Forum Discussion
MattUCG_59145
Nimbostratus
Aug 21, 2008
Automatic LDAP Login
My site is running Java System Directory Server with an ACL to control access to certain parts of the site. When users browse to those areas, a username/password dialog appears.
There is a certain customer who needs to be given access to any part of the site without logging in. Due to the fact that the http://username:password@website syntax is no longer valid, I am looking to create an iRule that will recognize a certain HTTP Referrer and when traffic comes from that referrer, a hard-coded username/password will be used to log the user into the protected area without displaying the login dialog.
Does anyone have any suggestions?
1 Reply
- hoolio
Cirrostratus
Hi there,
Considering the Referer header can easily be forged, I wouldn't suggest using such a methodology. If you can safely assume that if a person made a successful request to one page they can then access the other areas, you could define the required pages and then insert a cookie with an encrypted or random token as the value. On requests to the other areas where you want to insert the credentials, you could validate the cookie exists and then allow access.
You can define the URIs in a datagroup (called a class in the bigip.conf) and then check the requested URI using matchclass. If the criteria for allowing access to the restricted URIs are met, you can insert a cookie in the response using HTTP::cookie in the HTTP_RESPONSE event. You can generate the token using the HTTP::cookie encrypt or rand functions. If you used rand, you'd need to insert the token in the session table so you could validate subsequent requests.
If it's a specific group of users that need to use the http://username:password@website syntax, could you just tell them to type in the user/pass when they get a 401 prompt? Or could they make a registry change to re-enable this syntax (Click here)? Or are these users coming from a static IP range? If so, you could insert the credentials based on client IP address.
Aaron
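The cookie-token approach from the reply above, written out as an iRule; this is an added example, not code from the thread or from F5. The data group names `entry_uris_dg` and `restricted_uris_dg`, the cookie name `autologin_token` and the credential string are assumptions, and it uses the `class match` and `table` commands of later BIG-IP releases in place of `matchclass` and the session table mentioned in the reply.

```tcl
# Added example; data group names, cookie name and credentials are assumed.
when RULE_INIT {
    # Placeholder value, constructed for illustration only.
    set static::svc_cred "SERVICE_USER:SERVICE_PASSWORD"
    set static::token_ttl 1800   ;# seconds a token stays valid
}

when HTTP_REQUEST {
    set issue_token 0
    set path [string tolower [HTTP::path]]

    # Entry pages: a successful response here earns the client a token.
    if { [class match $path starts_with entry_uris_dg] } {
        set issue_token 1
        return
    }

    # Restricted areas: add credentials only for a token we issued
    # to this same client address. The Referer header is never consulted.
    if { [class match $path starts_with restricted_uris_dg]
         && [HTTP::cookie exists "autologin_token"] } {
        set token [HTTP::cookie value "autologin_token"]
        if { $token ne ""
             && [table lookup -subtable autologin $token] eq [IP::client_addr] } {
            HTTP::header replace Authorization \
                "Basic [b64encode $static::svc_cred]"
        }
    }
}

when HTTP_RESPONSE {
    if { $issue_token && [HTTP::status] == 200 } {
        # rand() is what the reply suggests; it is not a cryptographic
        # generator, so keep the lifetime short and serve the site over TLS.
        set token [format "%09d%09d%09d" [expr {int(rand()*1e9)}] \
            [expr {int(rand()*1e9)}] [expr {int(rand()*1e9)}]]
        # Key = token, value = client address, removed after token_ttl idle.
        table set -subtable autologin $token [IP::client_addr] $static::token_ttl
        HTTP::cookie insert name "autologin_token" value $token path "/"
        # On an HTTPS virtual server also run:
        #   HTTP::cookie secure "autologin_token" enable
    }
}
```

Because the table value is the client address, a token replayed from a different address does not match and the request falls through to the normal 401 prompt.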
