Forum Discussion
Sharon_Lucas_55
Nimbostratus
NimbostratusProblem authenticating if password contains a @
I'm using the iControl SDK to create a Java application that automates configuring BIG-IP.Wed Apr 28 14:09:13 2010
If my admin password for BIG-IP does not contain a @, authentication to the BIG-IP host via my Java application works fine. However, if my admin password for BIG-IP contains a @ in it, I get an authentication error because it thinks everything after the @ in the password is part of the hostname since it uses the following url to connect to BIG-IP.
https://user:password@hostname:443/iControl/iControlPortal.cgi
So, if my user is admin and my password is pass@word and my hostname is bigip.company.com, the url used is:
https://admin:pass@word@bigip.company.com:443/iControl/iControlPortal.cgi
So, it incorrectly thinks the password is pass and the hostname is word@bigip.company.com (everythin after the first @ within the password)
So, I encoded the @ in the password as %40 (e.g. pass%40word) to make it url safe since a @ is a reserved character and must be encoded according to url rules. However, authentication is still failing.
This problem appears to be like the one reported at http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/51/afv/topic/aft/30461/aff/1/showtab/groupforums/Default.aspx34413 that was never answered.
When the admin password is pass@word and I specify the encoded version of the password (e.g. pass%40word), I get the following error:
C:\F5\iControl-10.1.0\sdk\samples\soap\java\apache\axis\LocalLB>java -cp .;%JAVA_CLASSPATH% F5ProxySetup 9.99.999.999 443 admin pass%40word
AxisFault
faultCode: {http://xml.apache.org/axis/}HTTP
faultSubcode:
faultString: (401)F5 Authorization Required
faultActor:
faultNode:
faultDetail:
{}:return code: 401
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
lang="en">
Authentication required!
Authentication required!
This server could not verify that you are authorized to access
the URL "/iControl/iControlPortal.cgi".
You either supplied the wrong credentials (e.g., bad password), or your
browser doesn't understand how to supply the credentials required.
In case you are allowed to request the document, please
check your user-id and password and try again.
Error 401
{http://xml.apache.org/axis/}HttpErrorCode:401
(401)F5 Authorization Required
at org.apache.axis.transport.http.HTTPSender.readFromSocket(HTTPSender.java:744)
at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:144)
at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
at org.apache.axis.client.Call.invoke(Call.java:2767)
at org.apache.axis.client.Call.invoke(Call.java:2443)
at org.apache.axis.client.Call.invoke(Call.java:2366)
at org.apache.axis.client.Call.invoke(Call.java:1812)
at iControl.LocalLBSNATBindingStub.get_list(LocalLBSNATBindingStub.java:717)
at F5ProxySetup.createSnat(F5ProxySetup.java:70)
at F5ProxySetup.main(F5ProxySetup.java:907)
30 Replies
HamishCirrocumulus
I'm not sure if this one would ever be fixed... Mainly because the syntax for including the username and password in the URL isn't actually part of the standard. It's an extension that (IIRC) Netscape started way back when.
Possibly it would be better to cover yourself, and if there is a reserved character in the pasword (Does / and : do the same thing?) use the basic auth callback instead.
(Ahh... Actually, I'm thinking perl when I say basic auth callback. Presumably the java API has something similar)
H
Sharon_Lucas_55Yes, other reserved characters in the password cause the same problem.
Do you have any examples for how to "use the basic auth callback" in Java? Or can you point me to any documentation on this?- HamishSorry, no... I don't. I use perl for almost all of my iControl work (Where I don't use perl, I use C).
Try searching around in the iControl codeshare section, there should be examples in there (Or do the Java examples there use the URL notation?). Failing that, manually add the authentication headers into the HTTP request.
H - HamishI also had a thought... What happens if you escape the @ with a backslash? e.g. pass\@word?
H - Sharon_Lucas_55Escaping the @ with a backslash results in the same error.
- Luke_Lehman
Employee
Posted By Hamish on 04/30/2010 01:13 AM
Sorry, no... I don't. I use perl for almost all of my iControl work (Where I don't use perl, I use C).
Try searching around in the iControl codeshare section, there should be examples in there (Or do the Java examples there use the URL notation?). Failing that, manually add the authentication headers into the HTTP request.
H Hamish - How would you go about manually adding the auth headers into the HTTP request?
Thanks,
-Luke 
hoolioCirrostratus
For whichever language you're using you should be able to insert an HTTP header in the request. The format should be:
Authorization: Basic abcd
where abcd is a base64 encoding of the username:password. Here's a wikipedia example for a user of Aladdin and a pass of open sesame:
http://en.wikipedia.org/wiki/Basic_access_authentication
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Aaron- Have you tried the iControl library for Java? I've got a version that will work with JRE 1.5 and 1.6 and uses the lower level binding classes to set the username/password for the connections. There are binary and source can be found in the iControl Assembly for .Net and Java labs project.
http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/2/afv/topic/aft/1172123/aff/2106/showtab/groupforums/Default.aspx
Look in the source\iControl\Interfaces.java class for details on how to use the lower level classes for the authentication headers.
In the "test" directory in the source distribution there are some sample applications that use the Interfaces iControl wrapper class.
Let me know if this works for you.
-Joe - Luke_LehmanAaron,
Thanks for the quick response. I'm using C creating a Windows Form app. I have a button that I'm trying to have open a "Network Map" view of a Pool.
Here is what I had originally:web_ltmview.Url = new Uri("https://" + txt_username.Text + ":" + txt_password.Text + "@" + ltmDerived + ".prci.com/");
Working from a non-F5 related internet article, I tried this (but I'm sure I've got something incorrect in here, because it still doesn't work):string hdr = "Authorization: Basic" + Convert.ToBase64String(Encoding.ASCII.GetBytes(txt_username.Text + ":" + txt_password.Text)) + System.Environment.NewLine; web_ltmview.Navigate("https://" + ltmDerived + ".prci.com/", null, null, hdr);
Thanks in advance...
-Luke - Luke, are your authenticated calls iControl method requests? If so, you should use the iControl Assembly instead of hard coding them yourself. If you just want to create an authenticated request to a web page, then your route would likely work.
-Joe
![\"F5](\"https://www.f5.com/content/dam/f5/f5-logo.svg\"){kind=logo}