Message Capture with OpenIG

Setting up protection for a web application or API is much easier if you know what is actually going on between client and server.
OpenIG functions by the concept of a reverse web proxy, primarily with the objective to enforce authentication and authorization. However it also allows to simply log inbound and outbound messages to a file.

The OpenIG Studio provides a straightforward way to configure capture inbound and outbound messages.



















The capture is logged by default in the route-rocksock.log file. In this example, openig.example.com is the external hostname which hits OpenIG. The internal hostname is internal.company.com. This is not know to the client but configured in the route configuration for /rocksock in OpenIG.
The route-rocksock.log file from the example :

--- (request) id:0307be7f-3166-4dde-bf08-698dd82c2c5b-178 --->   

GET http://openig.example.com:8080/rocksock/ HTTP/1.1
accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-encoding: gzip, deflate
accept-language: en;q=1,de;q=0.9,en-US;q=0.8,fr-FR;q=0.7,it;q=0.6
connection: keep-alive
host: openig.example.com:8080
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0) Gecko/20100101 Firefox/36.0 SeaMonkey/2.33.1

--- (request) id:0307be7f-3166-4dde-bf08-698dd82c2c5b-178 --->

GET http://internal.company.com:9080/rocksock/ HTTP/1.1
accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-encoding: gzip, deflate
accept-language: en;q=1,de;q=0.9,en-US;q=0.8,fr-FR;q=0.7,it;q=0.6
connection: keep-alive
host: openig.example.com:8080
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0) Gecko/20100101 Firefox/36.0 SeaMonkey/2.33.1

<--- (response) id:0307be7f-3166-4dde-bf08-698dd82c2c5b-178 ---

HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 42
Content-Type: text/html
Date: Tue, 25 Oct 2016 16:13:48 GMT
ETag: W/"42-1477411512000"
Last-Modified: Tue, 25 Oct 2016 16:05:12 GMT

[entity]

<--- (response) id:0307be7f-3166-4dde-bf08-698dd82c2c5b-178 ---

HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 42
Content-Type: text/html
Date: Tue, 25 Oct 2016 16:13:48 GMT
ETag: W/"42-1477411512000"
Last-Modified: Tue, 25 Oct 2016 16:05:12 GMT

[entity]

The route configuration as produced by the OpenIG Studio looks as follows :
{
  "name": "rocksock",
  "baseURI": "http://internal.company.com:9080",
  "condition": "${matches(request.uri.path, '^/rocksock')}",
  "monitor": false,
  "capture": [
    "request",
    "response"
  ],
  "heap": [
    {
      "type": "ClientHandler",
      "name": "ClientHandler",
      "capture": [
        "request",
        "response"
      ]
    }
  ],
  "handler": "ClientHandler"
}

The IG studio will be shipped with ForgeRock Identity Gateway 5.0. For more, see the OpenIG Studio introduction .

By Joachim Andres