Forum Discussion
TLL_91858
Cirrus
Feb 28, 2008
Any way to read the CGI collection?
I am trying to use items from the CGI variable collection, but can't seem to find a way to read, for instance, the CGI.REMOTE_USER variable.
Anyone know of a way to use these in an iRule?
8 Replies
- hoolio
Cirrostratus
I assume remote user is the base64 encoded value in the Authorization header. If so, you can use HTTP::header value Authorization to get the header value, decode it using b64decode and then split the value on the decoded colon:
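# The header value is "Basic <base64 of user:pass>"; take the token after the scheme
set auth_value [getfield [HTTP::header value Authorization] " " 2]
set decoded_auth_value [b64decode $auth_value]
# Split the decoded "user:pass" on the colon
set user [getfield $decoded_auth_value ":" 1]
set pass [getfield $decoded_auth_value ":" 2]
or:
set user [getfield [b64decode [getfield [HTTP::header value Authorization] " " 2]] ":" 1]
set pass [getfield [b64decode [getfield [HTTP::header value Authorization] " " 2]] ":" 2]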
Most of the other CGI variables are available using various commands:
- client IP address and port: [IP::client_addr] and [TCP::client_port]
- VIP IP and port by using [IP::local_addr] and [TCP::local_port] in a client side event
- request method: [HTTP::method]
- path: [HTTP::path]
- URI: [HTTP::uri]
- query string: [HTTP::query]
- content type: [HTTP::header value Content-Type]
- content length: [HTTP::header value Content-Length]
For details on the commands, you can check the corresponding wiki pages:
http://devcentral.f5.com/wiki/Default.aspx/iRules.HomePage
Aaron
- TLL_91858
Cirrus
Might be what I need, but when I do a HTTP::header exists Authorization, I get a 0 back indicating it doesn't exist. Why would it not be in the collection?
Tom
- hoolio
Cirrostratus
Hi Tom,
Did the client send a user/pass encoded in the authorization header for the request you were testing with? If so, the data should be available.
Aaron
- TLL_91858
Cirrus
I'm guessing no. There's no Basic Auth prompt for them. The website is set up to not allow anonymous, and allow Windows integrated, which I thought would force the credentials of the logged on user to be passed?
Tom
- hoolio
Cirrostratus
NTLM is slightly different. An authorization header is still used, but the user/pass aren't sent in every request. Take a look at this page which gives a good summary of the "protocol":
NTLM Authentication Scheme for HTTP
http://www.innovation.ch/personal/ronald/ntlm.html
If you use a browser add-on like Fiddler for IE or LiveHttpHeaders for FF, you can base64 decode the messages to see exactly what's being sent.
Aaron
- TLL_91858
Cirrus
Well, after going through that, and running some more tests, looks like I can't use that for what I wanted.
Tom
- hoolio
Cirrostratus
What were/are you trying to do?
Aaron
- TLL_91858
Cirrus
We have a service account that is used by operators in a computer room monitoring situation (computer_operators). They need to be able to get to a web application (What's Up Gold) to monitor status of servers.
We have a requirement that all user accounts use PKI (CAC) to access web applications, but have a process to get an exception for a user or 2 in certain situations.
The computer_operators account does not have a CAC, and can't be issued one.
I was going to set it up to require all users to present PKI except for the computer_operators account.
Tom
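Added example, not part of the original thread and not F5 code: a Python decoder for captured Authorization header values, of the kind hoolio suggests inspecting, showing that a Basic header carries the user name on every request while an NTLM header only carries it in the Type 3 message. The sample headers, the names in them, and the `build_type3` helper are constructed for illustration; field offsets follow the NTLM message layout, and the cp437 OEM code page is an assumption.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"

def _secbuf(msg, off):
    # Security buffer: length (2), allocated (2), offset (4), little-endian
    length, _, start = struct.unpack_from("<HHI", msg, off)
    return msg[start:start + length]

def describe_authorization(header_value):
    """Return (scheme, detail) for one Authorization header value."""
    scheme, _, token = header_value.strip().partition(" ")
    scheme = scheme.lower()
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:
        return (scheme, "token is not valid base64")
    if scheme == "basic":
        user, sep, _password = raw.partition(b":")  # split on the first colon only
        return (scheme, user.decode("utf-8", "replace") if sep else "malformed")
    if scheme in ("ntlm", "negotiate") and raw.startswith(NTLM_SIG) and len(raw) >= 12:
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        if msg_type != 3 or len(raw) < 64:  # types 1/2 carry no user; short type 3 is truncated
            return ("ntlm", f"type {msg_type}: no user name in this message")
        flags = struct.unpack_from("<I", raw, 60)[0]
        enc = "utf-16-le" if flags & 0x1 else "cp437"  # OEM code page is an assumption
        domain, user = (_secbuf(raw, o).decode(enc, "replace") for o in (28, 36))
        return ("ntlm", f"type 3: {domain}\\{user}")
    return (scheme, "unrecognised token")

def build_type3(domain, user, host):
    fields = [s.encode("utf-16-le") for s in (domain, user, host)]  # constructed sample
    msg, off = NTLM_SIG + struct.pack("<I", 3), 64
    msg += struct.pack("<HHI", 0, 0, off) * 2          # empty LM and NT responses
    for f in fields:
        msg += struct.pack("<HHI", len(f), len(f), off)
        off += len(f)
    msg += struct.pack("<HHI", 0, 0, off) + struct.pack("<I", 0x1)  # session key, flags
    return msg + b"".join(fields)

_b64 = lambda b: base64.b64encode(b).decode()
SAMPLES = [  # constructed header values, not captured traffic
    "Basic " + _b64(b"operator:pw:with:colon"),
    "NTLM " + _b64(NTLM_SIG + struct.pack("<II", 1, 0x1) + bytes(16)),
    "NTLM " + _b64(build_type3("EXAMPLE", "computer_operators", "OPS-PC")),
]
for value in SAMPLES:
    print(describe_authorization(value))
```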