---
title: PasswordReplayFilter
description: Replays credentials to a login page or to the next filter or handler in the chain. The PasswordReplayFilter doesn't retry failed authentication attempts.
component: pinggateway
version: 2026
page_id: pinggateway:reference:PasswordReplayFilter
canonical_url: https://docs.pingidentity.com/pinggateway/2026/reference/PasswordReplayFilter.html
revdate: 2025-06-02T18:01:47Z
section_ids:
  PasswordReplayFilter-usage: Usage
  PasswordReplayFilter-properties: Properties
  PasswordReplayFilter-example: Example
  PasswordReplayFilter-moreinfo: More information
---

# PasswordReplayFilter

Replays credentials to a login page or to the next filter or handler in the chain. The PasswordReplayFilter doesn't retry failed authentication attempts.

## Usage

```json
{
  "name": string,
  "type": "PasswordReplayFilter",
  "config": {
    "request": object,
    "loginPage": runtime expression<boolean>,
    "loginPageContentMarker": pattern,
    "credentials": Filter reference,
    "loginPageExtractions": [ object, ... ]
  }
}
```

## Properties

* `"request"`: *<[object](preface.html#definition-object)>, required*

  The HTTP request message that replays the credentials.

  ```json
  {
    "request": object,
      "method": config expression<string>,
      "uri": runtime expression<string>,
      "version": configuration expression<string>,
      "entity": runtime expression<string>,
      "headers": map,
      "form": map
  }
  ```

  For information about the properties of `request`, refer to [Request](Request.html).

  The JSON object of `request` is the `config` content of a [StaticRequestFilter](StaticRequestFilter.html).

* `"loginPage"`: *runtime expression<[boolean](preface.html#definition-boolean)>, required unless `loginPageContentMarker` is defined*

  `true`: Direct the request to a login page, extract credentials, and replay them.

  `false`: Pass the request unchanged to the next filter or handler in the chain.

  The following example expression resolves to `true` when the request is an HTTP GET, and the request URI path is `/login`:

  ```none
  ${find(request.uri.path, '/login') and (request.method == 'GET')}
  ```

* `"loginPageContentMarker"`: *[pattern](preface.html#definition-pattern), required unless `loginPage` is defined*

  A [Patterns and PingGateway](Patterns.html) that matches when a response entity is a login page.

  You can find an example route that uses this property in [Login form with password replay and cookie filters](../configure/templates.html#template-login-replay-cookie-filters).

* `"credentials"`: *Filter [reference](preface.html#definition-reference), optional*

  [Filter](Filters.html), such as a [FileAttributesFilter](FileAttributesFilter.html) or [SqlAttributesFilter](SqlAttributesFilter.html), that injects credentials, making them available for replay.

  When this isn't specified, credentials must be made available to the request by other means.

* `"loginPageExtractions"`: *array of <[objects](preface.html#definition-object)>, optional*

  Objects to extract values from the login page entity.

  ```json
  {
    "loginPageExtractions": [
      {
        "name": string,
        "pattern": pattern
      },
      ...
    ]
  }
  ```

  The extract configuration array is a series of configuration objects. To extract multiple values, use multiple extract configuration objects. Each object has the following fields:

  * `"name"`: *[string](preface.html#definition-string), required*

    Name of the field where the extracted value is put.

    The names are mapped into `attributes.extracted`.

    For example, if the name is `nonce`, the value can be obtained with the expression `${attributes.extracted.nonce}`.

    The name `isLoginPage` is reserved to hold a boolean that indicates whether the response entity is a login page.

  * `"pattern"`: *[pattern](preface.html#definition-pattern), required*

    The regular expression pattern to find in the entity.

    The pattern must contain one capturing group. (If it contains more than one, only the value matching the first group is placed into `attributes.extracted`.)

    For example, suppose the login page entity contains a nonce required to authenticate, and the nonce in the page looks like `nonce='n-0S6_WzA2Mj'`. To extract `n-0S6_WzA2Mj`, set `"pattern": " nonce='(.*)'"`.

## Example

The following example authenticates requests using static credentials when the request URI path is `/login`. This PasswordReplayFilter example doesn't include any mechanism for remembering when authentication has already been successful, it simply replays the authentication every time that the request URI path is `/login`:

```json
{
  "handler": {
    "type": "Chain",
    "config": {
      "filters": [{
        "type": "PasswordReplayFilter",
        "config": {
          "loginPage": "${request.uri.path == '/login'}",
          "request": {
            "method": "POST",
            "uri": "https://www.example.com:8444/login",
            "form": {
              "username": [
                "MY_USERNAME"
              ],
              "password": [
                "MY_PASSWORD"
              ]
            }
          }
        }
      }],
      "handler": "ReverseProxyHandler"
    }
  }
}
```

Additional examples:

* [Password replay and PingOne Advanced Identity Cloud](../aic/password-replay.html) with PingOne Advanced Identity Cloud

* [Password replay with AM](../gateway-guide/credentials-am.html)

* [Password replay from a database](../gateway-guide/credentials-database.html)

* [Password replay from a file](../gateway-guide/credentials-file.html)

## More information

[org.forgerock.openig.filter.PasswordReplayFilterHeaplet](../_attachments/apidocs/org/forgerock/openig/filter/PasswordReplayFilterHeaplet.html)