Disable HTTP 302 Found redirect for B2B use case
Our use case is a B2B REST API and generally no user access via a browser except for testing. We are using TLS 1.2 Mutual Authentication (MA). An HTTP 302 Found including a set of cookies is returned after a successful TLS negotiation. A browser (at least Chrome and Firefox) or Postman deal with the redirect seamlessly, returning part of the cookie in the client request. From a test user experience point of view it all works and the REST API is accessible (the redirect is not visible).
However, when a non-browser (let's for argument's sake say Java) based request is used, the HTTP 302 Found needs to be explicitly dealt with, which creates complexity that I am hoping is unnecessary for B2B.
Is the redirect configurable? Can it be disabled? Possibly in an iRule or Access Policy?
Hi Tony,
APM supports a clientless-mode to allow transparent authentication (without triggering the HTTP redirect to /my.policy). You may check out APM Operations Guide and search for "Clientless mode" to get an overview of this feature...
BIG-IP APM Operations Guide
Keep in mind that APM's clientless-mode still depends on an APM session cookie, to authenticate subsequent requests after authentication. In client-less mode the cookie will be issued on the very first application server response.
If your user-agent does not support cookies, you have to develop an [ACCESS::user] based iRule in front of APM, that uses certain certificate information as the session.user.uuid value to locate existing APM sessions for the currently connected user and to finally inject the APM session cookie to the ongoing request.
Wiki: ACCESS::user
https://devcentral.f5.com/wiki/iRules.ACCESS__user.ashx
Cheers, Kai