--- title: Password replay from a file description: The following figure illustrates the flow of requests when PingGateway uses credentials in a file to log a user in to the sample application: component: pinggateway version: 2026 page_id: pinggateway:gateway-guide:credentials-file canonical_url: https://docs.pingidentity.com/pinggateway/2026/gateway-guide/credentials-file.html revdate: 2025-10-15T18:45:22Z --- # Password replay from a file The following figure illustrates the flow of requests when PingGateway uses credentials in a file to log a user in to the sample application: ![login-from-file](https://kroki.io/plantuml/svg/eNqFksGO0zAQhs_4KUY5sKe2sAeQelipVHSLhESULZy4uMkksUg9Zuw0zSPxGjwZ49TL0grYU5LJ9_8e_zNqcaNgTW5k07QBfv6A21ev38JMHrdvIDe2gQ8V2mDCKBg7Yh0MWaVg1xoPJVUI8gwEe4TeYwV4KrvemyN2IxgrhLVYRg0MJrT_sQRPdRg0IxCDRz6aEv1c_VsBZOUMqmtkD74v2786xN46bHQHk4NBr2BoCVp9xFhClqaNFUrD3tgqntaJ0HoE3TDiQaBnep-rm4VSug9k-8MeWSmnOZjSOC3a7B3TIO1koD2k90vgs1Rq0-FEbORF7ekEWTzvXgcc9JipFxeKXHs_EFcFuk6PIgnJPy82V2j0W4XAZt8H9H-gm9U1WuBRssSc6TRuta26RBb5VqGtQLq6utrKOQlrCmEi5VupdMfZnTSzhO1ul8P9-x0wfu_RBxnIV7twTPHGiwaJG1RCJnxNtjZ8gI4aWR-nm2nBotbIpM6gdL6E4myn5EMq4rWEj0TfoHdQChmnpDsfdzDL-hTwPJxClqlIz5LN-olNVrH6EEjW6MontBj3OeApnTo1XKBkK8Fd0DXT4YKf-pYcIy8jK_F3HNNqTSHlnx52ss_p6jXxQYlidiehRpkM-lGkpJTsvujOVLIkSfVSFl8mxegdyQqfDdJAnkzSz1_flWGd?id=figure-login-from-file) * PingGateway intercepts the browser's HTTP GET request, which matches the route condition. * The PasswordReplayFilter confirms that a login page is required, and * The FileAttributesFilter uses the email address to look up the user credentials in a file, and stores the credentials in the request context attributes map. * The PasswordReplayFilter retrieves the credentials from the attributes map, builds the login form, and performs the HTTP POST request to the sample app. * The sample application validates the credentials, and responds with a profile page. * The ReverseProxyHandler passes the response to the browser. Before you start, prepare PingGateway and the sample application as described in the [Getting started with PingGateway](../getting-started/preface.html). 1. On your system, add the following data in a comma-separated value file: * Linux `/tmp/userfile.txt` * Windows `C:\Temp\userfile.txt` ```csv username,password,fullname,email george,C0stanza,George Costanza,george@example.com kramer,N3wman12,Kramer,kramer@example.com bjensen,H1falutin,Babs Jensen,bjensen@example.com demo,Ch4ng31t,Demo User,demo@example.com kvaughan,B5ibery12,Kirsten Vaughan,kvaughan@example.com scarter,S9rain12,Sam Carter,scarter@example.com wolkig,Geh3imnis!,Wilhelm Wolkig,wolkig@example.com ``` Source: [userfile.txt](../_attachments/others/userfile.txt) 2. Set up PingGateway: 1. Set up PingGateway for HTTPS, as described in [Configure PingGateway for TLS (server-side)](../installation-guide/securing-connections.html#server-side-tls). 2. Make sure PingGateway connects to the sample application over HTTPS with a route to access static resources. Learn more in [Using the sample application](../getting-started/start-sampleapp.html). 3. Add the following route to PingGateway: * Linux `$HOME/.openig/config/routes/02-file.json` * Windows `%appdata%\OpenIG\config\routes\02-file.json` ```json { "name": "02-file", "condition": "${find(request.uri.path, '^/profile')}", "capture": "all", "handler": { "type": "Chain", "baseURI": "https://app.example.com:8444", "config": { "filters": [ { "type": "PasswordReplayFilter", "config": { "loginPage": "${find(request.uri.path, '^/profile/george') and (request.method == 'GET')}", "credentials": { "type": "FileAttributesFilter", "config": { "file": "/tmp/userfile.txt", "key": "email", "value": "george@example.com" } }, "request": { "method": "POST", "uri": "https://app.example.com:8444/login", "form": { "username": [ "${contexts.fileAttributes.record.username}" ], "password": [ "${contexts.fileAttributes.record.password}" ] } } } } ], "handler": "ReverseProxyHandler" } } } ``` Source: [02-file.json](../_attachments/config/routes/02-file.json) Notice the following features of the route: * The route matches requests to `/profile`. * The `PasswordReplayFilter` specifies a `loginPage` page property: * When a request is an HTTP GET, and the request URI path is `/profile/george`, the expression resolves to `true`. The request is directed to a login page. The `FileAttributesFilter` looks up the key and value in `/tmp/userfile.txt`, and stores them in the context. The `request` object retrieves the username and password from the context, and replaces the browser's original HTTP GET request with an HTTP POST login request, containing the credentials to authenticate. * For other requests, the expression resolves to `false`. The request passes to the ReverseProxyHandler, which directs it to the profile page of the sample app. 3. Test the setup: 1. In your browser's privacy or incognito mode, go to and accept the server certificate. Because the property `loginPage` resolves to `true`, the PasswordReplayFilter processes the request to obtain the login credentials. The sample app returns the profile page for George. 2. Go to or to any other URI starting with `https://ig.example.com:8443/profile`. Because the property `loginPage` resolves to `false`, the PasswordReplayFilter passes the request directly to the ReverseProxyHandler. The sample app returns the login page.