raZorTT
Oct 31, 2017

Secure a web service using APM

Hi

I'm looking to use the F5 to secure (basic auth) a web service that needs to be called from a .net application.

What is the best way to configure something like this, where the "client" isn't a browser?

The application doesn't appear to support the 302 redirects that a browser would, so do I need to create a fairly vanilla access profile (logon page - AD Auth - Allow) and then write an iRule to send the initial 401 response to the initial request?

Cheers, Simon

2 Replies

  • Hi,

    Access Policy default behavior is to redirect to /my.policy even if authentication is Basic Auth in VPE.

    You have to use an iRule to insert the clientless-mode header with value 1.

    Try this iRule with the policy logon page - AD Auth - Allow:

    when RULE_INIT {
        set static::Basic_Realm_Text "Authentication Required"
    }
    when HTTP_REQUEST {
        # Cache the access profile's "restrict to single client IP" setting once per connection
        if { ! [ info exists SP_PROFILE_RESTRICT_SINGLE_IP ] } {
            set SP_PROFILE_RESTRICT_SINGLE_IP [PROFILE::access restrict_to_single_client_ip]
        }
        if { ( [set sessionid [HTTP::cookie value "MRHSession"]] ne "" ) and ( [ACCESS::session exists -state_allow $sessionid] ) } then {
            # Allow the successfully pre-authenticated request to pass
            return
        } else {
            if { [ string match -nocase {basic *} [HTTP::header Authorization] ] == 1 } {
                set clientless(insert_mode) 1
                set clientless(src_ip)      [IP::remote_addr]
                set clientless(username)    [ string tolower [HTTP::username] ]
                set clientless(password)    [HTTP::password]
                # Key used to look up an existing session for these credentials; bound to the client IP when the profile requires it
                if { $SP_PROFILE_RESTRICT_SINGLE_IP == 0 } {
                    binary scan [md5 "$clientless(password)"] H* clientless(hash)
                } else {
                    binary scan [md5 "$clientless(password)$clientless(src_ip)"] H* clientless(hash)
                }
                set user_key "$clientless(username).$clientless(hash)"
                set clientless(cookie_list) [ ACCESS::user getsid $user_key ]
                if { [ llength $clientless(cookie_list) ] != 0 } {
                    # Reuse the existing session instead of running the policy again
                    set clientless(cookie) [ ACCESS::user getkey [ lindex $clientless(cookie_list) 0 ] ]
                    if { $clientless(cookie) != "" } {
                        HTTP::cookie insert name MRHSession value $clientless(cookie)
                        set clientless(insert_mode) 0
                    }
                }
                if { $clientless(insert_mode) } {
                    # No usable session: run the policy in clientless mode so APM answers inline instead of redirecting to /my.policy
                    HTTP::header insert "clientless-mode" 1
                }
            }
        }
    }

    when ACCESS_SESSION_STARTED {
        if { [info exists user_key] } then {
            ACCESS::session data set {session.user.uuid} $user_key
        }
        if { [info exists clientless] } then {
            # Hand the Basic credentials to the policy as if they had been entered on the logon page
            ACCESS::session data set {session.logon.last.username} $clientless(username)
            ACCESS::session data set -secure {session.logon.last.password} $clientless(password)
        }
    }

    when ACCESS_POLICY_COMPLETED {
        # Policy denied a clientless-mode request: answer with a 401 challenge rather than the logon page
        if { ([info exists clientless(insert_mode)]) && ($clientless(insert_mode)) && ([ACCESS::policy result] equals "deny") } {
            ACCESS::respond 401 noserver WWW-Authenticate "Basic realm=\"$static::Basic_Realm_Text\"" Connection close
            ACCESS::session remove
        }
    }
    
  • Hello Simon,

    Check the "HTTP 401 Response" action. It will be useful in your case and you won't need to use an irule to make the 401 response.

    https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-visual-policy-editor-12-1-0/5.html

    Your VPE will look like this: "HTTP 401 Response" + "AD AUTH" + ending allow or deny.

    From the HTTP 401 Response you can choose which authentication protocol you want to use in the HTTP 401 Response header.

    Hope it helps

    Regards
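Both replies describe the same exchange: no 302 to /my.policy, a 401 carrying WWW-Authenticate: Basic, the client repeating the request with an Authorization header, and the MRHSession cookie identifying the allowed session afterwards. As an added example (not code from either reply or from F5), here is that exchange modelled in Python with both sides: a minimal model of the APM decision (cookie check, the clientless Basic path with the username.md5(password[+src_ip]) session key from the iRule, 401 on deny) and a non-browser client that answers the challenge the way the asker's .NET application would need to. The user table, session table and session-id derivation are constructed stand-ins.

```python
import base64
import hashlib

# Constructed stand-ins for AD and the APM session table (example code, not F5's implementation).
USERS = {"simon": "s3cret"}
SESSIONS = {}            # MRHSession value -> user_key (what ACCESS::session exists checks)
USER_KEYS = {}           # user_key -> MRHSession value (what ACCESS::user getsid/getkey return)
RESTRICT_SINGLE_IP = True
CHALLENGE = {"WWW-Authenticate": 'Basic realm="Authentication Required"', "Connection": "close"}


def user_key(username, password, src_ip):
    """Same lookup key the iRule builds: username.md5(password[+src_ip]); only used to find an existing session."""
    material = password + (src_ip if RESTRICT_SINGLE_IP else "")
    return f"{username.lower()}.{hashlib.md5(material.encode()).hexdigest()}"


def apm_handle(headers, src_ip):
    """APM side: returns (status, response_headers, body) for one request."""
    cookies = dict(c.strip().split("=", 1) for c in headers.get("Cookie", "").split(";") if "=" in c)
    if cookies.get("MRHSession") in SESSIONS:
        return 200, {}, "backend response"            # allowed session: pass straight through
    auth = headers.get("Authorization", "")
    if auth.lower().startswith("basic "):             # clientless mode: authenticate inline, no 302
        try:
            username, password = base64.b64decode(auth[6:]).decode().split(":", 1)
        except (ValueError, UnicodeDecodeError):
            return 401, CHALLENGE, ""                 # malformed credentials: challenge again
        key = user_key(username, password, src_ip)
        if key in USER_KEYS:                          # existing session for these credentials: reuse it
            return 200, {"Set-Cookie": f"MRHSession={USER_KEYS[key]}"}, "backend response"
        if USERS.get(username.lower()) == password:   # AD Auth succeeded -> Allow, new session
            sid = hashlib.sha256(key.encode()).hexdigest()[:32]   # constructed session id
            SESSIONS[sid], USER_KEYS[key] = key, sid
            return 200, {"Set-Cookie": f"MRHSession={sid}"}, "backend response"
    return 401, CHALLENGE, ""                         # Deny or no credentials: 401, never a redirect


def client_fetch(username, password, src_ip, cookie_jar):
    """Non-browser client: presents its cookie if it has one and answers a Basic challenge exactly once."""
    headers = {"Cookie": f"MRHSession={cookie_jar['MRHSession']}"} if "MRHSession" in cookie_jar else {}
    status, resp, body = apm_handle(headers, src_ip)
    if status == 401 and resp.get("WWW-Authenticate", "").startswith("Basic"):
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        status, resp, body = apm_handle({**headers, "Authorization": f"Basic {token}"}, src_ip)
    if "Set-Cookie" in resp:                          # remember the session so later calls skip authentication
        cookie_jar["MRHSession"] = resp["Set-Cookie"].split("=", 1)[1]
    return status, body
```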