Forum Discussion
Only enable access policy when server response is 401?
- Jan 31, 2014
To add to Josh's suggestion.
If you see the 401 from the server in HTTP_RESPONSE, add some cookie or other marker and redirect client back to the VIP. If the cookie or other marker is seen, then do ACCESS::enable.
Hi,
This iRule starts the authentication process only if the server responds with a 401 code. But if the user wants to go back to unauthenticated content, APM requests authentication until the cookie is removed.
The following modified iRule lets the user go back to an unauthenticated page by checking the state of the session. I changed the variable landinguri instead of creating the variable session.cms.starturi, to remove the ACCESS_POLICY_COMPLETED event.

    when HTTP_REQUEST {
        # store the host header for the initial /start_policy redirect
        set uri [HTTP::uri]
        set logout_req 0
        set apm_cookie [HTTP::cookie value MRHSession]
        if { ( [ACCESS::session exists -state_allow $apm_cookie] ) \
             or ( [HTTP::uri] starts_with "/my.policy" ) } {
            # initial redirect to /my.policy (starts access policy evaluation) - or a normal post-policy request
            set apm_req 1
            return
        } elseif { ( [HTTP::uri] starts_with "/start_policy" ) } {
            # initial redirect to /start_policy (starts access policy evaluation)
            # Remove the not established previous sessions
            ACCESS::session remove
            ACCESS::session create -timeout 1800 -lifetime 0
            ACCESS::session data set session.server.landinguri [findstr [HTTP::uri] "/start_policy?url=" 18]
            set apm_req 1
            return
        } else {
            # APM session disabled until logon process is started
            ACCESS::disable
            set apm_req 0
            return
        }
    }

    when ACCESS_SESSION_STARTED {
        # store the initial (redirect URI) until it's needed
        ACCESS::session data set session.server.landinguri [findstr [HTTP::uri] "/start_policy?url" 18]
    }

    when HTTP_RESPONSE {
        log local0. "apm_req was $apm_req"
        # capture the redirect to authenticate
        if { ([HTTP::status] eq "401") and ($apm_req eq 0) } {
            # initiate access policy processing
            log local0. "apm_req was $apm_req so redirecting"
            HTTP::respond 302 Location "/start_policy?url=$uri"
        }
    }