Forum Discussion
mahnsc
Apr 06, 2012 (Nimbostratus)
Multi-Conditional iRule using Basic Auth and 9.4.3
I received a request recently regarding a customer of my customer who
has multiple authentication and authorization requirements for web
service requests. The requirements were broken down as follow...
nitass
Apr 06, 2012 (Employee)
Mine is 10.2.3. For 9.4.3, can you try findclass [HTTP::username] users " " instead of class lookup?
findclass wiki
https://devcentral.f5.com/wiki/iRules.findclass.ashx
    [root@ve1023:Active] config # b virtual bar list
    virtual bar {
       snat automap
       pool foo
       destination 172.28.19.79:80
       ip protocol 6
       rules myrule
       profiles {
          http {}
          tcp {}
       }
    }
    [root@ve1023:Active] config # b class users list
    class users {
       "foo" { "acbd18db4cc2f85cedef654fccc4a4d8" }
    }
    [root@ve1023:Active] config # b rule myrule list
    rule myrule {
       when HTTP_REQUEST {
          if { [HTTP::uri] contains "/uri/" } {
             if { [HTTP::header "Content-Type"] contains "text/xml" } {
                if { ! ( [IP::addr [IP::client_addr] equals 1.1.1.0/24] ) } {
                   binary scan [md5 [HTTP::password]] H* password
                   if { [class lookup [HTTP::username] users] equals $password } {
                      log local0. "User [HTTP::username] authorized to access /uri/"
                   } else {
                      if { [string length [HTTP::password]] != 0 } {
                         log local0. "User [HTTP::username] not authorized to access /uri/"
                      }
                      HTTP::respond 401
                      log local0. "[IP::client_addr]:[TCP::client_port]: Sending 401 Response"
                   }
                }
             }
          }
       }
    }

1

    [root@ve1023:Active] config # curl -i http://172.28.19.79/uri/ -H "Content-Type: text/xml" -d "test=abc"
    HTTP/1.0 401 Unauthorized
    WWW-Authenticate: Basic realm=""
    Server: BigIP
    Connection: Keep-Alive
    Content-Length: 0

    [root@ve1023:Active] config # tail -f /var/log/ltm
    Apr 5 21:23:16 local/tmm info tmm[4797]: Rule myrule : 172.28.19.80:43504: Sending 401 Response

2

    [root@ve1023:Active] config # curl -i -u foo:foo http://172.28.19.79/uri/ -H "Content-Type: text/xml" -d "test=abc"
    HTTP/1.1 404 Not Found
    Date: Fri, 06 Apr 2012 04:24:54 GMT
    Server: Apache/2.2.3 (CentOS)
    Content-Length: 279
    Content-Type: text/html; charset=iso-8859-1
    ...snipped...

    [root@ve1023:Active] config # tail -f /var/log/ltm
    Apr 5 21:24:25 local/tmm info tmm[4797]: Rule myrule : User foo authorized to access /uri/

3

    [root@ve1023:Active] config # curl -i -u foo:wrong http://172.28.19.79/uri/ -H "Content-Type: text/xml" -d "test=abc"
    HTTP/1.0 401 Unauthorized
    WWW-Authenticate: Basic realm=""
    Server: BigIP
    Connection: Keep-Alive
    Content-Length: 0

    [root@ve1023:Active] config # tail -f /var/log/ltm
    Apr 5 21:24:59 local/tmm info tmm[4797]: Rule myrule : User foo not authorized to access /uri/
    Apr 5 21:24:59 local/tmm info tmm[4797]: Rule myrule : 172.28.19.80:43591: Sending 401 Response
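
An added example, not part of nitass's post and not F5 code: a Python model of the decision logic in myrule, for checking a class entry and the expected outcome of each request offline before loading the rule. The names `USERS`, `TRUSTED_NET`, `basic_credentials` and `evaluate`, and the `"forward"`/`"401"` labels, are assumptions; header names are matched case-sensitively here as a simplification.

```python
import base64
import hashlib
import hmac
import ipaddress

# Constructed sample data mirroring the "users" class in the post:
# username -> hex MD5 of the password (md5("foo") is the value listed there).
USERS = {"foo": hashlib.md5(b"foo").hexdigest()}
TRUSTED_NET = ipaddress.ip_network("1.1.1.0/24")  # subnet the rule exempts


def basic_credentials(headers):
    """Return (username, password) from a Basic Authorization header, else ("", "")."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return "", ""
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:  # malformed base64 or invalid UTF-8
        return "", ""
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else ("", "")


def evaluate(uri, headers, client_ip, users=USERS):
    """Model of myrule: return "forward" (request goes to the pool) or "401"."""
    # The rule only enforces authentication when all three conditions hold.
    if "/uri/" not in uri:
        return "forward"
    if "text/xml" not in headers.get("Content-Type", ""):
        return "forward"
    if ipaddress.ip_address(client_ip) in TRUSTED_NET:
        return "forward"
    user, password = basic_credentials(headers)
    expected = users.get(user)
    supplied = hashlib.md5(password.encode("utf-8")).hexdigest()
    # Constant-time comparison; an unknown user never matches.
    if expected is not None and hmac.compare_digest(expected, supplied):
        return "forward"
    return "401"
```
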