Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

bfrancom_123272's avatar
bfrancom_123272
Icon for Nimbostratus rankNimbostratus
Sep 25, 2015

APM Issue Injecting New Authorization Header

I have a policy that uses an Active Directory Authentication, then an Active Directory Query for client authorization. The server side is "dumb." It uses basic auth for authentication. So I inject a ...
BIG-IP Access Policy Manager (APM)
design
devops
security
stan_piron's avatar
stan_piron
Icon for Cumulonimbus rankCumulonimbus
Oct 26, 2016

Hi,

I think the problem with your configuration is that password was not stored with secure flag.

If you want to only support Basic authentication for clientside, use the following irule with a Policy that contains Logon page and LDAP Auth:

when RULE_INIT {
   set static::Basic_Realm_Text "Authentication Required"
   set static::sso(username) "foo"
   set static::sso(password) "bar"
}
when HTTP_REQUEST {
    if { ! [ info exists SP_PROFILE_RESTRICT_SINGLE_IP ] } {
        set SP_PROFILE_RESTRICT_SINGLE_IP        [PROFILE::access restrict_to_single_client_ip]
    } 
    if { ( [set sessionid [HTTP::cookie value "MRHSession"]] ne "" ) and ( [ACCESS::session exists -state_allow $sessionid] ) } then {
         Allow the successfully pre authenticated request to pass
        return
    } else {
        if { [ string match -nocase {basic *} [HTTP::header Authorization] ] == 1 } {
            set clientless(insert_mode) 1
            set clientless(src_ip)      [IP::remote_addr]
            set clientless(username)    [ string tolower [HTTP::username] ]
            set clientless(password)    [HTTP::password]
            if { $SP_PROFILE_RESTRICT_SINGLE_IP == 0 } {
                binary scan [md5 "$clientless(password)"] H* clientless(hash)
            } else {
                binary scan [md5 "$clientless(password)$clientless(src_ip)"] H* clientless(hash)
            }
            set user_key "$clientless(username).$clientless(hash)"
            set clientless(cookie_list)             [ ACCESS::user getsid $user_key ]
            if { [ llength $clientless(cookie_list) ] != 0 } {
               set clientless(cookie) [ ACCESS::user getkey [ lindex $clientless(cookie_list) 0 ] ]
               if { $clientless(cookie) != "" } {
                  HTTP::cookie insert name MRHSession value $clientless(cookie)
                  set clientless(insert_mode) 0
               }
           }
           if { $clientless(insert_mode) } {
               HTTP::header insert "clientless-mode" 1
               HTTP::header insert "username" $clientless(username)
               HTTP::header insert "password" $clientless(password)
           }
           unset clientless
        }
    }
}

when ACCESS_SESSION_STARTED {
    if { [ info exists user_key ] } {
        ACCESS::session data set "session.user.uuid" $user_key
    }
}

when ACCESS_POLICY_COMPLETED {
    if { ([info exists "clientless_mode"]) && ($clientless_mode) && ([ACCESS::policy result] equals "deny") } {
        ACCESS::respond 401 noserver WWW-Authenticate "Basic realm=\"$static::Basic_Realm_Text\"" Connection close
        ACCESS::session remove
    } else    if { ([ACCESS::policy result] equals "allow") } {
        ACCESS::session data set "session.sso.token.last.username" $static::sso(username)
        ACCESS::session data set -secure "session.sso.token.last.password" $static::sso(password)
    }
}

this irule will manage user basic authentication and SSO credential mapping with dummy username and password.