Forum Discussion
Joe_Dunn_46490
Nimbostratus
NimbostratusInsert Random Hash
Hi group
I'm wondering if anyone has any experience or direction on how one would do the following:
In an authentication scenario when a user is sending username/password for an iRule to pre-pend or append a string as a one time pad without the user's knowledge which would be used along with the username and password as authentication requirement.
Any pointers would be greatly appreciated.
HamishCirrocumulus
You mean to intercept the request and re-write the URI? That bit is easy... Does it HAVE to be the URI? Seems to me there's less likelyhood for leakage to the client (e.g. by getting a 404 back accidentally for some reason or other) if the string goes in a custom HTTP header (Also inserted by an iRule).
H- Joe_Dunn_46490No not rewrite the URI, but modify the actual password field being transmitted to add the one time pad to the password field. Make it so the user does not know the full password to auth but does not need to know it either.
Michael_YatesHi John,
Where is this password value located? [HTTP::uri], Custom Header Value, Postback Payload Data, etc?
Also, are you trying to pre-pend or append a set string value (known value) or something random?- Joe_Dunn_46490Hey Michael,
User is talking to active sync server proxied by F5. F5 is ssl termination point. So the irule would intercept the connection modify the password by prepending/postpending and then relaying the connection on to the active sync server.
Joe - Michael_YatesIf that communication is using Basic Authentication (which I doubt) you could try using HTTP::password.
If not then you are probably going to have to start looking for it in the Payload. I have never tried to do what you are attempting before so I cannot give any other guidance.