Forum Discussion
Clientless mode redirects on Deny
Hi!
I'm writing an access policy for a legacy webservice. Existing clients authenticate with Basic auth and can't follow redirects. To avoid redirects I enabled clientless mode:
    when HTTP_REQUEST {
        HTTP::header insert "clientless-mode" 1
    }
I then grab HTTP::username and HTTP::password in an iRule, populate the relevant session parameters, and do my authentication and other stuff. So far so good.
But I run into trouble when trying to handle failed authentications. If I route to a standard Deny ending I get a 302 redirect to an error page (even in clientless mode).
My legacy clients expect a 401 response with a nice error message page. How to do this?
- I have tried to customise the Deny ending, but can't find a setting to override the HTTP response code
- I have tried adding an iRule and doing HTTP::respond 401. But HTTP::respond doesn't work properly inside an ACCESS_POLICY_AGENT_EVENT event. (I get a response with no HTTP response code and the error SSL read: error:00000000:lib(0):func(0):reason(0), errno 10054)
- My Access policy is complex and involves several authentication methods, so I can't put HTTP::respond in an AUTH_FAILURE event.
1 Reply
- Ingebrigt_Maurs
Nimbostratus
I was able to solve this problem with something like this:
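    when ACCESS_POLICY_COMPLETED {
        set policy_result [ACCESS::policy result]
        switch $policy_result {
            "allow" {
                # Policy passed: let the request through untouched
            }
            "deny" {
                # Answer with a 401 instead of the Deny ending's redirect, then drop the session
                ACCESS::respond 401 content $static::actsync_401_http_body Connection close
                ACCESS::session remove
            }
            default {
                # Any other policy result is reported as 503
                ACCESS::respond 503 content $static::actsync_503_http_body Connection close
                ACCESS::session remove
            }
        }
    }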
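Added example (not part of the original posts, and not F5 code): a client-side check, in Python, that a failed Basic-auth request gets the 401 the legacy clients expect rather than the 302 from the Deny ending. It also flags a 401 that lacks the WWW-Authenticate header RFC 7235 requires; the stub server, the credentials and the `/error.example` path are constructed for the demonstration, and `probe` can be pointed at a real virtual server instead.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def check_deny_response(status, headers):
    """List what would break a Basic-auth client that cannot follow redirects."""
    found = {name.lower(): value for name, value in headers}
    if 300 <= status < 400:
        return [f"redirect {status} to {found.get('location', '?')}"]
    if status != 401:
        return [f"expected 401, got {status}"]
    if "www-authenticate" not in found:
        return ["401 without WWW-Authenticate challenge"]
    return []

def probe(host, port, user, password, path="/", tls=False):
    """Send one request with Basic credentials; http.client never follows redirects."""
    cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=5)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    try:
        conn.request("GET", path, headers={"Authorization": f"Basic {token}"})
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheaders()
    finally:
        conn.close()

def run_case(status, extra_headers):
    """Probe a constructed stub that answers every request like a failed logon."""
    class Stub(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(status)
            for name, value in extra_headers:
                self.send_header(name, value)
            self.send_header("Content-Length", "0")
            self.end_headers()
        def log_message(self, *args):  # keep the demo output quiet
            pass
    server = HTTPServer(("127.0.0.1", 0), Stub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_deny_response(*probe("127.0.0.1", server.server_port, "user", "wrong"))
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_case(302, [("Location", "/error.example")]))  # Deny ending behaviour
    print(run_case(401, [("WWW-Authenticate", 'Basic realm="legacy"')]))
```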