Forum Discussion

Andrea_Arquint's avatar
Andrea_Arquint
Icon for Nimbostratus rankNimbostratus
Apr 05, 2013

clientless irule

Hi,

 

I want to authenticate via APM a WebAPP but without the AuthForm from the APM in the middle.

 

 

So, I want to view directly the WebAPP Login Form but APM should save the cred to the session anyway.

 

Is that possible to build with an iRule? What do I have to do?

 

 

thanx

 

bb

 

application delivery
dev
devops
iRules

4 Replies

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Apr 05, 2013
    Can I assume from your request that you want to use the WebApp's login form, but then capture the credentials in the access policy? If so, you shouldn't need an iRule at all. Follow this section of the Configuration Guide for Access Policy Manager:

     

     

    Adding an external logon page

     

    http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-config-11-2-0/apm_config_general_actions.html195539

     

  • Andrea_Arquint's avatar
    Andrea_Arquint
    Icon for Nimbostratus rankNimbostratus
    Apr 08, 2013
    Posted By Kevin Stewart on 04/05/2013 09:53 AM

     

    Can I assume from your request that you want to use the WebApp's login form, but then capture the credentials in the access policy? If so, you shouldn't need an iRule at all. Follow this section of the Configuration Guide for Access Policy Manager:

     

     

    Adding an external logon page

     

    http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-config-11-2-0/apm_config_general_actions.html195539

     

    Hi Kevin

     

    Many thanx for your answer. With this solution you have to insert some code into the external login page. I don't want to do that.

     

    I'm looking for a solution without touching anything on the logon page itself.

     

    I think the must be something that intercepts the post that is sent to apm.

     

    I know there is a concept called clientless or somehow this way.

     

     

    Thanx bb

     

  • Andrea_Arquint's avatar
    Andrea_Arquint
    Icon for Nimbostratus rankNimbostratus
    Apr 09, 2013

    I found this stuff

     

     

    when HTTP_REQUEST {

     

    enable the clientless-mode so that users will not follow 302 used by APM

     

    HTTP::header replace "clientless-mode" 1

     

    On first request we send the 401 basic auth popup

     

    if { [HTTP::header Authorization] eq "" } {

     

    HTTP::respond 401 WWW-Authenticate "Basic realm=\"srv.example.com\"" Connection close

     

    return

     

    } else {

     

    Extract the username and password from the Authorization header in order to store them in session variables for APM authentication and SSO to back-end server

     

    set username [HTTP::username]

     

    set password [HTTP::password]

     

    }

     

    }

     

     

    But it does a basic auth first and will logically save the creds in the authorization header.

     

    But I'm lookign for a solution to intercept the form post request.

     

     

    Any help are kindly appreciated

     

    bb