For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

MDPF52_180608's avatar
MDPF52_180608
Icon for Nimbostratus rankNimbostratus
Sep 11, 2015

APM & JBOSS JSESSIONID

Hello Devcentral,

 

Currently, I am facing a problem with an implementation of APM as a front-end for a JBOSS application. Basically, the user needs to authenticate on the APM logon page and after that the APM will send an HTTP POST (HTTP Auth) with the parameters used on the Logon page and after that the user will be able to see the protected content. The problem is the following: JBOSS require a valid JSESSIONID cookie the user can not have the JSESSIONID cookie because APM protects that application. Anyone can help me to find a workaround for this?

 

Thanks in advance,

 

Best Regards,

 

M.

 

2 Replies

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Sep 11, 2015

    APM doesn't by default remove application cookies. The issue may be that at the moment the application is sending the cookie to the client that APM is doing something preemptive. I'm guessing the application only sends the JSESSIONID cookie once at the beginning of the session. Are you doing APM Forms-based SSO to the server? You may need to do a client side capture of the JBOSS interaction without APM in the mix to see exactly how the application works and when things happen. So for example, if the application sends the JSESSIONID cookie after the successful form-based logon, APM shouldn't get in the way of that cookie getting all the way to the client. If somehow that cookie is sent before the user posts their credentials, then you might need to code something to preemptively go get it with APM before the logon is posted.

     

  • MDPF52_180608's avatar
    MDPF52_180608
    Icon for Nimbostratus rankNimbostratus
    Sep 11, 2015

    Hello Kevin,

    thanks for you reply. I think that maybe I will be able to apply the following workaround:

    • remove the HTTP auth event in the APM Policy
    • create iRule event (how I can apply the multiline option to my regexp? 😞

    when ACCESS_POLICY_AGENT_EVENT { switch [ACCESS::policy agent_id] { "AUTH" { create connection set server [connect -protocol TCP -timeout 100 -idle 5 -status conn_status xxx.xxx.xxx.xxx:80]

             create POST data
        set postdata "action=xxxn&username=[ACCESS::session data get session.logon.last.username]&password=[ACCESS::session data get session.logon.last.password]&submit=Login"

         create POST request
        set data "POST /test2 HTTP/1.1\r\nalogin_name: [ACCESS::session data get session.logon.last.username]\r\nContent-Length: [string length $postdata]\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n$postdata"

         send the request
        send -status send_status -timeout 300 $server $data

         receieve the response
        set resp [recv -status recv_status -timeout 1000 $server]

        set jsess  regexp (JSESSIONID=.*?\/chp2$) $resp
        log local0. "\$jsess: $jsess"

         create 2nd connection
        set server [connect -protocol TCP -timeout 100 -idle 5 -status conn_status xxx.xxx.xxx.xxx:80]

         create 2nd POST data
        set postdata2 "action=xxxn&username=[ACCESS::session data get session.logon.last.username]&password=[ACCESS::session data get session.logon.last.password]&submit=Login"

         create 2nd POST request
        set data2 "POST /test2 HTTP/1.1\r\nalogin_name: [ACCESS::session data get session.logon.last.username]\r\nCookie:$jsess\r\nContent-Length: [string length $postdata]\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n$postdata"

         send the 2nd request
        send -status send_status -timeout 300 $server $data

         receieve the 2nd response
        set resp [recv -status recv_status -timeout 1000 $server]



        }   
    }
}

    }

    Do you think that this will work ?

    Thanks in advance,

    M.