APM session username/password vars not copied in from iRule? Not showing in session report, and auth always fails
Thank you, Amit - adding the "ACCESS::restrict_irule_events disable" didn't have any effect (in and of itself, but I left it in for your 2nd part, just in case).
I think I may be running into security restrictions on setting session.logon.last.password (discussed here). I did your part 2 (though the HTTP:: vars weren't accessible in ACCESS_POLICY_AGENT_EVENT, so I had to create iRule vars in ACCESS_SESSION_STARTED and copied from those). Then in the policy, I have a var assignment agent to copy those session.custom.username/password vars to session.logon.last.username/password. That gets me farther - the LocalDB auth agent at least checks the correct userid now. BUT - the password value appears not to have been assigned. The password check always fails.
In the session report, I get an error msg like:
LOCALDB agent: (logon attempt:0) authenticate with '$CK$8JkcxNSl$6pu1Rjb3KxeNCSl7TmYsdQ==' failed
I'm not sure what that hash is ... but I do know I'm entering the correct password, and in the iRule that password is correctly present in the iRule var that I assign to session.custom.password.
Hmm. Did something change in recent versions in session variable security protections or something?
- daboochmeister (Nov 20, 2014, Cirrus): That link should be: https://devcentral.f5.com/s/feed/0D51T00006i7LsPSAU
- Amit_Karnik_269 (Nov 21, 2014, Nimbostratus): Indeed that has changed; to access secure variables you have to use the -secure flag: ACCESS::session data get -secure. Even then I think it may not allow you to set session.logon.last.password. What is your final intent? If you want to do an SSO assignment, you could do a variable assign to a new variable, let's say session.logon.last.newpassword, and then use that. Remember to mark it as secure, otherwise the password is visible in reports and such.
- daboochmeister (Nov 21, 2014, Cirrus): Intent is to use basic authentication against a local user db for a web service, in clientless mode, since the web service clients may not support the standard APM session redirections. I just need some way to feed the HTTP::password, plucked from the Authorization header, into the Local DB auth agent. It sounds like this used to be easy, just do the stuff I've tried. Does anyone have such a scheme working on 11.5.1 or later?