ configuration expression<number>, ... ],
      "host": configuration expression<string>,
      "tls": ServerTlsOptions reference,
      "vertx": object,
      "maxTotalHeadersSize": configuration expression<integer>
    },
    {
      ...
    }
  ]
}
port: array of configuration expression<numbers>, required

One or more ports on which PingGateway is connected. When more than one port is defined, PingGateway is connected to each port.

host: configuration expression<string>, optional

The hostname where PingGateway listens for administrative connections.

Default: 0.0.0.0 (listen on all network interfaces)

tls: ServerTlsOptions reference, optional

Configure options for connections to TLS-protected endpoints, based on ServerTlsOptions. Define the object inline or in the heap.

Default: Connections to TLS-protected endpoints are not configured.

vertx: object, optional

Vert.x-specific configuration for this connector when PingGateway is acting server-side. When PingGateway is acting client-side, configure the vertx property of ClientHandler or ReverseProxyHandler.

Vert.x options are described in HttpServerOptions.

For properties where PingGateway provides its own first-class configuration Vert.x configuration options are disallowed, and the PingGateway configuration option takes precedence over Vert.x options configured in vertx. Vert.x values are evaluated as configuration expressions.

The following Vert.x configuration options are disallowed server-side:

  • port

  • useAlpn

  • ssl

  • enabledCipherSuites

  • enabledSecureTransportProtocols

  • jdkSslEngineOptions

  • keyStoreOptions

  • openSslEngineOptions

  • pemKeyCertOptions

  • pemTrustOptions

  • pfxKeyCertOptions

  • pfxTrustOptions

  • trustStoreOptions

  • clientAuth

The following Vert.x configuration options are deprecated server-side:

  • maxHeaderSize

  • initialSettings:maxHeaderListSize

  • host

Use connectors:maxTotalHeadersSize instead of vertx.maxHeaderSize or vertx.initialSettings.maxHeaderListSize.

The following example configures connectors on ports 8080 and 8443 when PingGateway is acting server-side. When PingGateway is acting client-side, configure the vertx property of ClientHandler or ReverseProxyHandler:

{
  "connectors": [{
    "port": 8080,
    "vertx": {
      "maxWebSocketFrameSize": 128000,
      "maxWebSocketMessageSize": 256000,
      "compressionLevel": 4
    }
  },
  {
    "port": 8443,
    "tls": "ServerTlsOptions-1"
  }]
}
maxTotalHeadersSize: integer, optional

The maximum size in bytes of the sum of all request headers. When the request headers exceed this limit, PingGateway returns an HTTP 431 error.

Default: 8 192 bytes

The following example configures HTTP/2 connections on port 7070 when PingGateway is acting server-side. The configuration allows PingGateway to accept HTTP/2 requests with large headers. When PingGateway is acting client-side, configure the vertx property of ClientHandler or ReverseProxyHandler:

{
  "connectors": [
    {
      "port": 7070,
      "maxTotalHeadersSize": 16384
    }
  ]
}
vertx: object, optional

Vert.x-specific configuration used to more finely-tune Vert.x instances. Vert.x values are evaluated as configuration expressions.

Use the Vert.x options described in VertxOptions, with the following exceptions:

  • metricsOptions: Not used

  • metricsEnabled: Enable Vertx metrics. Default: true.

For an example, refer to Monitoring Services.

PingGateway proxies all WebSocket subprotocols by default. To proxy specific WebSocket subprotocols only, list them as follows:

"vertx": {
  "webSocketSubProtocols": ["v1.notifications.forgerock.org", ... ]
}
"gatewayUnits": configuration expression<number>, optional

The number of parallel instances of PingGateway to bind to an event loop. All instances listen on the same ports.

Default: The number of cores available to the JVM.

mode: configuration expression<enumeration>, optional

Set the PingGateway mode to development or production. The value is not case-sensitive.

If mode is not set, the provided configuration token ig.run.mode can be resolved at startup to define the run mode.

For more information, refer to Operating modes.

Default: production

"prefix": configuration expression<string>, optional

The base of the route for administration requests. This route and its subroutes are reserved for administration endpoints.

This property is deprecated. Define an "adminConnector" instead.

Default: openig

"properties": object, optional

Configuration parameters declared as property variables for use in the configuration. See also Route properties.

Default: Null

"temporaryDirectory": configuration expression<string>, optional

Directory containing temporary storage files.

Set this property to store temporary files in a different directory, for example:

{
   "temporaryDirectory": "/path/to/my-temporary-directory"
}

Default: $HOME/.openig/tmp (on Windows, %appdata%\OpenIG\OpenIG\tmp)

"temporaryStorage": TemporaryStorage reference, optional

The TemporaryStorage object to buffer content during processing.

Provide the name of a TemporaryStorage object defined in the heap or an inline TemporaryStorage configuration object.

Incoming requests use the temporary storage buffer as follows:

  • Used only when streamingEnabled is false.

  • The request is loaded into the PingGateway storage defined in temporaryStorage, before it enters the chain.

  • If the content length of the request is more than the buffer limit, PingGateway returns an HTTP 413 Payload Too Large.

Default: Use the heap object named TemporaryStorage. Otherwise, use an internally-created TemporaryStorage object named TemporaryStorage that uses default settings for a TemporaryStorage object.

"pidFileMode": configuration expression<enumeration>, optional

Mode to allow or disallow startup if there is an existing PID file. Use one of the following values:

  • fail: Startup fails if there is an existing PID file.

  • override: Startup is allowed if there is an existing PID file. PingGateway removes the existing PID file and creates a new one during startup.

Default: fail

"preserveOriginalQueryString": configuration expression<boolean>, optional

Process query strings in URLs, by applying or not applying a decode/encode process to the whole query string.

The following characters are disallowed in query string URL components: ", {, }, <, >, (space), and |. For more information about which query strings characters require encoding, refer to Uniform Resource Identifier (URI): Generic Syntax.

  • true: Preserve query strings as they are presented.

    Select this option if the query string must not change during processing, for example, in signature verification.

    If a query string contains a disallowed character, the request produces a 400 Bad Request.

  • false: Tolerate disallowed characters in query string URL components, by applying a decode/encode process to the whole query string.

    Select this option when a user agent or client produces query searches with disallowed characters. PingGateway transparently encodes the disallowed characters before forwarding requests to the protected application.

    Characters in query strings are transformed as follows:

    • Allowed characters are not changed. For example, sep=a is not changed.

    • Percent-encoded values are re-encoded when the decoded value is an allowed character. For example, sep=%27 is changed to sep=', because ' is an allowed character.

    • Percent-encoded values are not changed when the decoded value is a disallowed character. For example, sep=%22 is not changed, because " is a disallowed character.

    • Disallowed characters are encoded. For example, sep=", is changed to sep=%22, because " is a disallowed character.

Default: false

"session": object, optional

Configures stateful sessions for PingGateway. For information about PingGateway sessions, refer to Sessions.

{
  "session": {
    "cookie": {
      "name": configuration expression<string>,
      "httpOnly": configuration expression<boolean>,
      "path": configuration expression<string>,
      "sameSite": configuration expression<enumeration>,
      "secure": configuration expression<boolean>,
    },
    "timeout": configuration expression<duration>
  }
}
"cookie": object, optional

The configuration of the cookie used to store the stateful session.

Default: The session cookie is treated as a host-based cookie.

"name": configuration expression<string>, optional

The session cookie name.

Default: IG_SESSIONID

"httpOnly": configuration expression<boolean>, optional

Flag to mitigate the risk of client-side scripts accessing protected session cookies.

Default: true

"path": configuration expression<string>, optional

The path protected by the session.

Set a path only if the user agent is able to re-emit session cookies on the path. For example, to re-emit a session cookie on the path /home/cdsso, the user agent must be able to access that path on its next hop.

Default: /.

"sameSite": configuration expression<enumeration>, optional

Options to manage the circumstance in which the session cookie is sent to the server. The following values are listed in order of strictness, with most strict first:

  • STRICT: Send the session cookie only if the request was initiated from the session cookie domain. Not case-sensitive. Use this value to reduce the risk of cross-site request forgery (CSRF) attacks.

  • LAX: Send the session cookie only with GET requests in a first-party context, where the URL in the address bar matches the session cookie domain. Not case-sensitive. Use this value to reduce the risk of cross-site request forgery (CSRF) attacks.

  • NONE: Send the session cookie whenever a request is made to the session cookie domain. With this setting, consider setting secure to true to prevent browsers from rejecting the session cookie. For more information, refer to SameSite cookies

Default: LAX

For CDSSO, set "sameSite":"none" and "secure":"true". For security reasons, many browsers require the connection used by the browser to be secure (HTTPS) for "sameSite":"none". Therefore, if the connection used by the browser is not secure (HTTP), the browser might not supply cookies with "sameSite":"none". For more information, refer to Cross-domain single sign-on (CDSSO).
"secure": configuration expression<boolean>, optional

Flag to limit the scope of the session cookie to secure channels.

Set this flag only if the user agent is able to re-emit session cookies over HTTPS on its next hop. For example, to re-emit a session cookie with the secure flag, the user agent must be connected to its next hop by HTTPS.

Default: false

For CDSSO, set "sameSite":"none" and "secure":"true". For security reasons, many browsers require the connection used by the browser to be secure (HTTPS) for "sameSite":"none". Therefore, if the connection used by the browser is not secure (HTTP), the browser might not supply cookies with "sameSite":"none". For more information, refer to Cross-domain single sign-on (CDSSO).
"timeout": configuration expression<duration>, optional

The duration after which idle sessions are automatically timed out.

The value must be above zero, and no greater than 3650 days (approximately 10 years). PingGateway truncates the duration of longer values to 3650 days.

Default: 30 minutes

"streamingEnabled": configuration expression<boolean>, optional

A flag to manage content:

  • true: PingGateway streams the content of HTTP requests and responses. The content is available for processing bit-by-bit, as soon as it is received.

  • false: PingGateway buffers the content of HTTP requests and responses into the storage defined in temporaryStorage. The content is available for processing only after it has all been received.

When this property is true, consider the following requirements to prevent PingGateway from blocking an executing thread to wait for streamed content:

  • Write runtime expressions that consume streamed content with # instead of $. For more information, refer to runtime expression.

  • In scripts and Java extensions, never use a Promise blocking method, such as get(), getOrThrow(), or getOrThrowUninterruptibly() to obtain the response. For more information, refer to Scripts.

When streamingEnabled=true and a CaptureDecorator with captureEntity=true decorates a component, the decorator interrupts streaming for the captured request or response until the whole entity is captured.

Default: false

"serveDeprecatedPrometheusEndpoint": configuration expression<boolean>, optional

A flag to enable or disable the deprecated Prometheus metrics endpoint:

  • false: Disable the deprecated Prometheus Scrape Endpoint

  • true: Enable the deprecated Prometheus Scrape Endpoint

Default: true

"openTelemetry": object, optional

Configure how to push traces to an OpenTelemetry service. When you use it with other applications with OpenTelemetry support, the service helps you analyze the flows through PingGateway and the other applications to understand performance and system behavior.

This capability is available in Technology preview. It isn’t yet supported, may be functionally incomplete, and is subject to change without notice.

PingGateway can push traces to an OpenTelemetry Protocol (OTLP) endpoint over HTTP where you collect and analyze system trace data. By default, this optional feature is disabled. To push traces to an OpenTelemetry service, you must at least enable it and set the decoration "tracing": true on routes or objects of interest to enable additional traces.

The trace data and span content has Evolving interface stability. It is subject to change without notice, even in a minor or maintenance release.

The following configuration enables PingGateway to push traces to http://localhost:4318/v1/traces:

{
    "openTelemetry": {
        "tracing": {
            "enabled": true
        }
    }
}

OpenTelemetry support has the following "tracing" object settings:

{
    "tracing": {
        "enabled": configuration expression<boolean>,
        "resourceAttributes": object,
        "exporter": object,
        "sampler": object,
        "spanLimits": object
    }
}
"enabled": configuration expression<boolean>, optional

Set to true to enable OpenTelemetry tracing.

Default: false

"resourceAttributes": object, optional

A map of additional resource attributes for processing traces. Learn more in the OpenTelemetry documentation about Semantic Attributes with SDK-provided Default Value.

For example, if there are multiple PingGateway instances in a deployment, set the "service.instance.id" resource attribute differently for each one to distinguish between them:

{
    "resourceAttributes": {
        "service.instance.id": "gateway1"
    }
}
"exporter": object, optional

Configuration for the exporter, which pushes traces to the OpenTelemetry service.

{
    "exporter": {
        "type": "otlp",
        "config": object,
        "batch": object
    }
}
"type": configuration expression<string>, optional

Set to otlp for OpenTelemetry Protocol (OTLP) support, the only supported protocol at this time.

Default: otlp

"config": object, optional

Endpoint and timeout configuration:

{
    "config": {
        "endpoint": configuration expression<string>,
        "connectionTimeout": configuration expression<duration>,
        "timeout": configuration expression<duration>
    }
}
  • "endpoint": configuration expression<string>, optional: The endpoint to publish traces to; default: http://localhost:4318/v1/traces

    For HTTPS, PingGateway trusts the default JVM CAs. To override this, set the -Djavax.net.ssl.trustStore and associated JVM settings when starting PingGateway. Learn more about the optional settings in the Java Secure Socket Extension (JSSE) Reference Guide.

    PingGateway doesn’t support TLS configuration for the tracing endpoint at this time.

  • "connectionTimeout": configuration expression<duration>, optional: Time out a connection to the endpoint after this duration; default: 10 seconds.

  • "timeout": configuration expression<duration>, optional: Time out a request to publish data to the endpoint after this duration; default: 10 seconds.

"batch": object, optional

Enable and configure batch processing for trace data:

{
    "batch": {
        "enabled": configuration expression<boolean>,
        "scheduleDelay": configuration expression<duration>,
        "maxQueueSize": configuration expression<number>,
        "maxBatchSize": configuration expression<number>,
        "timeout": configuration expression<duration>,
        "exportUnsampledSpans": configuration expression<boolean>
    }
}
  • "enabled": configuration expression<boolean>, optional: Leave batch processing enabled in deployment; default: true.

  • "scheduleDelay": configuration expression<duration>, optional: Maximum interval between sending batches of trace data; default: 50 seconds.

  • "maxQueueSize": configuration expression<number>, optional: Maximum number of spans to queue before dropping them; default: 1024.

  • "maxBatchSize": configuration expression<number>, optional: Maximum number of spans in a batch; default: 256.

  • "timeout": configuration expression<duration>, optional: Time out a data exporter after this duration; default: 10 seconds.

  • "exportUnsampledSpans": configuration expression<boolean>, optional: Whether to report on unsampled spans; default: false.

"sampler": object, optional

Configuration for sampling spans:

{
    "sampler": {
        "type": configuration expression<string>,
        "ratio": configuration expression<number>
    }
}
"type": configuration expression<string>, optional

The sampler strategy to use; one of:

  • "alwaysOn": Send every span for processing. (Default)

  • "alwaysOff": Never send any span for processing.

  • "ratio": Sample the specified ratio of spans, deterministically based on the trace IDs of the spans.

  • "parentBasedAlwaysOn": Always send the span for processing if the parent span was sampled.

  • "parentBasedAlwaysOff": Never send the span for processing if the parent span was sampled.

  • "parentBasedRatio": Send the specified ratio of spans for processing if the parent span was sampled.

"ratio": configuration expression<number>, optional

For ratio-based types, a percentage of spans to process.

Default: 50 (percent)

"spanLimits": object, optional

Configuration for limits enforced when recording spans:

{
    "spanLimits": {
        "maxNumberOfAttributesPerEvent": configuration expression<number>,
        "maxAttributeValueLength": configuration expression<number>,
        "maxNumberOfAttributes": configuration expression<number>,
        "maxNumberOfLinks": configuration expression<number>,
        "maxNumberOfEvents": configuration expression<number>,
        "maxNumberOfAttributesPerLink": configuration expression<number>
    }
}
"maxNumberOfAttributesPerEvent": configuration expression<number>, optional

The maximum number of metadata items (attributes) attached to a span per event. An event is an annotation to span at a particular, meaningful point in time during the span’s duration.

Default: 256

"maxAttributeValueLength": configuration expression<number>, optional

The maximum number of characters in a string attribute value.

Default: 256

"maxNumberOfAttributes": configuration expression<number>, optional

The maximum number of attributes per span.

Default: 256

"maxNumberOfLinks": configuration expression<number>, optional

The maximum number of links per span. Links associate the current span with one or more other spans.

Default: 256

"maxNumberOfEvents": configuration expression<number>, optional

The maximum number of events per span.

Default: 256

"maxNumberOfAttributesPerLink": configuration expression<number>, optional

The maximum number of attributes per link.

Default: 256

Example configuration files

Default configuration

When your configuration does not include an admin.json file, the following admin.json is provided by default:

{
  "connectors": [
    { "port" : 8080 }
  ]
}

Overriding the default ApiProtectionFilter

The following example shows an admin.json file configured to override the default ApiProtectionFilter that protects the reserved administrative route. This example is used in Set up the UMA example.

{
  "connectors": [
    { "port" : 8080 }
  ],
  "heap": [
    {
      "name": "ClientHandler",
      "type": "ClientHandler"
    },
    {
      "name": "ApiProtectionFilter",
      "type": "CorsFilter",
      "config": {
        "policies": [
          {
            "acceptedOrigins": [ "http://app.example.com:8081" ],
            "acceptedMethods": [ "GET", "POST", "DELETE" ],
            "acceptedHeaders": [ "Content-Type" ]
          }
        ]
      }
    }
  ]
}