Forum Discussion

Damir_Kovacic_2's avatar
Icon for Nimbostratus rankNimbostratus
Apr 14, 2011

APM HTTP sessionless support for web services

I have a question how to support web services authentication over APM. I have managed to get basic authentication using iRule to do ACCESS::session insertion of username and password. However, I found out that after ACCESS_POLICY_COMPLETED, APM does another HTTP redirect (302) to /my.policy in order to set MRHSession cookie. Our XML-RPC client does not support advanced redirects. Is there a way to avoid that?


9 Replies

  • Did anyone ever answer this question? I would like to know if APM can secure web services.
  • kunjan's avatar
    Icon for Nimbostratus rankNimbostratus

    Seems like client less mode can meet your requirement.

    when HTTP_REQUEST {
        HTTP::header insert "clientless-mode" 1
  • We have been asked the same question at my company and we told them we would not create some hacked up, Frankenstein APM for them because no one would be able to support it. I really like having vacations so even though I could write an iRule to do that, I would be the only who could support it. Chances are that you would be in the same predicament.


    If you need to protect web services I would suggest limiting firewall access to the client IPs, client cert authentication via the LTM or telling the developer to write a secure app. You would enjoy your time off much more if you did.


  • Well, it has been three years since the original question. At that time (I think that the actual version was 10.1), APM simply had to work with cookies. We ended up patching the client and the server side to support cookies and redirection. Then we hit the problem of performance (each login process took over 1000ms). So we simply dropped supporting web services over APM. I hope that was improved in the later versions.


  • Absolutely crazy that this wasn't answered sooner. As Kunjan alludes, clientless mode would indeed be a solution for web services authentication proxy with APM. The idea behind clientless mode, which I do believe was available in v10, is to disable the APM session redirects. In a normal APM session, the first request is met with a redirect to /my.policy and a Set-Cookie with the initial MRHSession token. Subsequent requests bounce back and forth between the client and APM while the visual policy is being evaluated. At the end of that evaluation, the session is marked "allow" and a final redirect sends the client back to the originally-requested URI. Clientless mode not only disables these book-ended redirects, but also injects the session token in the first response from the server/application. This does have a few implications though. First and foremost, you cannot use any agents that interrupt the flow of traffic, like a message box or logon form. This shouldn't be an issue with web services, but something to keep in mind nonetheless. Second, APM is still going to send back a session cookie so that subsequent requests don't require VPE evaluation. If the web services agent does not support cookies, then each request will amount to a separate APM session. This can have implications in your APM concurrency limits. In a situation like this, you may want to consider lowering APM session idle time so that they don't stick around unnecessarily for the default 900 seconds. And finally, browser-based authentication is typically an interactive mechanism (logon page, credential entry, certificate selection, etc.), and APM is specifically designed to handle these types of authentication. In the absence of interaction though, like with a web services connection, you may necessarily need to alter the way APM collects identity and credential information, and that'll depend on how you're authenticating the web services agent.


  • I posted to this thread a year ago for a different reason, running webservice behind APM, now I'm back a year later because of a similar issue.


    I need to test some applications that are gated behind APM with SoapUI. The problem is it's impossible to script with all the redirects. I'm going to digest Kevin's post above and take another stab at over the weekend.


  • You could try to disable session id rotation:- tmsh modify sys db apm.rotatesessionid value disable I believe the session id is rotated for security reasons, but this is not always compatible with clients