Cwong_134054
Aug 18, 2014

HTML form authentication using F5 local database

Hi

 

I would like to use an HTML form to do authentication and compare the username and password to a data group in the BIGIP, but it seems that when I enter the username or password, it is not retrieved and compared to the value in the data group. The idea is that when I type the URL, it will redirect to the login HTML form page, and then the value inserted should be retrieved, but it is not working. Any idea why it is not working from the code? I am thinking that it is probably because the POST from the HTML form has no action to be performed. I have referred to some other article regarding this, and this is what I have got so far.

 

    when HTTP_REQUEST {

    if { [HTTP::uri] equals "/"} {
HTTP::respond 200 content "

   
     
    
    
    




    when HTTP_REQUEST_DATA {

      set namevals [split [HTTP::payload] "&"]
      set [HTTP::username] username   
      set [HTTP::password] password    
    set auth_id  1
    # Break out the POST data for username and password values
    for {set i 0} {$i < [llength $namevals]} {incr i} {
        set params [split [lindex $namevals $i] "="]
        if { [lindex $params 0] equals "username" } {
        set auth_username [lindex $params 1]
        }
        if { [lindex $params 0] equals "password" } {
        set auth_password [lindex $params 1]
        }
    }
    AUTH::username_credential $auth_id $username
    AUTH::password_credential $auth_id $password
    AUTH::authenticate $auth_id
    HTTP::collect



    if { [HTTP::username] eq "" or [HTTP::password] eq "" } {
        # Grab username and password from authorization header and compare
        if { $username || $password } { 
            HTTP::respond 200 content  "No username and password in Authorization header or Auth header missing." 
            } 
    # Next look in the datagroup called LocalUsers for the user. The value is a hex MD5 password. Compare the value in the datagroup to the value of HTTP::password to determine if this is valid.
    set password [class lookup "$username" test_local_user] 
    if { $password eq "" } {
        if { $auth_id ==1 } { HTTP::respond 200 content  "Auth failed for user [HTTP::username] \ and the value in the datagroup was [class lookup [HTTP::username] LocalUsers] "} 
    } else {
        # Convert password to MD5 hash in hex
        binary scan [ md5 [$password]] H* hexhash 
        if { $password } { log local0. "password MD5 = $hexhash" } 
        if { $password eq $hexhash } { 
            pool test_pool
            if { $auth_id } { HTTP::respond 200 content "Auth succeeded for user [HTTP::username] and the value in the datagroup was [class lookup [HTTP::username] LocalUsers] "}
            # Exit this event for this iRule to prevent sending a 401 below
            return 
        } 
    } 
}
    HTTP::respond 401 content "Error:Authentication Failure" WWW-Authenticate "Basic realm=\"local.loc\""
    }

1 Reply

  • Repost

    when HTTP_REQUEST_DATA {
    
      set namevals [split [HTTP::payload] "&"]
      set [HTTP::username] username   
      set [HTTP::password] password    
      set auth_id  1
      # Break out the POST data for username and password values
     for {set i 0} {$i < [llength $namevals]} {incr i} {
        set params [split [lindex $namevals $i] "="]
        if { [lindex $params 0] equals "username" } {
          set auth_username [lindex $params 1]
        }
        if { [lindex $params 0] equals "password" } {
          set auth_password [lindex $params 1]
        }
      }
      AUTH::username_credential $auth_id $username
      AUTH::password_credential $auth_id $password
      AUTH::authenticate $auth_id
      HTTP::collect
    
    
    
    if { [HTTP::username] eq "" or [HTTP::password] eq "" } {
        # Grab username and password from authorization header and compare
        if { $username || $password } { 
            HTTP::respond 200 content  "No username and password in Authorization header or Auth header missing." 
            } 
        # Next look in the datagroup called LocalUsers for the user. The value is a hex MD5 password. Compare the value in the datagroup to the value of HTTP::password to determine if this is valid.
            set password [class lookup "$username" test_local_user] 
            if { $password eq "" } {
                if { $auth_id ==1 } { HTTP::respond 200 content  "Auth failed for user [HTTP::username] \ and the value in the datagroup was [class lookup [HTTP::username] LocalUsers] "} 
            } else {
                # Convert password to MD5 hash in hex
                binary scan [ md5 [$password]] H* hexhash 
                if { $password } { log local0. "password MD5 = $hexhash" } 
                if { $password eq $hexhash } { 
                    pool test_pool
                    if { $auth_id } { HTTP::respond 200 content "Auth succeeded for user [HTTP::username] and the value in the datagroup was [class lookup [HTTP::username] LocalUsers] "}
                    # Exit this event for this iRule to prevent sending a 401 below
                    return 
                } 
            } 
        }
    HTTP::respond 401 content "Error:Authentication Failure" WWW-Authenticate "Basic realm=\"local.loc\""
    }
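
A minimal form-login exchange of the kind the question describes, as an added example that is not the poster's code or F5's. It assumes a hypothetical `/login` form target and a string data group named `test_local_user` (name taken from the post) that maps each username to the lowercase hex MD5 of its password, the unsalted scheme the post uses; session tracking after a successful login is not shown.

```tcl
# Added example. Assumptions: /login path, data group test_local_user
# holding username -> lowercase hex MD5(password), as in the post.
when HTTP_REQUEST {
    if { [HTTP::method] eq "GET" and [HTTP::path] eq "/" } {
        # Serve the form; the action attribute makes the browser POST to /login
        HTTP::respond 200 content {<html><body>
<form method="POST" action="/login">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form></body></html>} "Content-Type" "text/html"
        return
    }
    if { [HTTP::method] eq "POST" and [HTTP::path] eq "/login" } {
        # The body is not available yet in HTTP_REQUEST: request it here,
        # capped at 1 KB, and parse it when HTTP_REQUEST_DATA fires
        set len [HTTP::header value "Content-Length"]
        if { ![string is integer -strict $len] || $len < 1 || $len > 1024 } {
            HTTP::respond 400 content "Bad request"
            return
        }
        HTTP::collect $len
    }
}

when HTTP_REQUEST_DATA {
    set user ""
    set pass ""
    # Break the form-encoded body into name=value pairs
    foreach pair [split [HTTP::payload] "&"] {
        set kv [split $pair "="]
        # Form encoding sends spaces as + and other characters as %XX
        set val [URI::decode [string map {+ " "} [lindex $kv 1]]]
        switch -- [lindex $kv 0] {
            "username" { set user $val }
            "password" { set pass $val }
        }
    }
    # Hash the submitted password and compare with the stored hex digest;
    # the password and its hash are never logged
    set stored [class lookup $user test_local_user]
    binary scan [md5 $pass] H* hexhash
    if { $user ne "" and $stored ne "" and [string tolower $stored] eq $hexhash } {
        HTTP::respond 200 content "Auth succeeded"
    } else {
        HTTP::respond 401 content "Error: Authentication Failure"
    }
}
```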