dubdub
Sep 23, 2013

ACCESS::session data get - not available on 10.2.2?

Hi all,

 

A quick question on "ACCESS::session data get" - I am using it in an HTTP_REQUEST event on 11.4, and when I brought a copy of the iRule down to a 10.2.2 instance, I get a "command is not valid in current event context (HTTP_REQUEST)" for "ACCESS::session data get session.ldap.last.attr.memberOf". I looked at https://devcentral.f5.com/wiki/iRules.ACCESS__session.ashx for the valid event list, but there is none there. Is this function truly not available in 10.2.2?

 

Thanks, Jen

 

4 Replies

  • A few things:

     

    1. The ACCESS commands were introduced in 10.1. Silly question, but are you certain that APM is provisioned on your 10.2 platform?

       

    2. The HTTP_REQUEST event is generally not the best place to use ACCESS commands (except perhaps for things like [ACCESS::session exist ]). If you want to guarantee that the access session is available in the HTTP request cycle, use the ACCESS_ACL_ALLOWED event instead.

       

  • dubdub

    Hey Kevin,

     

    Yep, it is provisioned - nominal, but it's there. I have an APM policy created and associated with the virtual server that I want to use this iRule with.

     

    I need the user's group membership list inside of HTTP_REQUEST due to the fact that I am replacing a retiring authentication product with APM. I am storing URIs with associated AD groups in a data group, and on each request I am querying the user's group membership against the approved group list for the given URI. I guess I could store the user's group membership from my LDAP query during the ACCESS_POLICY_COMPLETED event in a subtable or something, and then query that from the HTTP_REQUEST event. I could give that a try before upgrading to 11.4.

     

    Thanks, Jen

     

  • The ACCESS_ACL_ALLOWED event is synonymous with the HTTP_REQUEST event, except that it fires AFTER access policy completion (and on every request beyond access policy evaluation), so the session.ldap.last.attr.memberOf session variable would be guaranteed to exist there if the LDAP query succeeded. Any command that you would run in HTTP_REQUEST (i.e., data group lookup, URI evaluation, etc.) could also be done in ACCESS_ACL_ALLOWED.

     

    I can't speak to why 10.2 is reporting invalidity in the current context, but generally speaking the HTTP_REQUEST event fires irrespective of the access policy, so you would have to take extra measures to use ACCESS commands there.

     

  • dubdub

    I was just able to create the iRule successfully on 10.2.2 by changing the HTTP_REQUEST event to ACCESS_ACL_ALLOWED. Now to begin testing :)

     

    Thank you Kevin, I appreciate the help!

     

    Thanks, Jen
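
An added example, not part of the original thread and not code from either poster: a sketch of the per-URI group check described above, run in ACCESS_ACL_ALLOWED as suggested. The data group name `uri_group_dg`, its layout (lowercase URI prefix as key, approved group DNs separated by `|` as value), the `|`-delimited format of the memberOf variable, and the availability of `ACCESS::respond` on the target version are all assumptions. Each DN is compared exactly rather than with `contains`, so a group such as `CN=Admins` does not match `CN=Admins-ReadOnly`.

```tcl
when ACCESS_ACL_ALLOWED {
    # Assumption: uri_group_dg is a string data group whose keys are
    # lowercase URI prefixes and whose values are approved group DNs
    # separated by "|". The name is hypothetical.
    set path [string tolower [HTTP::path]]
    set approved [class match -value $path starts_with uri_group_dg]

    # Assumption: URIs with no entry are unrestricted. For a
    # default-deny policy, respond 403 here instead of returning.
    if { $approved eq "" } {
        return
    }

    # Assumption: memberOf is a "|"-delimited list of group DNs.
    # An empty or missing value leaves $allowed at 0 (fail closed).
    set member_of [ACCESS::session data get "session.ldap.last.attr.memberOf"]
    set allowed 0

    foreach user_dn [split $member_of "|"] {
        set user_dn [string tolower [string trim $user_dn]]
        if { $user_dn eq "" } { continue }
        foreach ok_dn [split $approved "|"] {
            # Exact DN comparison, not substring matching.
            if { $user_dn eq [string tolower [string trim $ok_dn]] } {
                set allowed 1
                break
            }
        }
        if { $allowed } { break }
    }

    if { !$allowed } {
        set user [ACCESS::session data get "session.logon.last.username"]
        log local0. "group check denied user=$user path=$path"
        ACCESS::respond 403 content "Forbidden" Connection Close
    }
}
```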