Forum Discussion
Insert Basic Auth Header
- Sep 14, 2022
One thought that comes to mind is that you might be able to do a simple header injection via the HTTP profile or via an iRule. I do want to note that this design would allow any client to connect to your web application as whatever user is provided in the header, so it would not necessarily be much better than regular anonymous usage. Further, the password is only encoded with base64, so it is essentially the same as clear text; you will want to use SSL/TLS to protect the communication.
To build the authorization string, combine the username and password, separated by a colon, and then base64 encode the whole string. For example, RFC 7617 shows the username Aladdin with password 'open sesame', which results in the base64 string QWxhZGRpbjpvcGVuIHNlc2FtZQ==. Be sure to come up with the value required for your implementation. CyberChef is a handy tool to do base64 operations.
In the HTTP profile, set the Request Header Insert value to:
Authorization Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
In an iRule, this might look like this. (I haven't tested this):
when HTTP_REQUEST_RELEASE {
    HTTP::header insert Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
}
Last note: this method might not work if the application server is expecting to respond with a 401 error first and then have the user authenticate second. You would need additional logic in that case.
Thanks,
Josh Becigneul