Forum Discussion
Jason_41583
Nimbostratus
May 12, 2013
APM authentication User ID changed by application query
Hello all.
I have kind of a strange situation that I am trying to sort out. We have an existing application that is going to use the APM for authentication but our problem is the existing a...
Jason_41583
Nimbostratus
Jun 11, 2013
Kevin,
Thanks for all of your help on this. I have one last issue with this deployment: the application team wants to use their login page hosted on the server the application is on. Is there a way to call their login page and perform the same lookup? I tried using the following, which needs help, but it does not seem to be getting called anyway; any guidance you have is greatly appreciated.
thanks,
Jason
Begin iRULE:
when HTTP_REQUEST {
    # Check the requested HTTP path
    switch -glob [string tolower [HTTP::path]] {
        "/api/*" -
        "api" -
        "/api/" {
            # Enable APM for these paths
            ACCESS::enable
        }
        default {
            # Disable APM for all other paths
            ACCESS::disable
        }
    }
    # Check for post requests to Login URI
    if { [HTTP::uri] starts_with "/api/security/Login" && [HTTP::method] eq "GET" } {
        # Collect up to 1Mb of request content
        if { [HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] < 1048577 } {
            set content_length [HTTP::header "Content-Length"]
        } else {
            set content_length 1048576
        }
        if { $content_length > 0 } {
            HTTP::collect $content_length
        }
    }
}
when HTTP_REQUEST_DATA {
    # Parse the username and password from the collected payload
    set SKlogin [HTTP::username]
    set password [HTTP::password]
    HTTP::release
}
when ACCESS_SESSION_STARTED {
    if { [info exists username] } {
        # get client login
        set SKlogin [ACCESS::session data get "session.logon.last.username"]
        # open the connection to SK-API
        set conn [connect -timeout 100 -idle 30 -status conn_status 172.19.16.100:5538]
        log local0. "Lookup Log: Connection returns $conn and status $conn_status "
        # request line, then headers, then a single blank line ends the request
        set req "GET /api/security/GetADUsername?skUsername=$SKlogin HTTP/1.0\r\nConnection: Close\r\n\r\n"
        log local0. "Request is: $req"
        set send_info [send -timeout 200 -status send_status $conn $req]
        log local0. "Send status is: $send_status"
        set recv_data [recv -timeout 200 -status recv_status $conn]
        log local0. "Receive status: $recv_status and data: $recv_data"
        # close the connection
        close $conn
        # find the payload after the response headers
        set SAM [findstr $recv_data "user=" 5 " "]
        # create a new access session variable with the payload data
        if { $SAM ne "" } {
            # Set a SamAccountName session variable to the value 'SAM'
            ACCESS::session data set session.temp.username [string trim $SAM]
            log local0. "SAM= $SAM"
            HTTP::header insert "X-USERNAME" $SAM
        }
    }
}
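The sideband lookup in the iRule above places the client-supplied login name directly into an HTTP request line and trusts whatever follows `user=` in the reply. As an added example (not part of the original post and not F5 code), these plain Tcl 8.4 procs build the request only for allowlisted names and accept the reply only on a 200 status with a well-formed value. The allowed character set, the 64-character limit and the `user=<name>` body format are assumptions.

```tcl
# Added example, not the poster's iRule. Plain Tcl 8.4, so the procs can be
# exercised in tclsh. The allowed username characters, the length limit and
# the "user=<name>" body format are assumptions.

# Return a well-formed HTTP/1.0 request, or "" if the login name is unsafe.
proc build_lookup_request {login} {
    # Allowlist: rejects CR/LF, spaces, '&', '#', '%' and anything else
    # that could alter the request line or add query parameters.
    if {![regexp {^[A-Za-z0-9._@-]{1,64}$} $login]} {
        return ""
    }
    set req "GET /api/security/GetADUsername?skUsername=$login HTTP/1.0\r\n"
    append req "Connection: close\r\n"
    append req "\r\n"
    return $req
}

# Return the mapped account name from a sideband response, or "".
proc parse_lookup_response {data} {
    # Require a 200 status line before trusting anything else.
    if {![regexp {^HTTP/1\.[01] 200 } $data]} {
        return ""
    }
    # The body starts after the first blank line.
    set split [string first "\r\n\r\n" $data]
    if {$split < 0} {
        return ""
    }
    set body [string range $data [expr {$split + 4}] end]
    # Accept only a value that is itself a plausible account name.
    if {![regexp {user=([A-Za-z0-9._-]{1,64})(?:[^A-Za-z0-9._-]|$)} $body -> sam]} {
        return ""
    }
    return $sam
}

# Constructed sample inputs.
set crlf_login "x HTTP/1.0\r\nX-Injected: 1"
set good_resp  "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nuser=jsmith \r\n"
set bad_resp   "HTTP/1.1 500 Error\r\n\r\nuser=jsmith "

puts [build_lookup_request "sk.jason"]
puts "crlf login rejected: [expr {[build_lookup_request $crlf_login] eq ""}]"
puts "good response -> '[parse_lookup_response $good_resp]'"
puts "bad response  -> '[parse_lookup_response $bad_resp]'"
```

In an iRule, an empty return from either proc is the signal to skip setting the session variable and the `X-USERNAME` header rather than forwarding an unvalidated value.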
