Forum Discussion

Nimbostratus

Apr 28, 2010

Problem authenticating if password contains a @

I'm using the iControl SDK to create a Java application that automates configuring BIG-IP.

If my admin password for BIG-IP does not contain a @, authentication to the BIG-IP host via my Java application works fine. However, if my admin password for BIG-IP contains a @ in it, I get an authentication error because it thinks everything after the @ in the password is part of the hostname since it uses the following url to connect to BIG-IP.

https://user:password@hostname:443/iControl/iControlPortal.cgi

So, if my user is admin and my password is pass@word and my hostname is bigip.company.com, the url used is:

https://admin:pass@word@bigip.company.com:443/iControl/iControlPortal.cgi

So, it incorrectly thinks the password is pass and the hostname is word@bigip.company.com (everythin after the first @ within the password)

So, I encoded the @ in the password as %40 (e.g. pass%40word) to make it url safe since a @ is a reserved character and must be encoded according to url rules. However, authentication is still failing.

This problem appears to be like the one reported at http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/51/afv/topic/aft/30461/aff/1/showtab/groupforums/Default.aspx34413 that was never answered.

When the admin password is pass@word and I specify the encoded version of the password (e.g. pass%40word), I get the following error:

C:\F5\iControl-10.1.0\sdk\samples\soap\java\apache\axis\LocalLB>java -cp .;%JAVA_CLASSPATH% F5ProxySetup 9.99.999.999 443 admin pass%40word

AxisFault

faultCode: {http://xml.apache.org/axis/}HTTP

faultSubcode:

faultString: (401)F5 Authorization Required

faultActor:

faultNode:

faultDetail:

{}:return code: 401

"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

lang="en">

Authentication required!

This server could not verify that you are authorized to access

the URL "/iControl/iControlPortal.cgi".

You either supplied the wrong credentials (e.g., bad password), or your

browser doesn't understand how to supply the credentials required.

In case you are allowed to request the document, please

check your user-id and password and try again.

Error 401

~~Wed Apr 28 14:09:13 2010~~

{http://xml.apache.org/axis/}HttpErrorCode:401

(401)F5 Authorization Required

at org.apache.axis.transport.http.HTTPSender.readFromSocket(HTTPSender.java:744)

at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:144)

at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)

at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)

at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)

at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)

at org.apache.axis.client.Call.invokeEngine(Call.java:2784)

at org.apache.axis.client.Call.invoke(Call.java:2767)

at org.apache.axis.client.Call.invoke(Call.java:2443)

at org.apache.axis.client.Call.invoke(Call.java:2366)

at org.apache.axis.client.Call.invoke(Call.java:1812)

at iControl.LocalLBSNATBindingStub.get_list(LocalLBSNATBindingStub.java:717)

at F5ProxySetup.createSnat(F5ProxySetup.java:70)

at F5ProxySetup.main(F5ProxySetup.java:907)

dev

devops

iControl

Hamish
Cirrocumulus
Apr 29, 2010
I'm not sure if this one would ever be fixed... Mainly because the syntax for including the username and password in the URL isn't actually part of the standard. It's an extension that (IIRC) Netscape started way back when.

Possibly it would be better to cover yourself, and if there is a reserved character in the pasword (Does / and : do the same thing?) use the basic auth callback instead.

(Ahh... Actually, I'm thinking perl when I say basic auth callback. Presumably the java API has something similar)

H
Sharon_Lucas_55
Nimbostratus
Apr 29, 2010
Yes, other reserved characters in the password cause the same problem.

Do you have any examples for how to "use the basic auth callback" in Java? Or can you point me to any documentation on this?
Hamish
Cirrocumulus
Apr 30, 2010
Sorry, no... I don't. I use perl for almost all of my iControl work (Where I don't use perl, I use C).

Try searching around in the iControl codeshare section, there should be examples in there (Or do the Java examples there use the URL notation?). Failing that, manually add the authentication headers into the HTTP request.

H
Hamish
Cirrocumulus
Apr 30, 2010
I also had a thought... What happens if you escape the @ with a backslash? e.g. pass\@word?

H
Sharon_Lucas_55
Nimbostratus
May 10, 2010
Escaping the @ with a backslash results in the same error.
Luke_Lehman
Employee
Jun 15, 2010
Posted By Hamish on 04/30/2010 01:13 AM

Sorry, no... I don't. I use perl for almost all of my iControl work (Where I don't use perl, I use C).

Try searching around in the iControl codeshare section, there should be examples in there (Or do the Java examples there use the URL notation?). Failing that, manually add the authentication headers into the HTTP request.

H Hamish - How would you go about manually adding the auth headers into the HTTP request?

Thanks,

-Luke
hoolio
Cirrostratus
Jun 15, 2010
For whichever language you're using you should be able to insert an HTTP header in the request. The format should be:

Authorization: Basic abcd

where abcd is a base64 encoding of the username:password. Here's a wikipedia example for a user of Aladdin and a pass of open sesame:

http://en.wikipedia.org/wiki/Basic_access_authentication

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

Aaron
Joe_Pruitt
Jun 15, 2010
Have you tried the iControl library for Java? I've got a version that will work with JRE 1.5 and 1.6 and uses the lower level binding classes to set the username/password for the connections. There are binary and source can be found in the iControl Assembly for .Net and Java labs project.

http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/2/afv/topic/aft/1172123/aff/2106/showtab/groupforums/Default.aspx

Look in the source\iControl\Interfaces.java class for details on how to use the lower level classes for the authentication headers.

In the "test" directory in the source distribution there are some sample applications that use the Interfaces iControl wrapper class.

Let me know if this works for you.

-Joe
Luke_Lehman
Employee
Jun 15, 2010
Aaron,

Thanks for the quick response. I'm using C creating a Windows Form app. I have a button that I'm trying to have open a "Network Map" view of a Pool.

Here is what I had originally:
web_ltmview.Url = new Uri("https://" + txt_username.Text + ":" + txt_password.Text + "@" + ltmDerived + ".prci.com/");

Working from a non-F5 related internet article, I tried this (but I'm sure I've got something incorrect in here, because it still doesn't work):
string hdr = "Authorization: Basic" + Convert.ToBase64String(Encoding.ASCII.GetBytes(txt_username.Text + ":" + txt_password.Text)) + System.Environment.NewLine; web_ltmview.Navigate("https://" + ltmDerived + ".prci.com/", null, null, hdr);

Thanks in advance...

-Luke
Joe_Pruitt
Jun 15, 2010
Luke, are your authenticated calls iControl method requests? If so, you should use the iControl Assembly instead of hard coding them yourself. If you just want to create an authenticated request to a web page, then your route would likely work.

-Joe