Forum Discussion
HTML form authentication using BIGIP local database
Hi

I would like to use an HTML form to do authentication and compare the username and password to a data group in the BIGIP, but it seems that when I enter the username or password, it is not retrieved and compared to the value in the data group. The idea is that when I type the URL, it will redirect to the login HTML form page, then the value inserted should be retrieved, but it is not working. Any idea why it is not working from the code? I am thinking that it is probably because the POST from the HTML form has no action to be performed. I have referred to some other article regarding this and this is what I got so far. The HTML form is just an HTTP::respond giving the HTML form when a certain URL is typed in.
```tcl
when HTTP_REQUEST_DATA {
    set namevals [split [HTTP::payload] "&"]
    set [HTTP::username] username
    set [HTTP::password] password
    set auth_id 1
    # Break out the POST data for username and password values
    for {set i 0} {$i < [llength $namevals]} {incr i} {
        set params [split [lindex $namevals $i] "="]
        if { [lindex $params 0] equals "username" } {
            set auth_username [lindex $params 1]
        }
        if { [lindex $params 0] equals "password" } {
            set auth_password [lindex $params 1]
        }
    }
    AUTH::username_credential $auth_id $username
    AUTH::password_credential $auth_id $password
    AUTH::authenticate $auth_id
    HTTP::collect
    if { [HTTP::username] eq "" or [HTTP::password] eq "" } {
        # Grab username and password from authorization header and compare
        if { $username || $password } {
            HTTP::respond 200 content "No username and password in Authorization header or Auth header missing."
        }
        # Next look in the datagroup called LocalUsers for the user. The value is a hex MD5 password. Compare the value in the datagroup to the value of HTTP::password to determine if this is valid.
        set password [class lookup "$username" test_local_user]
        if { $password eq "" } {
            if { $auth_id ==1 } { HTTP::respond 200 content "Auth failed for user [HTTP::username] \ and the value in the datagroup was [class lookup [HTTP::username] LocalUsers] "}
        } else {
            # Convert password to MD5 hash in hex
            binary scan [ md5 [$password]] H* hexhash
            if { $password } { log local0. "password MD5 = $hexhash" }
            if { $password eq $hexhash } {
                pool test_pool
                if { $auth_id } { HTTP::respond 200 content "Auth succeeded for user [HTTP::username] and the value in the datagroup was [class lookup [HTTP::username] LocalUsers] "}
                # Exit this event for this iRule to prevent sending a 401 below
                return
            }
        }
    }
    HTTP::respond 401 content "Error:Authentication Failure" WWW-Authenticate "Basic realm=\"local.loc\""
}
```

1 Reply
HTTP_REQUEST_DATA is triggered only when you have something similar in your iRule:

```tcl
# Collect a request payload
when HTTP_REQUEST {
    if {[HTTP::method] eq "POST"} {
        # Trigger collection for up to 1MB of data
        if {[HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 1048576} {
            set content_length [HTTP::header "Content-Length"]
        } else {
            set content_length 1048576
        }
        # Check if $content_length is not set to 0
        if { $content_length > 0} {
            HTTP::collect $content_length
        }
    }
}
when HTTP_REQUEST_DATA {
    # do stuff with the payload
    set payload [HTTP::payload]
}
```

You can find useful information here: https://devcentral.f5.com/wiki/iRules.HTTP__collect.ashx
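The reply's point applied to the question's data-group check, as an added example that is not code from either poster or from F5: the form is served on GET, the POST body is collected in HTTP_REQUEST, and the credentials are compared in HTTP_REQUEST_DATA. The `/login` path, the 4096-byte cap and the response texts are assumptions; `test_local_user` is the data group named in the question, assumed to map each username to the hex MD5 of its password.

```tcl
# Added example; /login and the 4096-byte cap are assumptions.
when HTTP_REQUEST {
    if { [HTTP::path] ne "/login" } { return }
    if { [HTTP::method] ne "POST" } {
        # Serve the form; its action posts back to the same path.
        HTTP::respond 200 content {<form method="POST" action="/login">
<input name="username"><input type="password" name="password">
<input type="submit" value="Log in"></form>} "Content-Type" "text/html"
        return
    }
    # HTTP_REQUEST_DATA only fires after HTTP::collect is called here.
    set len [HTTP::header "Content-Length"]
    if { $len eq "" || $len == 0 || $len > 4096 } {
        HTTP::respond 400 content "Bad login request"
        return
    }
    HTTP::collect $len
}

when HTTP_REQUEST_DATA {
    # Read the urlencoded body as if it were a query string, then decode
    # "+" and %XX so the values match what the user typed.
    set body "?[HTTP::payload]"
    set user [URI::decode [string map {+ " "} [URI::query $body username]]]
    set pass [URI::decode [string map {+ " "} [URI::query $body password]]]

    # test_local_user: username := hex MD5 of the password (from the thread).
    set stored [class lookup $user test_local_user]
    binary scan [md5 $pass] H* hexhash

    if { $user ne "" && $stored ne "" && [string equal -nocase $stored $hexhash] } {
        HTTP::respond 200 content "Auth succeeded"
    } else {
        # One response for unknown user and wrong password; the hash is
        # neither logged nor echoed back.
        log local0. "form login failed from [IP::client_addr]"
        HTTP::respond 401 content "Authentication failure"
    }
}
```

A successful POST here only returns a response; keeping the user authenticated on later requests needs a session mechanism such as a cookie, which this example leaves out. Unsalted MD5 is used only because that is what the question's data group holds, and it is fast to brute-force if the data group contents are exposed.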