Limitations
Limitations are inherent to the design, not bugs to be fixed.
Audit events
- The log file of audit events can be overwritten when the log file is rotated.
  When a CsvAuditEventHandler is used to log audit events, PingGateway overwrites the log file if it is rotated before the rotationFileSuffix changes. By default, rotationFileSuffix is defined as a date in _yyyy-MM-dd format.
  PingGateway rotates log files when a maxFileSize, rotationInterval, or rotationTimes limit is reached.
  Set the log rotation parameters so the log isn’t likely to rotate before rotationFileSuffix changes.
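The following is an added example, not part of the PingGateway documentation or code: a simplified model that replays time-based rotations and reports rotated file names that would be produced more than once, which is the overwrite condition described above. The function names, the file name access.csv, the dates, and the naming rule (base name plus formatted suffix) are assumptions of this sketch; size-based rotation (maxFileSize) is not modelled because it can fire at any time.

```python
from datetime import datetime, timedelta

# Subset of Java date-pattern tokens used in rotationFileSuffix, as strftime.
_TOKENS = [("yyyy", "%Y"), ("MM", "%m"), ("dd", "%d"),
           ("HH", "%H"), ("mm", "%M"), ("ss", "%S")]

def to_strftime(java_pattern):
    """Translate e.g. '_yyyy-MM-dd' to '_%Y-%m-%d'; other characters are literal."""
    out, i = "", 0
    while i < len(java_pattern):
        for token, fmt in _TOKENS:
            if java_pattern.startswith(token, i):
                out, i = out + fmt, i + len(token)
                break
        else:
            ch = java_pattern[i]
            out, i = out + ("%%" if ch == "%" else ch), i + 1
    return out

def rotation_instants(start, hours, interval=None, times_after_midnight=()):
    """Time-based rotation instants in (start, start + hours].
    Assumption: rotationTimes are modelled as offsets after midnight."""
    end = start + timedelta(hours=hours)
    instants = set()
    t = start + interval if interval else None
    while t is not None and t <= end:
        instants.add(t)
        t += interval
    day = start.replace(hour=0, minute=0, second=0, microsecond=0)
    while day <= end:
        instants.update(day + off for off in times_after_midnight
                        if start < day + off <= end)
        day += timedelta(days=1)
    return sorted(instants)

def overwritten_names(base, suffix_pattern, instants):
    """Rotated file names that would be produced more than once.
    Assumption: rotated name = base + formatted suffix (simplified model)."""
    fmt, seen, clashes = to_strftime(suffix_pattern), set(), []
    for t in instants:
        name = base + t.strftime(fmt)
        if name in seen:
            clashes.append(name)
        seen.add(name)
    return clashes

if __name__ == "__main__":
    # Constructed scenario: rotate every 6 hours for one day from 2024-01-01.
    six_hourly = rotation_instants(datetime(2024, 1, 1), 24, interval=timedelta(hours=6))
    print(overwritten_names("access.csv", "_yyyy-MM-dd", six_hourly))
    print(overwritten_names("access.csv", "_yyyy-MM-dd-HH", six_hourly))
```

A non-empty result means audit records would be lost for that configuration; either lengthen the rotation interval or use a suffix pattern that changes at least as often as the log rotates.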
Filters
- The CookieFilter is not JwtSession compatible.
- The JWT created by JwtBuilderFilter is not encrypted.
  Carefully consider the security of your configuration when using this filter.
- Filters can’t use the value of System.currentTimeMillis().
  This applies to JwtBuilderFilter for claims such as exp and iat.
- When a user has a pre-existing fragment cookie during authentication—for example, from a previous, incomplete authentication attempt—the pre-existing fragment overwrites the current fragment.
  To minimize the effect of this limitation, the FragmentFilter cookie has a maxAge property you can use to configure the maximum duration it can remain valid.
Handlers
- ClientHandler blocks with asynchronous HTTP clients.
  PingGateway processes responses from asynchronous HTTP clients with two thread pools of the same size:
  - The first thread pool receives the response headers.
  - The second thread pool completes the promise by executing the callback and writing the response content to the stream. Reading and writing to the stream are synchronous, blocking operations.
  Synchronous operation can cause routes to declare a blocked ClientHandler. To recover from blocking, restart the route or, if the route is config.json, restart the server. To prevent blocking, increase the number of worker threads.
- The ClientHandler and ReverseProxyHandler property systemProxy can’t be used with a proxy that requires a username and password. Use the handler’s proxy property instead.
HTTP
- PingGateway doesn’t forward host information for HTTP/2 requests.
  When acting as a reverse proxy and receiving HTTP/2 requests, PingGateway doesn’t forward the host information in the HTTP/2 :authority: pseudo-header to the protected application.
  If the protected application uses the HTTP/1.1 Host header or HTTP/2 :authority: pseudo-header to route requests, an error occurs.
- When acting as a client for HTTPS mutual authentication, the PingGateway client certificate isn’t configurable.
  The client certificate must be the first in the ClientHandler or ReverseProxyHandler keystore.
SAML
- When SAML is used with an AM policy agent, class cast exceptions occur.
- The SamlFederationHandler doesn’t support filtering.
  This limitation is mitigated by the SAML 2.0 requests processed with original URI value feature. Do not use a SamlFederationHandler as the handler for a Chain.
  More generally, do not use a SamlFederationHandler when its use depends on something in the response. The response can be handled independently of PingGateway and can be null when control returns to PingGateway. For example, do not use this handler in a SequenceHandler where the post-condition depends on the response.
- When the user defined mapping is incorrectly set, missing SAML assertions produce an infinite loop during authentication attempts.
Scripts
- PingGateway scripts are not sandboxed. They can access anything in their environment.
  Make sure all scripts PingGateway loads are safe.
Streaming
- PingGateway requires the admin.json property streamingEnabled to be set to true to process files bigger than 2 GB and Server-Sent Events.
Studio
- Studio deploys and undeploys routes through a main router named _router, the name of the main router in the default configuration.
  If you use a custom config.json, make sure that it contains a main router named _router.
- To avoid undesirable side effects, Studio only lets you deploy or undeploy routes created and modified using Studio.