Check Authorization / WWW-Authenticate headers

Hi Erich,

I'm not sure if I got every detail of your explanation, but it looks like you are aiming for a simple "username" access-list/filter infront of the real server. Right?

Then you may try this code...

set userlist "foo bar"
catch HTTP::username username
if { [lsearch $userlist $username] equals -1 } then { 
    ACCESS::session remove 
    HTTP::respond 401 content "Authentication Required" \
                     "Content-Type" "text/html" \
                     "WWW-Authenticate" "Basic realm=\"[HTTP::host]\""
    return
}

BTW: If your application doesn't even send an error code 401 on allowed username but wrong passwords, then you have to provide additional information about the HTTP::response the server is sending.

Cheers, Kai

I am not looking to filter before the server, but after. If I enter an incorrect user/pass, I don't even get prompted to re-enter it. It just goes to the Access Denied.

It's not an error. I am returning the Access is Denied to the client in an HTTP::respond. The Authorization header is sent with the request and the WWW-Authenticate header is sent in the response. I am not looking to overwrite/replace the server response, I am looking to check that the user that is successfully authenticated by the server matches a username in a list that I provide. It seems like I cannot do both.

Erich,

Do you want to block if the user provide a wrong password and is prompted again by the server?

when HTTP_REQUEST {
    if {[catch {set username [HTTP::username] }]} { set username ""}
    if { $username ne ""} { 
        set user_provided 1
    } else {
        set user_provided 0
    }

}

when HTTP_RESPONSE {
  if { ([HTTP::status] eq "401") && ($user_provided) } { HTTP::respond 403 content "Access is Denied!" }
}

OK,

Tell me if I am wrong:

• you have a list of authorized users: userlist
• if a user try to authenticate with a user in the userlist, he will be able to authenticate to backend server
• if the user is not in the userlist, he will receive a block page from BigIP

What is the expected behavior if the user does not provide any authentication header (default mode of the first request from a browser)

I only check if the user matches if the Authorization header is not "". However, even when the user enters an incorrect user and/or password, the Authorization header is set. But if this user and/or pass is incorrect (server auth), I want it to prompt again. Right now, it does not because the Authorization header is set.

I have been trying to explain it, but maybe because I have been deep into this, I am not doing a great job of it. I'll try again.

It is a regular web server, 401, Authorization, WWW-Authenticate headers intact.

I am looking to check the user credentials (entered into the browser via 401 challenge) and check that value against a list. That works fine right now. However, I cannot get it to respect the server's response (WWW-Authenticate). I need to be able to continue to prompt the user for creds when they are not correct (as far as Basic Auth is concerned).

My problem is that the WWW-Authenticate comes back on the response side and I am checking the Authorization header on the request side.

Does this irule do what you want?

when HTTP_REQUEST {
    if {[catch {set username [HTTP::username] }]} { set username ""}
    if { ($username ne "") && ([lsearch $userlist $username] equals -1 )} { HTTP::respond 403 content "Access is Denied!" }   
}

when HTTP_RESPONSE {
  if { ([HTTP::status] eq "401") && !([HTTP::header WWW-Authenticate] contains "Basic") } { HTTP::respond 403 content "Access is Denied!" }
}

Erich,

in your irule, replace the code:

set basicuserid [string tolower [getfield [b64decode [lindex [HTTP::header Authorization] 1]] ":" 1]]

with:

if {[catch {set basicuserid [HTTP::username] }]} { set basicuserid ""}

It does the same thing but with the F5 header.