Forum Discussion
iRULE to capture user credentials in SOAP-XML Payload in Clientless Mode
We have an application limitation from the vendor: they don't support authentication based on multiple domains. I am configuring an iRule and APM to work around this shortcoming of the application.
External Application-A Fat client => calls application-B using particular URI (Virtual Server on F5)
Application B URI is defined as plugins in Application A fat client.
when HTTP_REQUEST
- HTTP::header insert "clientless-mode" 1 (the iRule will put it into clientless mode for the /xyz URI, since there are other URIs for the web interface)
- The iRule will match if the HTTP method is POST and Content-Type contains "soap+xml"
- Collect HTTP content

when HTTP_REQUEST_DATA
- Go through XML
- Collect username "user1@domain1.com "
- Collect password "12345678"

when ACCESS_SESSION_STARTED
- Assign the values collected previously to the variables: session.logon.last.username $username, session.logon.last.password $password

The APM policy will look as follows:
Start => if username contains domain1 => domain1\$username => RADIUS => Allow => Deny
=> if username contains domain2 => domain1\$username => RADIUS => Allow
=> Deny
- Stanislas_Piro2
Cumulonimbus
Hi,
You can use this iRule as an example:

```tcl
when HTTP_REQUEST {
    set apmsessionid [HTTP::cookie value MRHSession]
    if { [HTTP::cookie exists "MRHSession"] } {
        set apmstatus [ACCESS::session exists -state_allow $apmsessionid]
    } else {
        set apmstatus 0
    }
    if { !($apmstatus) } {
        # Insert Clientless-mode header to start APM in clientless mode
        if { [catch {HTTP::header insert "clientless-mode" 1}] } {
            log local0. "[IP::client_addr]:[TCP::client_port] : TCL error on HTTP header insert clientless-mode : URL : [HTTP::host][HTTP::path] - Headers : [HTTP::request]"
        }
    }
    # Collect Post Data to be parsed in HTTP_REQUEST_DATA
    if { [HTTP::method] eq "POST" } {
        # Cap the collected payload at 1 MB (1048576 bytes)
        set clength 0
        if { [HTTP::header exists "Content-Length"] && [HTTP::header Content-Length] <= 1048576 } {
            set clength [HTTP::header Content-Length]
        } else {
            set clength 1048576
        }
        if { [info exists clength] && $clength > 0 } {
            HTTP::collect $clength
        }
    }
}

when HTTP_REQUEST_DATA {
    # Parse XML Data
    # The findstr search strings (the XML tags to look for) are empty as shown here
    set xmluser [findstr [HTTP::payload] "" 15 "<"]
    set xmlpwtmp [findstr [HTTP::payload] "" 1 end]
    unset xmlpwtmp
}

when ACCESS_SESSION_STARTED {
    # Variables from HTTP REQUEST Data (XML Parsing)
    if { [info exists "xmluser"] } {
        ACCESS::session data set session.logon.last.username $xmluser
        ACCESS::session data set session.logon.last.logonname $xmluser
    }
    if { [info exists "xmlpw"] } {
        ACCESS::session data set session.logon.last.password $xmlpw
    }
}

when ACCESS_ACL_ALLOWED {
    set user [ACCESS::session data get session.logon.last.username]
    HTTP::header insert "login" $user
    HTTP::header remove "Authorization"
}
```
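The credential-extraction step discussed in this thread, as an added example that is not part of any post and is not F5 or vendor code: plain Tcl (run with tclsh, no iRule commands) that reads element text regardless of namespace prefix, decodes XML entities so a password containing `&` or `<` arrives intact, and maps the domain by exact match. The element names `Username` and `Password`, the domain table and the sample payload are assumptions.

```tcl
# Added example, plain Tcl (tclsh), no F5 commands. ASSUMPTIONS: element local
# names "Username"/"Password" and the domain table are constructed.

# Decode the five predefined XML entities in one pass. string map never
# rescans its output, so "&amp;lt;" becomes "&lt;", not "<".
proc xml_unescape {s} {
    return [string map [list "&lt;" "<" "&gt;" ">" "&quot;" "\"" \
        "&apos;" "'" "&amp;" "&"] $s]
}

# Store the text of the first element with local name $name (any namespace
# prefix) in $varName. Returns 1 if found, 0 if absent.
proc xml_element_text {payload name varName} {
    upvar 1 $varName value
    set ns {(?:[A-Za-z_][A-Za-z0-9_.-]*:)?}
    set re "<$ns$name"
    append re {(?:\s[^>]*)?>([^<]*)</} $ns $name {\s*>}
    if {![regexp -- $re $payload -> raw]} { return 0 }
    set value [xml_unescape $raw]
    return 1
}

# Map "user@domain" to "prefix\user" by exact match on the domain part
# (not "username contains domain1"). Returns "" for anything else.
proc radius_logon {logon} {
    set parts [split [string trim $logon] "@"]
    if {[llength $parts] != 2 || [lindex $parts 0] eq ""} { return "" }
    set user [lindex $parts 0]
    switch -exact -- [string tolower [lindex $parts 1]] {
        domain1.com { return "domain1\\$user" }
        domain2.com { return "domain2\\$user" }
        default     { return "" }
    }
}

# Constructed sample payload; the password contains escaped "&" and "<".
set payload {<s:Envelope><s:Header><wsse:UsernameToken>
  <wsse:Username>user1@domain1.com</wsse:Username>
  <wsse:Password Type="text">p&amp;ss&lt;1</wsse:Password>
</wsse:UsernameToken></s:Header><s:Body/></s:Envelope>}

if {[xml_element_text $payload Username u] &&
    [xml_element_text $payload Password p]} {
    # Never log the password itself; its length is enough for debugging.
    puts "logon=[radius_logon $u] password_length=[string length $p]"
} else {
    puts "credentials not found: reject the request"
}
```

Only the five named entities are decoded; payloads that use numeric character references or CDATA sections need a full XML parser.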
- AN
Nimbostratus
I found the issue. There were multiple .svc (session.svc and application.svc) being called under URI /abc/, so I changed my URL to point to /abc/ instead of a particular .svc.
As you can see in my captures, with only the webDev iRule I get 100 Continue messages, but when I put in the iRule you mentioned, I don't see 100 Continue. Is it because of clientless?