Forum Discussion
bfrancom_123272
Sep 25, 2015 (Nimbostratus)
APM Issue Injecting New Authorization Header
I have a policy that uses an Active Directory Authentication, then an Active Directory Query for client authorization.
The server side is "dumb." It uses basic auth for authentication. So I inject a ...
Stanislas_Piro2
Oct 26, 2016 (Cumulonimbus)
Hi,
I think the problem with your configuration is that the password was not stored with the secure flag.
If you want to only support Basic authentication for clientside, use the following iRule with a Policy that contains Logon page and LDAP Auth:
```tcl
when RULE_INIT {
    set static::Basic_Realm_Text "Authentication Required"
    # Placeholder SSO credentials mapped into the session for the back-end
    set static::sso(username) "foo"
    set static::sso(password) "bar"
}
when HTTP_REQUEST {
    if { ! [ info exists SP_PROFILE_RESTRICT_SINGLE_IP ] } {
        set SP_PROFILE_RESTRICT_SINGLE_IP [PROFILE::access restrict_to_single_client_ip]
    }
    if { ( [set sessionid [HTTP::cookie value "MRHSession"]] ne "" ) and ( [ACCESS::session exists -state_allow $sessionid] ) } then {
        # Allow the successfully pre-authenticated request to pass
        return
    } else {
        if { [ string match -nocase {basic *} [HTTP::header Authorization] ] == 1 } {
            set clientless(insert_mode) 1
            set clientless(src_ip) [IP::remote_addr]
            set clientless(username) [ string tolower [HTTP::username] ]
            set clientless(password) [HTTP::password]
            # Build the per-user session key: username + "." + MD5 of the password
            # (plus the client IP when the profile restricts sessions to one IP)
            if { $SP_PROFILE_RESTRICT_SINGLE_IP == 0 } {
                binary scan [md5 "$clientless(password)"] H* clientless(hash)
            } else {
                binary scan [md5 "$clientless(password)$clientless(src_ip)"] H* clientless(hash)
            }
            set user_key "$clientless(username).$clientless(hash)"
            # Reuse an existing session for the same key if there is one
            set clientless(cookie_list) [ ACCESS::user getsid $user_key ]
            if { [ llength $clientless(cookie_list) ] != 0 } {
                set clientless(cookie) [ ACCESS::user getkey [ lindex $clientless(cookie_list) 0 ] ]
                if { $clientless(cookie) != "" } {
                    HTTP::cookie insert name MRHSession value $clientless(cookie)
                    set clientless(insert_mode) 0
                }
            }
            # No session found: start the access policy in clientless mode
            if { $clientless(insert_mode) } {
                HTTP::header insert "clientless-mode" 1
                HTTP::header insert "username" $clientless(username)
                HTTP::header insert "password" $clientless(password)
            }
            # clientless_mode was tested in ACCESS_POLICY_COMPLETED but never set;
            # record here whether this request went to APM in clientless mode
            set clientless_mode $clientless(insert_mode)
            unset clientless
        }
    }
}
when ACCESS_SESSION_STARTED {
    if { [ info exists user_key ] } {
        ACCESS::session data set "session.user.uuid" $user_key
    }
}
when ACCESS_POLICY_COMPLETED {
    if { ([info exists "clientless_mode"]) && ($clientless_mode) && ([ACCESS::policy result] equals "deny") } {
        # Failed Basic authentication: ask the client for credentials again
        ACCESS::respond 401 noserver WWW-Authenticate "Basic realm=\"$static::Basic_Realm_Text\"" Connection close
        ACCESS::session remove
    } elseif { ([ACCESS::policy result] equals "allow") } {
        # Map the SSO credentials; the password is stored with the -secure flag
        ACCESS::session data set "session.sso.token.last.username" $static::sso(username)
        ACCESS::session data set -secure "session.sso.token.last.password" $static::sso(password)
    }
}
```
This iRule will manage user basic authentication and SSO credential mapping with dummy username and password.
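The session key the iRule above derives from the Basic credentials (the value it writes to `session.user.uuid`), modelled offline in Python as an added example that is not part of the original post or of F5's code. The function names are hypothetical, the sample header and secret are constructed, and `hmac_user_key` is an assumed alternative to the unkeyed MD5 of the password, not something the thread proposes.

```python
import base64
import hashlib
import hmac


def parse_basic(header):
    """Return (username, password) from an Authorization value, or None if unusable."""
    scheme, _, blob = header.strip().partition(" ")
    if scheme.lower() != "basic" or not blob.strip():
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers malformed base64 and invalid UTF-8
        return None
    username, sep, password = decoded.partition(":")  # password may contain ':'
    return (username, password) if sep else None


def md5_user_key(username, password, src_ip=None):
    """Same layout as the iRule: lower(username) + '.' + hex MD5(password [+ client IP])."""
    material = password + (src_ip or "")
    return f"{username.lower()}.{hashlib.md5(material.encode()).hexdigest()}"


def hmac_user_key(secret, username, password, src_ip=None):
    """Assumed alternative: keyed HMAC-SHA256, still deterministic per user/password/IP."""
    material = f"{password}\x00{src_ip or ''}".encode()
    digest = hmac.new(secret, material, hashlib.sha256).hexdigest()
    return f"{username.lower()}.{digest}"


def key_for_request(header, src_ip, restrict_to_single_ip):
    """Key the iRule would pass to ACCESS::user getsid, or None without Basic auth."""
    creds = parse_basic(header)
    if creds is None:
        return None
    return md5_user_key(*creds, src_ip if restrict_to_single_ip else None)


# Constructed sample request data (not from the original thread)
SAMPLE_HEADER = "Basic " + base64.b64encode(b"Alice:pa:ss").decode()

if __name__ == "__main__":
    print(key_for_request(SAMPLE_HEADER, "192.0.2.10", False))
    print(key_for_request(SAMPLE_HEADER, "192.0.2.10", True))
    print(hmac_user_key(b"constructed-secret", "Alice", "pa:ss", "192.0.2.10"))
```

With single-IP restriction off, the same credentials from any address resolve to one key and therefore one reusable session; with it on, each client address gets its own key.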