---
title: Not-enforced URIs
description: By default, PingGateway routes protect access to resources for all requests matching the route's condition path. For assets that don't need protection, like the welcome page of a website, public images, and favicons, you can avoid enforcing protection.
component: pinggateway
version: 2026
page_id: pinggateway:gateway-guide:not-enforced-uri
canonical_url: https://docs.pingidentity.com/pinggateway/2026/gateway-guide/not-enforced-uri.html
revdate: 2025-10-15T18:45:22Z
keywords: ["Configuration", "Authentication", "URI"]
section_ids:
  not-enforced-uri-switch: With a SwitchFilter
  not-enforced-uri-dispatch: With a DispatchHandler
---

# Not-enforced URIs

By default, PingGateway routes protect access to resources for all requests matching the route's condition path. For assets that don't need protection, like the welcome page of a website, public images, and favicons, you can avoid enforcing protection.

The following sections show routes that don't enforce authentication for some request URLs or URL patterns.

## With a SwitchFilter

Before you start:

* Prepare PingGateway and the sample app as described in [Getting started with PingGateway](../getting-started/preface.html).

* Install and configure AM on <http://am.example.com:8088/openam> using the default configuration.

  1. On your system, add the following data in a comma-separated value file:

     * Linux

       `/tmp/userfile.txt`

     * Windows

       `C:\Temp\userfile.txt`

     ```csv
     username,password,fullname,email
     george,C0stanza,George Costanza,george@example.com
     kramer,N3wman12,Kramer,kramer@example.com
     bjensen,H1falutin,Babs Jensen,bjensen@example.com
     demo,Ch4ng31t,Demo User,demo@example.com
     kvaughan,B5ibery12,Kirsten Vaughan,kvaughan@example.com
     scarter,S9rain12,Sam Carter,scarter@example.com
     wolkig,Geh3imnis!,Wilhelm Wolkig,wolkig@example.com
     ```

     Source: [userfile.txt](../_attachments/others/userfile.txt)

  2. Set up AM:

     1. Select Services > Add a Service and add a Validation Service with the following Valid goto URL Resources:

        * `https://ig.example.com:8443/*`

        * `https://ig.example.com:8443/*?*`

     2. Register a PingGateway agent with the following values, as described in [Register a PingGateway agent in AM](preface.html#register-agent-am):

        * Agent ID: `ig_agent`

        * Password: `password`

          Use secure passwords in a production environment. Consider using a password manager to generate secure passwords.

  3. Set up PingGateway:

     1. Set an environment variable for the PingGateway agent password, and then restart PingGateway:

        ```console
        $ export AGENT_SECRET_ID='cGFzc3dvcmQ='
        ```

        A SystemAndEnvSecretStore retrieves the password from this variable. The value must be base64-encoded; `cGFzc3dvcmQ=` is the base64 encoding of `password`.

     2. Make sure PingGateway connects to the sample application over HTTPS with a route to access static resources.

        Learn more in [Using the sample application](../getting-started/start-sampleapp.html).

     3. Add the following route to PingGateway:

        * Linux

          `$HOME/.openig/config/routes/not-enforced-switch.json`

        * Windows

          `%appdata%\OpenIG\config\routes\not-enforced-switch.json`

        ```json
        {
          "properties": {
            "notEnforcedPathPatterns": "^/home|^/favicon.ico|^/css"
          },
          "heap": [
            {
              "name": "SystemAndEnvSecretStore-1",
              "type": "SystemAndEnvSecretStore"
            },
            {
              "name": "AmService-1",
              "type": "AmService",
              "config": {
                "agent": {
                  "username": "ig_agent",
                  "passwordSecretId": "agent.secret.id"
                },
                "secretsProvider": "SystemAndEnvSecretStore-1",
                "url": "http://am.example.com:8088/openam/"
              }
            }
          ],
          "name": "not-enforced-switch",
          "condition": "${find(request.uri.path, '^/')}",
          "baseURI": "https://app.example.com:8444",
          "handler": {
            "type": "Chain",
            "config": {
              "filters": [
                {
                  "name": "SwitchFilter-1",
                  "type": "SwitchFilter",
                  "config": {
                    "onRequest": [{
                      "condition": "${find(request.uri.path, '&{notEnforcedPathPatterns}')}",
                      "handler": "ReverseProxyHandler"
                    }]
                  }
                },
                {
                  "type": "SingleSignOnFilter",
                  "config": {
                    "amService": "AmService-1"
                  }
                },
                {
                  "type": "PasswordReplayFilter",
                  "config": {
                    "loginPage": "${true}",
                    "credentials": {
                      "type": "FileAttributesFilter",
                      "config": {
                        "file": "/tmp/userfile.txt",
                        "key": "email",
                        "value": "${contexts.ssoToken.info.uid}@example.com"
                      }
                    },
                    "request": {
                      "method": "POST",
                      "uri": "https://app.example.com:8444/login",
                      "form": {
                        "username": [
                          "${contexts.fileAttributes.record.username}"
                        ],
                        "password": [
                          "${contexts.fileAttributes.record.password}"
                        ]
                      }
                    }
                  }
                }
              ],
              "handler": "ReverseProxyHandler"
            }
          }
        }
        ```

        Source: [not-enforced-switch.json](../_attachments/config/routes/not-enforced-switch.json)

        Notice the following features of the route:

        * The route condition is `/`, so the route matches all requests.

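        * The SwitchFilter passes requests whose path matches the regular expression `^/home`, `^/favicon.ico`, or `^/css` directly to the ReverseProxyHandler. The patterns are anchored only at the start of the path, so every path that begins with one of these prefixes skips authentication. All other requests continue along the chain to the SingleSignOnFilter.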

        * If the request doesn't have a valid AM session cookie, the SingleSignOnFilter redirects the request to AM for authentication. The SingleSignOnFilter stores the cookie value in an `SsoTokenContext`.

        * Because the PasswordReplayFilter detects that the response is a login page, it uses the FileAttributesFilter to replay the password, and logs the request into the sample application.

  4. Test the setup:

     1. If you are signed in to AM, sign off and clear any cookies.

     2. Access the route on the not-enforced URL <http://ig.example.com:8080/home>. The home page of the sample app is displayed without authentication.

     3. Access the route on the enforced URL <http://ig.example.com:8080/profile>. The SingleSignOnFilter redirects the request to AM for authentication.

     4. Sign on to AM as user `demo`, password `Ch4ng31t`. The PasswordReplayFilter replays the credentials for the demo user. The request is passed to the sample app's profile page for the demo user.
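
The following is an added example, not part of the PingGateway documentation, that audits which request paths the route's `notEnforcedPathPatterns` value exempts from authentication. It assumes Python's `re.search` behaves like the `find()` expression function for these simple patterns; the sample paths and the `TIGHTENED` pattern are constructed for illustration.

```python
import re

# Pattern copied from the route's notEnforcedPathPatterns property.
NOT_ENFORCED = r"^/home|^/favicon.ico|^/css"

# Hypothetical tightened variant (an assumption, not from the PingGateway docs):
# escape the dot and require each prefix to end at a path-segment boundary.
TIGHTENED = r"^/home(/|$)|^/favicon\.ico$|^/css(/|$)"

# Constructed request paths. Only /home, /favicon.ico, /css and /profile appear
# on the page; the others are made up to probe the edges of the pattern.
SAMPLE_PATHS = [
    "/home",
    "/home/index.html",
    "/favicon.ico",
    "/css/main.css",
    "/profile",
    "/homeowners/accounts",
    "/faviconXico",
    "/cssreports/q3",
    "/app/home",
]


def bypasses_auth(path, pattern):
    """True when find()-style matching (re.search stands in for it) selects the path."""
    return re.search(pattern, path) is not None


def not_enforced(paths, pattern):
    """Paths that the SwitchFilter or DispatchHandler would send straight to the proxy."""
    return [p for p in paths if bypasses_auth(p, pattern)]


def newly_enforced(paths, loose, strict):
    """Paths the loose pattern exempts from authentication but the strict one does not."""
    return [p for p in paths
            if bypasses_auth(p, loose) and not bypasses_auth(p, strict)]


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        state = "not enforced" if bypasses_auth(p, NOT_ENFORCED) else "enforced"
        print(f"{p:25} {state}")
    print("enforced after tightening:",
          newly_enforced(SAMPLE_PATHS, NOT_ENFORCED, TIGHTENED))
```

Run the same check against the real path inventory of the protected application before deploying a not-enforced pattern, and review any path that appears in the not-enforced list unexpectedly.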

## With a DispatchHandler

To use a DispatchHandler for not-enforced URIs, replace the route in [With a SwitchFilter](#not-enforced-uri-switch) with the following route. If the request is on the path `^/home`, `^/favicon.ico`, or `^/css`, the DispatchHandler sends it directly to the ReverseProxyHandler, without authentication. It passes all other requests into the Chain for authentication.

```json
{
  "properties": {
    "notEnforcedPathPatterns": "^/home|^/favicon.ico|^/css"
  },
  "heap": [
    {
      "name": "SystemAndEnvSecretStore-1",
      "type": "SystemAndEnvSecretStore"
    },
    {
      "name": "AmService-1",
      "type": "AmService",
      "config": {
        "agent": {
          "username": "ig_agent",
          "passwordSecretId": "agent.secret.id"
        },
        "secretsProvider": "SystemAndEnvSecretStore-1",
        "url": "http://am.example.com:8088/openam/"
      }
    }
  ],
  "name": "not-enforced-dispatch",
  "condition": "${find(request.uri.path, '^/')}",
  "baseURI": "https://app.example.com:8444",
  "handler": {
    "type": "DispatchHandler",
    "config": {
      "bindings": [
        {
          "condition": "${find(request.uri.path, '&{notEnforcedPathPatterns}')}",
          "handler": "ReverseProxyHandler"
        },
        {
          "handler": {
            "type": "Chain",
            "config": {
              "filters": [
                {
                  "type": "SingleSignOnFilter",
                  "config": {
                    "amService": "AmService-1"
                  }
                },
                {
                  "type": "PasswordReplayFilter",
                  "config": {
                    "loginPage": "${true}",
                    "credentials": {
                      "type": "FileAttributesFilter",
                      "config": {
                        "file": "/tmp/userfile.txt",
                        "key": "email",
                        "value": "${contexts.ssoToken.info.uid}@example.com"
                      }
                    },
                    "request": {
                      "method": "POST",
                      "uri": "https://app.example.com:8444/login",
                      "form": {
                        "username": [
                          "${contexts.fileAttributes.record.username}"
                        ],
                        "password": [
                          "${contexts.fileAttributes.record.password}"
                        ]
                      }
                    }
                  }
                }
              ],
              "handler": "ReverseProxyHandler"
            }
          }
        }
      ]
    }
  }
}
```

Source: [not-enforced-dispatch.json](../_attachments/config/routes/not-enforced-dispatch.json)
