Forum Discussion
X-Authenticated-User field
Probably a stooopid question, but I can't seem to find detailed documentation on this.
I host an SSL website that our users have to log into, through APM with an LDAP call to AD. With the iRule logic below, I pass the username to an application that uses AD groups to decide what a user can see or do.
when ACCESS_ACL_ALLOWED {
HTTP::header insert "X-Authenticated-User" [ACCESS::session data get session.logon.last.username ]
}
A sufficiently smart user could attempt to elevate themselves by using a valid login, then attempt to manually populate the X-A-U field with a higher privilege username.
My questions:
1. Does F5 APM/LTM automatically wipe the X-A-U header? Or should my iRule do this manually?
2. If the user attempted to populate this header from an external request, would I ever end up with duplicate headers (one from the user and one from F5)?
Thanks!
- Brian_Deitch_11 (Historic F5 Account): 1. I don't think so. You should do this within your iRule.
when ACCESS_ACL_ALLOWED {
    # Strip any client-supplied copy of the header before inserting the value from the APM session
    if { [HTTP::header exists "X-Authenticated-User"] } {
        HTTP::header remove "X-Authenticated-User"
    }
    HTTP::header insert "X-Authenticated-User" [ACCESS::session data get session.logon.last.username]
}
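Modelling the risk the question describes, as an added example that is not from the thread or from F5: a Python sketch of what the corrected iRule has to do (remove every client-supplied copy of the header, then insert exactly one from the session) beside the original insert-only behaviour, plus a backend check that rejects a request carrying duplicate copies. It is not iRule/Tcl code; HEADER, the function names and the sample request are constructed for illustration.

```python
# Added example: a model of trusted-header sanitisation, not F5/iRule code.
from typing import List, Tuple

Header = Tuple[str, str]
HEADER = "X-Authenticated-User"  # the header name used in the thread


def strip_and_insert(headers: List[Header], session_user: str) -> List[Header]:
    """Model of the corrected iRule: drop every client-supplied instance of
    the trusted header (HTTP header names are case-insensitive, so compare
    case-folded) and append one copy taken from the APM session."""
    cleaned = [(n, v) for n, v in headers if n.lower() != HEADER.lower()]
    cleaned.append((HEADER, session_user))
    return cleaned


def insert_only(headers: List[Header], session_user: str) -> List[Header]:
    """Model of the original iRule: insert without removing. A spoofed
    client header survives, so the backend sees two values."""
    return headers + [(HEADER, session_user)]


def backend_user(headers: List[Header]) -> str:
    """Defence in depth for the backend application: honour the header only
    when exactly one instance is present; duplicates mean the proxy did not
    sanitise, so the request is refused rather than guessed at."""
    values = [v for n, v in headers if n.lower() == HEADER.lower()]
    if len(values) != 1:
        raise ValueError(f"expected exactly one {HEADER}, got {len(values)}")
    return values[0]


# Constructed request: a user logged in as "alice" also sends the header
# in lower case with a different username, hoping the app honours it.
SPOOFED_REQUEST: List[Header] = [
    ("Host", "app.example.test"),
    ("x-authenticated-user", "someone-else"),
]


def demo() -> dict:
    naive = insert_only(SPOOFED_REQUEST, "alice")
    fixed = strip_and_insert(SPOOFED_REQUEST, "alice")
    result = {
        "fixed_user": backend_user(fixed),
        "naive_count": sum(1 for n, _ in naive if n.lower() == HEADER.lower()),
    }
    try:
        backend_user(naive)
        result["naive_rejected"] = False
    except ValueError:
        result["naive_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```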