Forum Discussion
ssenecal_87343
Nimbostratus
Nov 09, 2009
Authentication using a REST WebService
Does anyone know any trick to simulate HTTP::geturl in an HTTP_REQUEST event? I need to perform OpenSSO token validation in an iRule, but I can't figure out how to check the validity of an incoming token.
Below is what I am trying to do, but obviously the HTTP:geturl section doesn't compile. Any help would be appreciated!
Shaun
    when CLIENT_ACCEPTED {
        set forceauth 1
        set ckname iPlanetDirectoryPro
    }
    when HTTP_REQUEST {
        if {[HTTP::cookie exists $ckname]} {
            # verify the token is valid
            # (HTTP::geturl is not an iRule command; this is the line that does not compile)
            set resp [HTTP::geturl "https://opensso.server.com/opensso/identity/isTokenValid?tokenid=" [HTTP::cookie value $ckname]]
            if {$resp eq "boolean=true"} {
                set forceauth 0
            }
        }
        if {$forceauth eq 1} {
            # redirect the user to the OpenSSO server for authentication
            HTTP::respond 302 Location "https://opensso.server.com/opensso/UI/Login?goto=" [URI::encode HTTP::uri]
        }
    }
8 Replies
hoolio
Cirrostratus
You can use HTTP::retry to make a new HTTP request. Deb posted a helpful article on this a while back:
Conditioning iRule Logic on External Information - 1 - HTTP::retry
http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=105
Also, if you're trying to append the output from a command to a string, you should include the command inside the double quotes:
    HTTP::respond 302 Location "https://opensso.server.com/opensso/UI/Login?goto=[URI::encode [HTTP::uri]]"
Aaron
ssenecal_87343
Nimbostratus
Thanks! This looks like it should work just fine. Also, thanks for the tip on the strings as well. My TCL is more than rusty!
Shaun
ssenecal_87343
Nimbostratus
I have this implemented, and it's "starting" to work except that I am constantly getting LB_FAILED. I'm hoping someone can point me to some obvious things to check. Below is the relevant bit of the iRule
    when HTTP_REQUEST {
        log local0.debug "PolicyAgent: HTTP_REQUEST [HTTP::cookie count]"
        # $validate and $ckname are initialised elsewhere in the iRule (not shown in this excerpt)
        if {$validate eq 0} {
            log local0.debug "PolicyAgent: already validated"
            pool pool_dev_supportportal
        } elseif {[HTTP::cookie exists $ckname]} {
            log local0.debug "PolicyAgent: contains cookie"
            # if client hasn't already been validated, save the
            # request so we can replay it to the LB server later;
            set LB_request [HTTP::request]
            # inject lookup URI in place of original request;
            HTTP::uri "/opensso/identity/isTokenValid?tokenid=[HTTP::cookie value $ckname]"
            log local0.debug "PolicyAgent: URI: [HTTP::uri]"
            # and send the out-of-band validation query to the OpenSSO_pool.
            pool OpenSSO
        } else {
            log local0.debug "PolicyAgent: redirect to LoginUI"
            # this request doesn't even have a token to validate, so we need to redirect to the Login UI
            HTTP::respond 302 Location "http://server.com:8080/da/UI/Login?goto=[URI::encode "http://[HTTP::host][HTTP::uri]"]"
        }
    }
    when LB_FAILED {
        log local0.debug "PolicyAgent: LB failed for [LB::server] [LB::status]"
    }
/var/log/ltm:
    Nov 11 10:59:46 local/tmm debug tmm[2392]: Rule OpenSSO_Agent : PolicyAgent: HTTP_REQUEST 2
    Nov 11 10:59:46 local/tmm debug tmm[2392]: Rule OpenSSO_Agent : PolicyAgent: redirect to LoginUI
    Nov 11 10:59:52 local/tmm debug tmm[2392]: Rule OpenSSO_Agent : PolicyAgent: HTTP_REQUEST 3
    Nov 11 10:59:52 local/tmm debug tmm[2392]: Rule OpenSSO_Agent : PolicyAgent: contains cookie
    Nov 11 10:59:52 local/tmm debug tmm[2392]: Rule OpenSSO_Agent : PolicyAgent: URI: /opensso/identity/isTokenValid?tokenid="AQIC5wM2LY4SfcyJdxjZhvz0JwE+tUTi411T4JVDyeKyuFU=@AAJTSQACMDE="
    Nov 11 11:00:05 local/tmm debug tmm[2392]: Rule OpenSSO_Agent : PolicyAgent: LB failed for OpenSSO 172.24.16.45 8080 up
    Nov 11 11:00:05 local/tmm debug tmm[2392]: Rule OpenSSO_Agent : PolicyAgent: HTTP_REQUEST 3
    Nov 11 11:00:05 local/tmm debug tmm[2392]: Rule OpenSSO_Agent : PolicyAgent: contains cookie
    Nov 11 11:00:05 local/tmm debug tmm[2392]: Rule OpenSSO_Agent : PolicyAgent: URI: /opensso/identity/isTokenValid?tokenid="AQIC5wM2LY4SfcyJdxjZhvz0JwE+tUTi411T4JVDyeKyuFU=@AAJTSQACMDE="
    Nov 11 11:00:17 local/tmm debug tmm[2392]: Rule OpenSSO_Agent : PolicyAgent: LB failed for OpenSSO 172.24.16.45 8080 up
The bit that is failing is the "pool OpenSSO". Everything in that pool is marked as up, I am able to ping the pool members from the BIG-IP, and the LB::status indicates that everything is up. What else should I be checking to determine why I would receive LB_FAILED?
hoolio
Cirrostratus
As a test, you could try removing the iRule from the VIP and configuring the OpenSSO pool as the VIP's default pool. Once the load balancing to the OpenSSO pool is working, you could start testing the iRule again. If the OpenSSO pool members don't have LTM as their default gateway you would want to enable SNAT on the VIP to ensure the responses come back to LTM.
Aaron
ssenecal_87343
Nimbostratus
Thanks Aaron. That is exactly what we did last week and found out we had forgotten to assign an SNAT pool. Once that was done, things were working smoothly. Once I get everything working I will post the final iRule so that anyone else wanting to authenticate traffic against OpenSSO can use it.
hoolio
Cirrostratus
Sounds good.
Thanks,
Aaron
ssenecal_87343
Nimbostratus
For anyone that is interested, I have posted my current version of the "F5 BIG-IP Policy Agent" at http://devcentral.f5.com/wiki/default.aspx/iRules/OpenSSO_authentication.html. It merely ensures that incoming HTTP traffic has been authenticated against the OpenSSO server before passing the request on.
If you find any bugs or know how to optimize it, I would love to hear about it.
hoolio
Cirrostratus
That's a nice addition. Thanks for posting it.
Aaron
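The thread shows only the request side of the HTTP::retry pattern; the response side, where the isTokenValid answer is inspected and the saved request is replayed, is left to Deb's article and to Shaun's wiki post, neither of which is reproduced here. The iRule below is an added example written for this page, not Shaun's posted agent and not hoolio's code. It reuses the pool names, cookie name, login URL and OpenSSO path from the thread; everything else is an assumption for illustration: that the OpenSSO pool members speak plain HTTP, that isTokenValid answers 200 with a body of exactly `boolean=true` or `boolean=false`, and that the cookie value may arrive wrapped in double quotes, as the tokenid in Shaun's log shows, so it is trimmed and URI-encoded before being put in the query string.

```tcl
# Added example: OpenSSO "policy agent" iRule using the HTTP::retry pattern.
# Pool, cookie, host and path names are taken from the thread or assumed for
# illustration; adjust them to your environment.

when CLIENT_ACCEPTED {
    # Per-connection state: 1 = token not yet validated on this TCP connection
    set validate 1
    set ckname "iPlanetDirectoryPro"
    set LB_request ""
    set orig_url ""
    set app_pool "pool_dev_supportportal"
    set sso_pool "OpenSSO"
    set sso_host "opensso.server.com"
    set login_url "http://server.com:8080/da/UI/Login"
}

when HTTP_REQUEST {
    if { $validate == 0 } {
        # Already validated on this connection: pass straight through
        pool $app_pool
        return
    }
    # Remember where the client wanted to go before the URI is rewritten
    set orig_url "http://[HTTP::host][HTTP::uri]"
    if { ![HTTP::cookie exists $ckname] } {
        # No token at all: send the user to the login page, carrying the
        # original URL in goto= so OpenSSO can return them afterwards
        HTTP::respond 302 Location "${login_url}?goto=[URI::encode $orig_url]"
        return
    }
    # Save the whole original request so it can be replayed after validation
    set LB_request [HTTP::request]
    # The cookie value may be quoted (assumed from the log in the thread); strip the
    # quotes and URI-encode, because the token contains '+' and '=' characters
    set token [string trim [HTTP::cookie value $ckname] "\""]
    HTTP::uri "/opensso/identity/isTokenValid?tokenid=[URI::encode $token]"
    HTTP::header replace Host $sso_host
    # Send the rewritten request out-of-band to the OpenSSO pool
    pool $sso_pool
}

when HTTP_RESPONSE {
    # Only responses to the validation query have a saved request waiting
    if { $LB_request ne "" } {
        if { [HTTP::header exists Content-Length] } {
            HTTP::collect [HTTP::header Content-Length]
        } else {
            # No length header: collect the whole (short) body
            HTTP::collect
        }
    }
}

when HTTP_RESPONSE_DATA {
    set body [string trim [HTTP::payload]]
    set request $LB_request
    set LB_request ""
    if { [HTTP::status] == 200 && $body eq "boolean=true" } {
        # Token is valid: mark this connection and replay the saved request
        # to the real application pool (HTTP::retry re-runs HTTP_REQUEST)
        set validate 0
        HTTP::retry $request
    } else {
        # Invalid or expired token, or an unexpected answer: force a fresh login
        HTTP::respond 302 Location "${login_url}?goto=[URI::encode $orig_url]"
    }
}
```

Two points to keep in mind when adapting this. First, as in Shaun's version, `validate` lives in CLIENT_ACCEPTED, so the token is checked once per TCP connection; with keep-alive, later requests on the same connection skip the check until the connection closes. If you need the token re-validated on every request, drop the flag and always go through the OpenSSO round-trip, or cache validated tokens with a short expiry instead. Second, the OpenSSO pool members must return traffic through the BIG-IP, which is exactly the SNAT point hoolio raised; without it the out-of-band request produces LB_FAILED just as in the log above.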