X-Authenticated-User field
Probably a stooopid question, but I can't seem to find detailed documentation on this.
I host an SSL website that our users have to log into through APM, with an LDAP call to AD. With the iRule logic below, I pass the username to an application that uses AD groups to decide what a user can see or do.
when ACCESS_ACL_ALLOWED {
    # Fires once APM has authenticated the session and allowed the request
    # Pass the session's logon username to the backend in a custom header
    HTTP::header insert "X-Authenticated-User" [ACCESS::session data get session.logon.last.username]
}
A sufficiently smart user could attempt to elevate themselves by using a valid login, then attempt to manually populate the X-A-U field with a higher privilege username.
My questions:
1. Does F5 APM/LTM automatically wipe the X-A-U header? Or should my iRule do this manually?
2. If the user attempted to populate this header from an external request, would I ever end up with duplicate headers (one from the user and one from F5)?
Thanks!
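An added example, not part of the original post and not a statement of F5's documented behaviour: it assumes APM does not strip a client-supplied X-Authenticated-User header on its own, so the iRule discards every inbound copy (and logs the attempt for the SOC) before inserting the single value taken from the APM session. The header name, the session variable and the ACCESS_ACL_ALLOWED event come from the post; the removal loop, the log line and the variable name hdr are assumptions.

```tcl
when ACCESS_ACL_ALLOWED {
    # Name of the trusted identity header the backend relies on (from the post)
    set hdr "X-Authenticated-User"

    # The client must never be allowed to set this header itself. Drop every
    # occurrence that arrived in the request, looping so that duplicates are
    # all gone regardless of whether remove strips one or all instances.
    if { [HTTP::header exists $hdr] } {
        # Record the client-supplied value(s): an authenticated user sending
        # this header is a privilege-escalation attempt worth investigating.
        log local0. "Client-supplied $hdr from [IP::client_addr] dropped: [HTTP::header values $hdr]"
        while { [HTTP::header exists $hdr] } {
            HTTP::header remove $hdr
        }
    }

    # Now the only copy the backend sees is the one APM authenticated
    HTTP::header insert $hdr [ACCESS::session data get session.logon.last.username]
}
```

Because every inbound copy is removed before the insert, the backend can never receive two X-Authenticated-User values, which answers the duplicate-header concern independently of what the BIG-IP does by default. Confirm the exact semantics of HTTP::header remove and HTTP::header insert against the iRule reference for the TMOS version in use, since they have changed between releases.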