
Forum Discussion

Ryan_Lamore_804
Aug 13, 2013

Authenticated Sessions at the HTTP level for the iControl API (HTTP Headers?)

We're using i-Control-11.2's Interfaces object and doing some serious pounding of the system. BigIp has no trouble handling the load; however, we're going through a third party authentication/authorization application (TACACS+) which is having trouble keeping up.

 

Is there a way to maintain the Axis HTTP session once authenticated? I tried using the SOAP "session" header but that didn't work. I'm pretty sure that's more of an application-level session. I'm assuming the HTTP X-iControl-Session header will function the same way. I'm wondering if the BigIp web server will respect HTTP session authentication.

 

If anyone out there has any ideas, I'm open to trying them. We may be exploring pooling authenticated tcp connections with keep-alive. I'm really hoping there's a better solution.

 

3 Replies

  • Assuming your client making the call supports cookies. Many programmatic interfaces do not generally support cookie handling, so you would have to capture the returned cookie with your code and ensure you resend it in subsequent iControl requests for this to work.

     

  • George_Watkins_
    Historic F5 Account

    I believe the method you are looking for is called setMaintainSession. It is located on the Axis BindingStub objects. Setting it to true will perform the first authentication using HTTP basic auth, then will insert the BigIPAuthCookie (returned in the first response) in subsequent requests. The auth cookie should be checked before HTTP basic auth is attempted. Here is my test code, which is based upon the iControl JAR available on DevCentral (I also had to add the axis and axis-jaxrpc JARs to my CLASSPATH):

     

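    import iControl.*;

    public class AuthCookieTest {
        public static void main(String[] args) {
            iControl.Interfaces bigip = new iControl.Interfaces();
            // Test host and credentials; replace with your own.
            bigip.initialize("test-ltm-01", "admin", "admin");

            try {
                SystemSystemInfoBindingStub systemInfoStub = bigip.getSystemSystemInfo();
                // Keep the HTTP session: the first call authenticates with HTTP basic auth,
                // later calls on this stub send the returned BigIPAuthCookie.
                systemInfoStub.setMaintainSession(true);
                systemInfoStub.get_version(); // first call: basic auth
                systemInfoStub.get_version(); // second call: auth cookie reused
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }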

    That should cut down on the TACACS chattiness as only the first call will require a TACACS query for authentication. Let me know if that does the trick.

     

  • You're probably talking way over my head so this response will probably sound stupid but the first thing that comes to mind is a OneConnect profile. Could that be used in your situation to pool connections?
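
The manual cookie handling the first reply describes (capture the returned cookie, resend it on later requests), as an added example that is not part of the thread or of F5's code. A loopback stub constructed here checks `BigIPAuthCookie` before basic auth, as the second reply describes, and a counter stands in for TACACS+ queries; the class name, credentials and token value are assumptions.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.*;
import java.util.Base64;
import java.util.concurrent.atomic.AtomicInteger;

public class AuthCookieReuseDemo {
    // Constructed values: stub credentials and session token, not real BIG-IP data.
    static final String BASIC = "Basic " + Base64.getEncoder().encodeToString("demo-user:demo-pass".getBytes());
    static final String SESSION = "BigIPAuthCookie=constructed-token";
    static final AtomicInteger backendAuthCalls = new AtomicInteger(); // stands in for TACACS+ queries
    // Sends `calls` requests to the stub and returns how many reached the auth backend.
    static int run(URI uri, int calls, boolean resendCookie) throws Exception {
        backendAuthCalls.set(0);
        HttpClient client = HttpClient.newBuilder().version(HttpClient.Version.HTTP_1_1).build();
        String saved = null;
        for (int i = 0; i < calls; i++) {
            HttpRequest.Builder req = HttpRequest.newBuilder(uri).header("Authorization", BASIC);
            if (resendCookie && saved != null) req.header("Cookie", saved);
            HttpResponse<Void> resp = client.send(req.build(), HttpResponse.BodyHandlers.discarding());
            if (resp.statusCode() != 200) throw new IllegalStateException("HTTP " + resp.statusCode());
            // Keep only the name=value pair; attributes such as HttpOnly are not sent back.
            saved = resp.headers().firstValue("Set-Cookie").map(v -> v.split(";", 2)[0]).orElse(saved);
        }
        return backendAuthCalls.get();
    }

    public static void main(String[] args) throws Exception {
        // Loopback stub only: the cookie is a bearer credential, so real traffic belongs on TLS.
        HttpServer stub = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        stub.createContext("/", ex -> {
            boolean hasSession = SESSION.equals(ex.getRequestHeaders().getFirst("Cookie"));
            boolean basicOk = BASIC.equals(ex.getRequestHeaders().getFirst("Authorization"));
            if (!hasSession && basicOk) {
                backendAuthCalls.incrementAndGet(); // one simulated TACACS+ round trip
                ex.getResponseHeaders().add("Set-Cookie", SESSION + "; HttpOnly");
            }
            ex.sendResponseHeaders(hasSession || basicOk ? 200 : 401, -1);
            ex.close();
        });
        stub.start();
        URI uri = URI.create("http://127.0.0.1:" + stub.getAddress().getPort() + "/");
        System.out.println("backend auth calls, cookie resent:  " + run(uri, 5, true));
        System.out.println("backend auth calls, cookie dropped: " + run(uri, 5, false));
        stub.stop(0);
    }
}
```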