For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

sricharan61's avatar
sricharan61
Icon for Cirrus rankCirrus
Nov 13, 2019
Solved

How can i use an expression in an APM policy to look for a URI path and then set the branch rule accordingly

How can i use an expression in an APM policy to look for a URI path and then set the branch rule accordingly. I could probably setup the advanced resource assignment item and create a bunch of branch...
application delivery
BIG-IP
BIG-IP Access Policy Manager (APM)
  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Nov 15, 2019

    So URI condition matches... 

    /Common/AzureADB2BforInternalApps:Common:fdc12271: ./AccessPolicyProcessor/Session.h: 'getSessionVar()': 639: variable found, let's add it to the local cache "session.server.landinguri"="/soandso1/abc/"(length=28)

    and in TCL with && operator, second condition is evaluated only if first is successful 

    /Common/AzureADB2BforInternalApps:Common:fdc12271: ./AccessPolicyProcessor/Session.h: 'getSessionVar()': 610: variable "session.oauth.client./Common/AzureADB2BforInternalApps_act_oauth_client_ag.id_token.groups" was not found in the local cache for session "fdc12271"

    but this variable does not exists:

    /Common/AzureADB2BforInternalApps:Common:fdc12271: ./AccessPolicyProcessor/Session.h: 'getSessionVar()': 625: variable "session.oauth.client./Common/AzureADB2BforInternalApps_act_oauth_client_ag.id_token.groups" for session "fdc12271" was not found in MEMCACHED

    look in session variables the name of the expected variable... you may find a variable with "last" to replace the box name like:

    session.oauth.client.last.id_token.group
Stanislas_Piro2's avatar
Stanislas_Piro2
Icon for Cumulonimbus rankCumulonimbus
Nov 13, 2019

this is not correct syntax... except if your URI contains a star character...

expr {[mcget {session.server.landinguri}] starts_with "/SOANDSO1/" && [mcget {session.oauth.client./Common/AzureADB2B_act_ oauth_client_ag.id_token.groups}] contains "xxxxxxxx-xxxxx-xxxxx-xxxx-xxxxxxxxxxxx"}

when you configure branches, there is always a fallback branch for sessions not matching any branches.

  • sricharan61's avatar
    sricharan61
    Icon for Cirrus rankCirrus
    Nov 14, 2019

    I have tried this solution, the logs show the advanced resource assign trying to match these rules as well, but none of the rules are matched and ends up going to the fall back branch. I have made sure I am meeting all the requirements of URI condition and the group OID comming in. The logs show the OID for the mentioned group come in for the users request as well.

     

    Is the HTTP::URI supported to be used in an expression ? I am using this

     

    expr {[mcget {HTTP::URI}] starts_with "/SOANDSO1/" && [mcget {session.oauth.client./Common/AzureADB2B_act_ oauth_client_ag.id_token.groups}] contains "xxxxxxxx-xxxxx-xxxxx-xxxx-xxxxxxxxxxxx"}

     

    It looks like its not able to look for the URI at all.

    • Stanislas_Piro2's avatar
      Stanislas_Piro2
      Icon for Cumulonimbus rankCumulonimbus
      Nov 14, 2019

      Sorry,

       

      I saw the wildcard issue but not the HTTP::uri... ;)

       

      HTTP::uri is per request (only in irules) ... if you want the initial uri matching, you have to use : session.server.landinguri

       

      the code above is changed to match this.

       

      if the goal is to restrict URI after authentication, you must create ACL with /SOANDSO1/* in path, then assign this ACL in Advanced ressource assign object.