For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

jsipes's avatar
jsipes
Icon for Nimbostratus rankNimbostratus
Mar 15, 2016

Magento log into API by calling the Login Resource using APM version 12

Where to start is the question. What type of access policy do I create?

 

Looking to set up a secure REST API from Magento to a web server in our trusted network.

 

So basically pushing data from Magento to an internal web server securely using a REST API and using APM as a security gateway.

 

The post would look something like the following.

 

API Login

 

Magento will log into the API by calling the Login Resource. Afterwards the Session Resource must be called as well.

 

Logging In

 

Generate Token

 

API Resource

 

POST /login

 

Login must be done over HTTPS

 

Request Header

 

Authorization

 

The value conforms to the Basic authentication value: "Basic " . HASH

 

HASH: base-64 encoded USER . ":" . PASSWORD

 

USER: Username

 

PASSWORD: Password

 

Example Request

 

Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l

 

Example

 

Response

 

{ "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJVc2VyTmFtZSI6ImRkY1xcY3JhaW5leSIsIkV4cGlyZXMiOiJcL0RhdGUoMTQxNTQwMDkxODI3NSlcLOElZYFp5ZSkyNmIkQzVtPzog1BTUF9FKFx1MDAzZTVARkN"expirationPeriod": "01:00:00" }

 

application delivery
BIG-IP Access Policy Manager (APM)

1 Reply

  • Lucas_Thompson_'s avatar
    Lucas_Thompson_
    Historic F5 Account
    Mar 15, 2016

    Sure, you can do this no problem. Look at "Clientless Mode" posts here in DevCentral to get an idea about how it works. Normally APM does this 302 redirect to /my.policy for web clients, but you can short-circuit that for API robots by inserting (or having big-ip insert) a special HTTP header "Clientless-Mode", either in the original request or in an irule.