For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Bill_Brazill's avatar
Bill_Brazill
Icon for Employee rankEmployee
Jul 11, 2016

Trying to set a variable on content of SOAP envelope

While trying to help our DevOps team, I previously used another iRule I found on DevCentral as a template to do some throttling on http requests. With a few modifications, I got it working, and it works great. Props to Kirk Bauer for his code share on https://devcentral.f5.com/codeshare/http-request-throttle Nice work

 

Of course they now want me to perform the same function but instead of throttling on the client's IP address, they now want me to throttle off a username instead of IP. The catch for me is the username is contained in a SOAP envelope. I am a network guy so XML/SOAP is not my forte, I actually don't even know if this is possible, and if if this type of inspection will really crush my cpu/memory, as our prod version is a heavily used application.

 

I did a tcpdump on a test connection to find exactly where the username is located. Looking in wireshark the test_user is contained under

 

XML> soapenv:Envelope> soapenv:Header> wsse:Security> wsse:UsernameToken> wsse:Username> test_user

 

Any idea if, or how this could be done? I looked over any DevCentral or support posts related to this but I am not able to figure out what to do. Would a XML profile be any benefit?

 

Thanks in advance, Bill

 

devops
iRules
LTM

2 Replies

  • BinaryCanary_19's avatar
    BinaryCanary_19
    Historic F5 Account
    Jul 12, 2016

    in theory, you can use the 

    HTTP::collect
    command to inspect HTTP payload as it streams by, but for a heavily used application, this will certainly impact performance, and to some extent latency.

    might it not be better if you instead enforce by some HTTP Header, such as perhaps, the Session Cookie? If the application developers restrict each username to a single session (consult with them), then this is effectively the same as throttling by username. There are built-in commands for interacting with HTTP cookies and other Headers.

  • Bill_Brazill's avatar
    Bill_Brazill
    Icon for Employee rankEmployee
    Jul 12, 2016

    Thank you very much for the feedback. This application is hit pretty heavy so I was afraid what they wanted would be very impactful to performance. I need to talk to my app developers to see if they would consider only allowing one session per username. If so, and if not just for my curiosity, how would this be done? I am not sure of the built in commands your speaking of that would work for interacting with cookies or other headers. Thanks again.