Forum Discussion
Attempting to incorporate IRule basic auth with an access policy
Here is my scenario:
Some web service clients might hit a particular URL. For the purpose of this question, let's say that is www.example.com/webserviceOne/one
When they hit this, Basic Authentication over HTTP should take the initial step in understanding which client is attempting to connect. Here is a working IRule that is able to parse the request:
when HTTP_REQUEST {
    if {[HTTP::username] eq "" || [HTTP::password] eq ""} {
        # No Basic credentials on this request: challenge the client
        HTTP::respond 401 WWW-Authenticate "Basic realm=\"EXAMPLE\""
        return
    } else {
        # Hand the parsed credentials to the access policy
        ACCESS::session data set "session.logon.last.username" [HTTP::username]
        ACCESS::session data set "session.logon.last.password" [HTTP::password]
        log " username set to [ACCESS::session data get session.logon.last.username]"
        log " password set to [ACCESS::session data get session.logon.last.password]"
    }
}
Note, this occurs for each HTTP request.
My APM looks as follows, where the policy should use the set username and password for AD Authentication.
As expected, when I do not provide credentials for Basic Auth, I cannot move forward. However, when I do provide some credentials, the issue I am having is that the "AD auth failed" stage is always reached. Examining the logs has also shown me that the log statements I print out above come back empty, which might be part of the issue here.
On a side note, I have set up an alternative virtual server, which uses a login form instead of iRule basic auth, and using the same credentials, I can get past the AD Auth stage.
Any ideas as to what I am doing wrong?
2 Replies
I solved my problem by using
when ACCESS_SESSION_STARTED
instead of
when HTTP_REQUEST
My IRule looks like this:
when ACCESS_SESSION_STARTED {
    if {[HTTP::username] eq "" || [HTTP::password] eq ""} {
        ACCESS::respond 401 WWW-Authenticate "Basic realm=\"EXAMPLE\""
        return
    } else {
        ACCESS::session data set "session.logon.last.username" [HTTP::username]
        ACCESS::session data set "session.logon.last.password" [HTTP::password]
    }
}
- Lucas_Thompson_Historic F5 Account
APM does have most of this functionality built-in, so you don't really need to write it from scratch like you did. To solve it you can either do it like you're doing or use "Clientless Mode" and "401 Response" as mentioned in the other thread you posted.
The reason your authentication is not working is that you have to set the password variable in an encrypted way because "AD Auth" will try to decrypt it.
Instead of:
ACCESS::session data set "session.logon.last.password" [HTTP::password]
use
ACCESS::session data set -secure "session.logon.last.password" [HTTP::password]
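The following iRule is an added example, not code posted in this thread or taken from F5's documentation. It folds the two replies together: it runs in ACCESS_SESSION_STARTED (first reply), stores the password with -secure so the AD Auth agent can decrypt it (second reply), and additionally restricts the Basic challenge to the web service path from the question and logs only the username, since the original rule wrote the cleartext password to the LTM log. It assumes the path /webserviceOne/one from the question, that HTTP::path is readable in ACCESS_SESSION_STARTED the same way HTTP::username is, and that the access policy's AD Auth agent reads session.logon.last.username and session.logon.last.password.

```tcl
# Added example; not the thread's own iRule.
# Assumptions: path /webserviceOne/one (from the question), HTTP::path usable
# in ACCESS_SESSION_STARTED, and an AD Auth agent reading the two session vars.
when ACCESS_SESSION_STARTED {
    # Only the web service path is handled with HTTP Basic; any other path
    # falls through to whatever logon method the access policy presents.
    if { [string tolower [HTTP::path]] ne "/webserviceone/one" } {
        return
    }

    if { [HTTP::username] eq "" || [HTTP::password] eq "" } {
        # No Basic credentials yet: challenge the client and stop this attempt.
        ACCESS::respond 401 WWW-Authenticate "Basic realm=\"EXAMPLE\""
        return
    }

    # Username can be stored in the clear.
    ACCESS::session data set "session.logon.last.username" [HTTP::username]

    # -secure stores the value encrypted, which is the form the AD Auth
    # agent expects when it reads session.logon.last.password.
    ACCESS::session data set -secure "session.logon.last.password" [HTTP::password]

    # Log the username only; the password must not land in /var/log/ltm.
    log local0. "Basic auth username set to [HTTP::username] for [HTTP::path]"
}
```

The path check is lower-cased before comparison so that a client sending /WebServiceOne/One is treated the same as one sending the canonical spelling; drop that check if every request on this virtual server should use Basic authentication.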