Using HTTP cookies for session tracking

To use HTTP cookies between the REST client and Airlock Gateway (WAF), consider the following configuration hints:

  • Client authentication and identity propagation using the Loginapp REST API: Loginapp >> Authentication Flows
    • Use flow-based authentication: Authentication REST API
    • Add a target application for the protected service and configure it (authentication flow, Airlock Gateway (WAF) roles/credentials, ID propagation)
  • One-Shot End-Point in IAM (Loginapp >> Airlock One-Shot Authentication):
    • Add a target application for the protected service and configure it as follows:
      • Credential Extractor: the choice does not matter, because the end-point always answers with an HTTP 401 response. Examples:
        • Bearer Token HTTP Header Extractor (as Token Credential) with an arbitrary header name
        • Static Username Password Extractor with arbitrary configuration
      • Authenticator: Denying Authenticator (one-shot must always fail in this scenario)
      • Failure Responses: configure a 401 FINAL_RESPONSE response
      • Identity Propagator: use No Identity Propagator
      • URL Pattern: matching the protected services
    • Shared One-Shot Configuration

      The one-shot settings can be used for multiple protected services. Choose the URL pattern property to match all services for which the same settings apply.

      The One-Shot end-point configured as above simply returns an HTTP 401 without inspecting the request's credentials.

      This can also be achieved by the Airlock Gateway (WAF) alone (no IAM involved) using the following Security Gate Expert Settings on the protected service's Gateway (WAF) mapping:

      Authentication.Implicit.Enable                 "TRUE"
      Authentication.Implicit.ErrorPath              "/error_path/one-shot.asis"

      Additionally, you need to create a corresponding .asis error page containing the desired HTTP 401 response and update the Gateway (WAF) error pages.

  • Airlock Gateway (WAF) Configuration
    • Make sure an IAM mapping exists and that the One-Shot functionality is enabled in the Allow Rule list.
    • Add an Airlock Gateway (WAF) mapping for the service/API to be protected
      • Set Denied access URL to /<iam-mapping-entry-path>/login-oneshot
      • From the Authentication flow drop-down, select One-Shot
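The client side of the setup above, as an added example that is not Airlock's own code: a REST client that keeps the Gateway session cookie across calls and, on the HTTP 401 returned by the one-shot end-point, authenticates once via the Loginapp REST API and retries the request. The gateway is simulated in-process so the example runs offline; the cookie name, login path and credential payload are assumptions, not Airlock's actual values.

```python
import secrets

SESSION_COOKIE = "GW_SESSION"        # assumed name of the gateway session cookie
LOGIN_PATH = "/auth/rest/login"      # assumed Loginapp REST login endpoint
VALID_SESSIONS = {}                  # session id -> user; stands in for Gateway/IAM state

def gateway(path, headers, body=None):
    """Simulated Airlock Gateway in front of one protected service.
    Returns (status, response headers, response body)."""
    raw = headers.get("Cookie", "")
    cookies = dict(p.strip().split("=", 1) for p in raw.split(";") if "=" in p)
    if path == LOGIN_PATH:
        # flow-based authentication; a new session cookie is issued on success
        if body and body.get("username") == "alice" and body.get("password") == "correct-horse":
            sid = secrets.token_hex(16)
            VALID_SESSIONS[sid] = "alice"
            return 200, {"Set-Cookie": f"{SESSION_COOKIE}={sid}; Secure; HttpOnly"}, {"status": "OK"}
        return 401, {}, {"status": "FAILED"}
    # protected service: without a valid session the one-shot end-point (or the
    # .asis error page) answers 401 and never inspects the request's credentials
    if cookies.get(SESSION_COOKIE) not in VALID_SESSIONS:
        return 401, {}, {"error": "authentication required"}
    return 200, {}, {"data": f"hello {VALID_SESSIONS[cookies[SESSION_COOKIE]]}"}

class RestClient:
    """REST client that keeps cookies across calls and authenticates once on 401."""
    def __init__(self, username, password):
        self.creds = {"username": username, "password": password}
        self.cookies = {}
        self.auth_attempts = 0

    def _send(self, path, body=None):
        headers = {"Cookie": "; ".join(f"{k}={v}" for k, v in self.cookies.items())}
        status, rheaders, rbody = gateway(path, headers, body)
        if "Set-Cookie" in rheaders:   # remember the session cookie set by the gateway
            name, value = rheaders["Set-Cookie"].split(";", 1)[0].split("=", 1)
            self.cookies[name] = value
        return status, rbody

    def get(self, path):
        status, body = self._send(path)
        if status == 401:              # expected on first contact: log in, then retry once
            self.auth_attempts += 1
            if self._send(LOGIN_PATH, self.creds)[0] == 200:
                status, body = self._send(path)
        return status, body
```

Because the client retries only once, a failed login surfaces as a 401 to the caller instead of looping against the always-failing one-shot end-point.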