Microgateway request processing steps

Microgateway receives HTTP/HTTPS requests and forwards them to the back-end service. Finally, the back-end creates a HTTP/HTTPS response, which the Microgateway sends to the requesting client.

During this process, many steps are being processed by Airlock Microgateway. Generally they can be separated into the Request processing and Response processing tasks.

Microgateway-manual-request-processing-steps

Request processing		Response processing
1. TLS handshake ● Present TLS server certificate ● Check client certificate (optional) 2. Establish session handling (optional) 3. JWT validation (optional) ● JWT validation ● Role extraction from JWT ● Client-ID extraction from JWT 4. Authentication enforcement (optional) 5. Path and parameter validation ● Parameter normalization and character encoding ● Check URL encryption (optional) 6. Policy enforcement ● HTTP request limits ● JSON limits ● OpenAPI specification validation (optional) ● Check CSRF Token (optional) ● Check Smart form protection (optional) ● Allow rules ● Deny rules ● General request limits 7. Request actions 8. Request enrichment ● Add cookies from cookie store ● Decrypt protected cookies ● Add headers from header store ● SSO credential propagation ● Add environment cookies 9. Send request to back-end		1. Receive response from back-end 2. Control API processing 3. Rewriting ● Error page replacement (optional) ● JSON rewriting (optional) ● Any content rewriting (optional) ● HTML rewriting (optional) 4. Inject protection mechansims ● CSRF Token injection (optional) ● URL encryption (optional) ● Smart form protection (optional) ● Cookie protection 5. Response actions 6. OpenAPI specification validation (optional) 7. Session handling: Update information (optional) 8. Send response to client

For every request the filtering engine writes a log message with the "log_id":"WR-SG-SUMMARY". Even without going through the Response processing steps.