Sharon_Lucas_55
Apr 28, 2010

Problem authenticating if password contains a @

I'm using the iControl SDK to create a Java application that automates configuring BIG-IP.

If my admin password for BIG-IP does not contain a @, authentication to the BIG-IP host via my Java application works fine. However, if my admin password for BIG-IP contains a @ in it, I get an authentication error because it thinks everything after the @ in the password is part of the hostname since it uses the following url to connect to BIG-IP.

    https://user:password@hostname:443/iControl/iControlPortal.cgi

So, if my user is admin and my password is pass@word and my hostname is bigip.company.com, the url used is:

    https://admin:pass@word@bigip.company.com:443/iControl/iControlPortal.cgi

So, it incorrectly thinks the password is pass and the hostname is word@bigip.company.com (everything after the first @ within the password).

So, I encoded the @ in the password as %40 (e.g. pass%40word) to make it url safe since a @ is a reserved character and must be encoded according to url rules. However, authentication is still failing.

This problem appears to be like the one reported at http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/51/afv/topic/aft/30461/aff/1/showtab/groupforums/Default.aspx34413 that was never answered.

When the admin password is pass@word and I specify the encoded version of the password (e.g. pass%40word), I get the following error:

    C:\F5\iControl-10.1.0\sdk\samples\soap\java\apache\axis\LocalLB>java -cp .;%JAVA_CLASSPATH% F5ProxySetup 9.99.999.999 443 admin pass%40word

    AxisFault
    faultCode: {http://xml.apache.org/axis/}HTTP
    faultSubcode:
    faultString: (401)F5 Authorization Required
    faultActor:
    faultNode:
    faultDetail:
    {}:return code: 401

    Authentication required!
    Authentication required!
    This server could not verify that you are authorized to access
    the URL "/iControl/iControlPortal.cgi".
    You either supplied the wrong credentials (e.g., bad password), or your
    browser doesn't understand how to supply the credentials required.
    In case you are allowed to request the document, please
    check your user-id and password and try again.
    Error 401
    Wed Apr 28 14:09:13 2010

    {http://xml.apache.org/axis/}HttpErrorCode:401

    (401)F5 Authorization Required
        at org.apache.axis.transport.http.HTTPSender.readFromSocket(HTTPSender.java:744)
        at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:144)
        at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
        at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
        at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
        at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
        at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
        at org.apache.axis.client.Call.invoke(Call.java:2767)
        at org.apache.axis.client.Call.invoke(Call.java:2443)
        at org.apache.axis.client.Call.invoke(Call.java:2366)
        at org.apache.axis.client.Call.invoke(Call.java:1812)
        at iControl.LocalLBSNATBindingStub.get_list(LocalLBSNATBindingStub.java:717)
        at F5ProxySetup.createSnat(F5ProxySetup.java:70)
        at F5ProxySetup.main(F5ProxySetup.java:907)

30 Replies

  • The setPassword() method does not take an encoded password; it uses the clear text version and then builds the Authentication header by base64 encoding the username:password values. By you passing in a base64 encoded string, it's essentially base64 encoding your URL encoded value. I would recommend removing all username and password from the "https://bigip/iControl/iControlPortal.cgi" URI and using the setUsername() and setPassword() methods with the clear text values.

    // Pass the clear-text credentials to the binding; do not URL-encode them
    m_systemInfo.setUsername(username);
    m_systemInfo.setPassword("XXXXXXX@XXXX");
    m_systemInfo.get_system_information();

    Since the username and password are not in the URI anymore, there is no reason to URL encode it.

    For more examples, download the iControl Library for Java from the iControl Assembly labs project. There are a few sample test applications in there that illustrate how to use the library with authentication. Let me know if you have trouble finding it, and I can post an example here to this thread.

    Hope this helps...

    -Joe
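
The point of the reply above, as an added example that is not part of the original post or of the iControl library: Basic authentication base64-encodes `username:password` exactly as given, so a URL-encoded password reaches the server as different bytes, and credentials found in a URL must be percent-decoded before they go into the header. The class and method names (`BasicAuthDemo`, `basicHeader`, `decodeHeader`, `stripUserInfo`) are hypothetical; only `java.net.URI` and `java.util.Base64` are used.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicAuthDemo {   // hypothetical name, not an iControl class
    // Basic credentials: base64 of "user:password" built from the clear-text values.
    static String basicHeader(String user, String password) {
        byte[] raw = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    // What the server recovers from the header before it checks the password.
    static String decodeHeader(String header) {
        byte[] raw = Base64.getDecoder().decode(header.substring("Basic ".length()));
        return new String(raw, StandardCharsets.UTF_8);
    }

    // Moves credentials out of a URL: { endpoint without userinfo, user, clear-text password }.
    static String[] stripUserInfo(String url) throws URISyntaxException {
        URI u = new URI(url);
        String info = u.getUserInfo();      // percent-decoded, so %40 is @ again
        if (info == null) {
            return new String[] { url, null, null };
        }
        int colon = info.indexOf(':');      // a Basic user name cannot contain ':', a password can
        String user = colon < 0 ? info : info.substring(0, colon);
        String password = colon < 0 ? "" : info.substring(colon + 1);
        URI bare = new URI(u.getScheme(), null, u.getHost(), u.getPort(),
                           u.getPath(), u.getQuery(), u.getFragment());
        return new String[] { bare.toString(), user, password };
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed sample values, taken from the thread's admin / pass@word example.
        String clear = basicHeader("admin", "pass@word");
        String encoded = basicHeader("admin", "pass%40word");
        System.out.println("clear-text password  -> server sees " + decodeHeader(clear));
        System.out.println("URL-encoded password -> server sees " + decodeHeader(encoded));

        String[] parts = stripUserInfo(
            "https://admin:pass%40word@bigip.company.com:443/iControl/iControlPortal.cgi");
        System.out.println("endpoint: " + parts[0]);
        System.out.println("header:   " + basicHeader(parts[1], parts[2]));
    }
}
```
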

  • Thanks Joe. Once I no longer encoded the password it worked fine. I have removed the username and password from the URI and now use the setUsername() and setPassword() methods on all the bindings as per your recommendation.
  • Joe,

    I'm just coming back around to this after a bit of a hiatus. We are looking to upgrade to v10 and the auth issue is a bit of a bump in the road.

    The application is kind of a one stop shop. Basically, put in an IP or Servername and it queries all LTMs and GTMs for membership. That being said, the web_ltmview may be updated for a different LTM upon each server lookup. I don't think I've instantiated the web_ltmview object at all (but maybe I have...sorry).

            private void btn_nodeView_Click(object sender, EventArgs e)             // EVENT - Opens GUI with Node Page on IP Address  
            {
                if (txt_serverIp.Text != "")
                {
                    if (authenticated == true)
                    {
                        if (ltmDerived != "")
                        {
                            getDeviceVersion(ltmDerived);
    
                            if (swVersion.Contains("v9"))
                            {
                                // v9 Syntax
                                // Example for Node 10.10.10.10 - https://LTMname/tmui/Control/jspmap/tmui/locallb/node/properties.jsp?addr=10.10.10.10
                                web_ltmview.Url = new Uri(
                                    "https://" +
                                    txt_username.Text +
                                    ":" +
                                    System.Web.HttpUtility.UrlEncode(txt_password.Text) +
                                    "@" +
                                    ltmDerived +
                                    ".company.com/" +
                                    "tmui/Control/jspmap/tmui/locallb/node/properties.jsp?addr=" +
                                    txt_serverIp.Text
                                    );
                            }
                            else
                            {
                                // v10 Syntax
                                // Example for Node 10.10.10.10 = https://LTMname/tmui/Control/jspmap/tmui/locallb/node/properties.jsp?addr=10.10.10.10
                                web_ltmview.Url = new Uri(
                                    "https://" +
                                    txt_username.Text +
                                    ":" +
                                    System.Web.HttpUtility.UrlEncode(txt_password.Text) +
                                    "@" +
                                    ltmDerived +
                                    ".company.com/" +
                                    "tmui/Control/jspmap/tmui/locallb/node/properties.jsp?addr=" +
                                    txt_serverIp.Text
                                    );
                            }
                        }
                        else
                        {
                            MessageBox.Show("Node not defined to LTM.  \r\n" +
                                "\r\n" +
                                "Can't Open Network Map for Undefined Node.",
                            "F5 Service.Hub - General Error", MessageBoxButtons.OK, MessageBoxIcon.Stop);
                        }
                    }
                    else
                    {
                        MessageBox.Show("Perform 'Server Lookup' First.",
                            "F5 Service.Hub - Network Map Error", MessageBoxButtons.OK, MessageBoxIcon.Stop);
                    }
                }
                else
                {
                    MessageBox.Show("No Server Name and / or IP Specified!", "F5 Service.Hub - No Server Name Entered", MessageBoxButtons.OK, MessageBoxIcon.Asterisk);
                }
            }

    The v9 code works, but the v10 does not.

    Thanks again - Luke
  • Are you using the iControl library for Java? If so, why not use the builtin setUsername, setPassword methods? Munging the username/password in the URLs is not very secure and something that has been purged out of browsers and connection libraries over the last few years. Since you didn't include the rest of your code, I'm not sure how you are actually making the iControl calls. Regardless, I recommend using the builtin methods in the various toolkits out there for packing up the client credentials.

    -Joe

  • Posted By Joe on 07/13/2010 08:34 AM

    Ahhh, now I see why you aren't using the iControl libraries, because you are trying to do a grab of the admin GUI. If so, then my approach should work with the Authentication header.

    -Joe

    Hey Joe,

    Sorry for the delayed response here. I know it's been a while between my posts, so I've quoted something you posted previously.

    I'm not opposed to trying something different, but I'll warn you, I'm no developer, so I'm not even really sure what you're saying when you mention using the java libraries...

    Sorry,

    Luke
  • Going to try and resurrect this thread. It's been probably a year since I've touched the code at all, so I'm a bit rusty.

    The brief overview is that I'm trying to display the Admin GUI within the Windows C application, so when the user searches for a node, it displays a list within the app, then they can click on "Map Node" and it will bring up the GUI with the network map, using the node's IP address.

    I was able to complete this in v9 using this syntax:

        web_ltmview.Url = new Uri(
            "https://" +
            txt_username.Text +
            ":" +
            System.Web.HttpUtility.UrlEncode(txt_password.Text) +
            "@" +
            ltmDerived +
            ".domain.com/" +
            "tmui/Control/form?_form_holder_opener_=&handler" +
            "=%2Ftmui%2Flocallb%2Fnetwork_map&handler_before=%2Ftmui%2Flocallb%2Fnetwork_map&showObjList=&showObjList_befor" +
            "e=&hideObjList=&hideObjList_before=&enableObjList=partition_control&enableObjList_before=&disableObjList=&disa" +
            "bleObjList_before=&form_page=%2Ftmui%2Flocallb%2Fnetwork_map.jsp&form_page_before=%2Ftmui%2Flocallb%2Fnetwork_" +
            "map.jsp&error_page=%2Ftmui%2Flocallb%2Fnetwork_map.jsp&error_page_before=%2Ftmui%2Flocallb%2Fnetwork_map.jsp&s" +
            "how_map=1&show_map_before=0&status_select_before=null&status_select=0&object_type_select_before=null&object_ty" +
            "pe_select=&SearchString=" +
            txt_serverIp.Text +
            "&SearchString_before=*&irule_body_before=unchecked&Show+Summary_before=Show+Summary&Show+Map=Update+Map&Show+M" +
            "ap_before=Update+Map"
            );

    I am unable to use that syntax in v10.

    Any suggestions are much appreciated!

  • The GUI is not guaranteed to maintain URLs across versions and this looks like a case where the URLs did change for features. v9 to v10 was a big jump and a lot of the GUI changed as well. This will likely take some experimenting...
  • I am all in for experimentation.

    I guess my hope for user experience from within the app I created is that they won't have to "log in" twice. They've already provided their credentials once, and I'm hoping that they won't have to provide them again for viewing the webcontrol.

    I can certainly modify the URLs based on software version. I've actually kind of planned for this by doing a version check of the LTM and then pointing to the correct URL for each version. Probably the only good thing I've done with the code thus far...

    Thanks in advance!
  • Joe / All,

    I think this is more of a change in the way the GUI authenticates. I understand that it has been updated from Basic Auth to Forms Auth, but where I'm getting tripped up is how exactly to POST the proper data to authenticate successfully.

    I've referenced this, but still can't quite get it to work: http://devcentral.f5.com/wiki/iRules.ClientAuthUsingHTMLForms.ashx

    From what I understand this is the flow of the login (w/ Forms)

    1a. Page request for protected resource
    1b. Server (LTM) responds with a 302 of the login page (/tmui/login.jsp)
    2a. User POSTs data from the Auth Form to the server
    2b. Server (LTM) responds with a 302 with the original page location and a set-cookie
    3. Client requests original URL with cookie in header

    Am I going down the right path?