For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

vmunier_96939's avatar
vmunier_96939
Icon for Nimbostratus rankNimbostratus
Oct 23, 2013

APM authentication only for some urls

Hi, I have one virtual server defined in LTM. (https://webmail.mycompgny.com) I would like to use APM to authenticate users accessing to my virtual server, but only for some URLs (https://webmail.mycompgny.com/EspacePersonnel/....). Others url must be accessible whitout authentication. I don't know really how to do that. I have tried to insert an access policy agent event to set a custom session variable based on the requested uri:

 

 

For this irules event, i have defined 2 branches: if Needauthentication ==0 so final action is ALLOW (no authentication):

 

The problem i see is the HTTP::uri in ACCESS_POLICY_AGENT_EVENT is "/renderer/agent_irule_event_form.eui" and not the original requested uri. Is it possible to retrieve the original requested uri from an ACCESS_POLICY_AGENT_EVENT ?

 

Maybe there is another method to do that? I would kike to avoid create another webservice only for unauthenticated url. If you have any idea? Thanks .

 

application delivery
design
devops
iRules

5 Replies

  • vmunier_96939's avatar
    vmunier_96939
    Icon for Nimbostratus rankNimbostratus
    Oct 23, 2013
    Hi, I have just find the variable {session.server.landinguri} so i can't now check the requested url to redirect or no to the external logon page. But a have a second problem: If the first requested url is "public" (not a protected url), i am allowed to acces it (it's good) but i'm also allowed for all the next requested url, even those in the protected folder (/EspacePersonnel/...)... I think I really have not used the right way to do it...
  • Matt_Dierick's avatar
    Matt_Dierick
    Icon for Employee rankEmployee
    Oct 23, 2013

    Hi, there is a box LandingURI, simpler than an irule, and you can set the right authentication steps just after. For ie, /public --> no auth. Else AD auth.

     

    Now, when user is granted, you want to allow only a part of the tree, correct ? In that case, you need to set ACL and assign ACL to the right branch.

     

    By default, when APM session is granted, all resources are allowed. You need to set ACL L7.

     

    En espérant que cela vous aide ;-)

     

    Matt

     

  • vmunier_96939's avatar
    vmunier_96939
    Icon for Nimbostratus rankNimbostratus
    Oct 24, 2013

    Hi Matt, Thanks you for your advices. I'll try it. I have also find another way to authenticate the user only for some urls: with an very simple irules linked to my web service: when HTTP_REQUEST {

     

    Authenticate only for the /private folder:

    if {[HTTP::path] starts_with "/private"} { ACCESS::enable } else { ACCESS::disable } } It's working good for my needs.

     

  • Hen_Sirawy's avatar
    Hen_Sirawy
    Icon for Nimbostratus rankNimbostratus
    Jan 08, 2020

    How can I set it?

    I want to disable authentication for a specific url.

  • Abed_AL-R's avatar
    Abed_AL-R
    Icon for Cirrostratus rankCirrostratus
    Dec 10, 2020

    Has anyone tried this on OWA iapp template 1.6.2 when its working with APM access policy?