Forum Discussion

winddlover_9858
Jan 14, 2011

iRule for access VIP based on user name

I am configuring a VIP and implementing the basic authentication method over SSL. I want to restrict the VIP access based on user account.

In other words, only specific users are allowed to access this VIP; for all the other users, just block their access.

I believe it can be achieved by creating a proper iRule based on http:username, but I am unable to find any decent reference or sample to do it.

There are 10 user names in the check list. Can someone give me a sample of how to do it?

Thanks in advance

3 Replies

  • Hi,

    Here is a 9.x example which prompts the user to enter credentials if valid credentials haven't already been provided. If an auth header has a value, that value is checked against a single base64 encoded user:pass.

    http://devcentral.f5.com/Forums/tabid/1082223/asg/50/showtab/groupforums/aff/5/aft/13423/afv/topic/Default.aspx27783

    You should be able to modify this for 10.x to support your requirements. Reply here if you want more detailed suggestions.

    Or if you just want to check every request for a user name which is defined in a string datagroup, you could use something like this:

    when HTTP_REQUEST {
       log local0. "[IP::client_addr]:[TCP::client_port]: New HTTP request to \
         [HTTP::host][HTTP::uri] with auth value: [HTTP::header value Authorization]"

       # Check if there is an Authorization header with a value
       if { [HTTP::header value "Authorization"] eq "" } {
          # No Auth header. Send a 401 to request credentials? Or a 403 to block the request?
       } else {
          # Auth header had a value, so check if the username exists in a datagroup of valid users
          if { [class match [HTTP::username] equals my_valid_usernames_class] } {
             # Valid request. Do something? Or just allow the request to go to the virtual server's default pool.
          } else {
             # Invalid username. Send a 401 to request credentials? Or a 403 to block the request?
          }
       }
    }


    Aaron
  • Note that I'm assuming something else behind LTM would actually validate the password is correct for the given username in the latter example.

    Aaron
  • George wrote up that very thing back in September: http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1086387/HTTP-Basic-Access-Authentication-iRule-Style.aspx
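A fuller version of the datagroup sketch in Aaron's first reply, written here as an added example (it is not Aaron's code or F5's): it resolves the 401-or-403 question by challenging when no credentials are present and blocking any user not in the list. The data group name my_valid_usernames_class and the realm string are assumed; as Aaron's second reply notes, the password is still not verified by the LTM and must be checked by the pool member.

```tcl
# Added example, not the original poster's or Aaron's code. Assumed names:
#   my_valid_usernames_class  - string data group holding the permitted user names
#   "Restricted VIP"          - realm sent back in the 401 challenge
# The password is NOT verified here; the server behind the VIP must still do that.
when HTTP_REQUEST {
    # HTTP::username is empty unless a Basic Authorization header was sent
    set user [HTTP::username]

    if { $user eq "" } {
        # No credentials yet: challenge the client so the browser prompts for them
        HTTP::respond 401 content "Authentication required" \
            "WWW-Authenticate" "Basic realm=\"Restricted VIP\"" \
            "Content-Type" "text/plain"
        return
    }

    # Normalise case so "Alice" and "alice" hit the same data group entry
    # (assumes the data group entries are stored in lower case)
    set user [string tolower $user]

    if { [class match $user equals my_valid_usernames_class] } {
        # Allowed user: let the request continue to the virtual server's default pool,
        # which is still responsible for validating the password for this user
        log local0. "[IP::client_addr] allowed user $user for [HTTP::host][HTTP::uri]"
    } else {
        # User not on the list: block rather than re-prompt, and log it for monitoring
        log local0. "[IP::client_addr] denied user $user for [HTTP::host][HTTP::uri]"
        HTTP::respond 403 content "Forbidden" "Content-Type" "text/plain"
    }
}
```

Because the allow-list is checked on every HTTP request, a valid user name must be present on each request, which is how browsers behave once a 401 challenge has been answered.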