{
  "name": "protect-am",
  "comment": "Allow authentication and subrealm access only (not the top-level realm or admin UI)",
  "properties": {
    "amBase": "/am",
    "amInstanceUrl": "http://am.example.com:8088/am",
    "subrealm": "customers"
  },
  "baseURI": "&{amInstanceUrl}",
  "condition": "${find(request.uri.path, '^&{amBase}')}",
  "handler": {
    "type": "Chain",
    "config": {
      "filters": [
        {
          "type": "AllowOnlyFilter",
          "config": {
            "rules": [
              {
                "comment": "Allow authentication to the subrealm; the when clause requires a realm query parameter that contains neither '/' nor '2F' (a URL-encoded slash), and rejects requests whose authIndexValue or module contains 'Application'",
                "destination": [
                  {
                    "paths": [
                      "&{amBase}/json/realms/root/realms/&{subrealm}/authenticate"
                    ],
                    "when": "${find(request.queryParams, 'realm') and !(contains(request.queryParams['realm'], '/') or contains(request.queryParams['realm'], '2F') or contains(request.queryParams['authIndexValue'], 'Application') or contains(request.queryParams['module'], 'Application'))}"
                  }
                ]
              },
              {
                "comment": "Allow authentication to the legacy UI; the when clause requires a realm query parameter that contains neither '/' nor '2F' (a URL-encoded slash), and rejects requests whose authIndexValue or module contains 'Application'",
                "destination": [
                  {
                    "paths": [
                      "&{amBase}/UI/Login"
                    ],
                    "when": "${find(request.queryParams, 'realm') and !(contains(request.queryParams['realm'], '/') or contains(request.queryParams['realm'], '2F') or contains(request.queryParams['authIndexValue'], 'Application') or contains(request.queryParams['module'], 'Application'))}"
                  }
                ]
              },
              {
                "comment": "Allow OAuth 2.0 and OpenID Connect requests to the subrealm",
                "destination": [
                  {
                    "paths": [
                      "&{amBase}/oauth2/realms/root/realms/&{subrealm}/authorize",
                      "&{amBase}/oauth2/realms/root/realms/&{subrealm}/access_token",
                      "&{amBase}/oauth2/realms/root/realms/&{subrealm}/userinfo",
                      "&{amBase}/oauth2/realms/root/realms/&{subrealm}/connect/endSession"
                    ]
                  }
                ]
              },
              {
                "comment": "Allow base requests for sessions and users",
                "destination": [
                  {
                    "paths": [
                      "&{amBase}/json/sessions",
                      "&{amBase}/json/users"
                    ]
                  }
                ]
              },
              {
                "comment": "Allow base action requests for sessions",
                "destination": [
                  {
                    "paths": [
                      "&{amBase}/json/realms/root/sessions"
                    ]
                  }
                ],
                "when": "${(request.queryParams['_action'] == 'getMaxIdle') or (request.queryParams['_action'] == 'logout') or (request.queryParams['_action'] == 'validate')}"
              },
              {
                "comment": "Allow base action requests for users",
                "destination": [
                  {
                    "paths": [
                      "&{amBase}/json/realms/root/users"
                    ]
                  }
                ],
                "when": "${request.queryParams['_action'] == 'idFromSession'}"
              },
              {
                "comment": "Allow subrealm requests for sessions, serverinfo, and users",
                "destination": [
                  {
                    "paths": [
                      "&{amBase}/json/realms/root/realms/&{subrealm}/sessions",
                      "&{amBase}/json/realms/root/realms/&{subrealm}/serverinfo/*",
                      "^&{amBase}/json/realms/root/realms/&{subrealm}/users"
                    ]
                  }
                ]
              },
              {
                "comment": "Allow access to the XUI",
                "destination": [
                  {
                    "paths": [
                      "^&{amBase}/XUI"
                    ]
                  }
                ]
              },
              {
                "comment": "Allow access to the legacy UI for logout",
                "destination": [
                  {
                    "paths": [
                      "&{amBase}/UI/Logout"
                    ]
                  }
                ]
              },
              {
                "comment": "Allow SAML v2.0 requests",
                "destination": [
                  {
                    "paths": [
                      "^&{amBase}/ArtifactResolver/",
                      "^&{amBase}/Consumer/",
                      "^&{amBase}/IDPSloPOST/",
                      "^&{amBase}/IDPSloRedirect/",
                      "^&{amBase}/IDPSloSoap/",
                      "^&{amBase}/SSORedirect/",
                      "^&{amBase}/idpsaehandler/",
                      "^&{amBase}/saml2/jsp/"
                    ]
                  }
                ]
              }
            ],
            "failureHandler": {
              "type": "StaticResponseHandler",
              "config": {
                "status": 404,
                "headers": {
                  "Content-Type": [
                    "text/html; charset=UTF-8"
                  ]
                },
                "entity": "<html><p>HTTP 404 Not Found</p></html>"
              }
            }
          }
        }
      ],
      "handler": "ReverseProxyHandler"
    }
  }
}
