Forum Discussion

umiotoko_95283's avatar
umiotoko_95283
Icon for Nimbostratus rankNimbostratus
Sep 21, 2011

X-Authenticated-User field

Probably a stooopid question, but I can't seem to find detailed documentation on this.

 

 

 

I host a SSL website that our users have to log into, through APM with a LDAP call to AD. With the iRule logic below, i pass the username to an application that uses AD groups to decide what a user can see or do.

 

 

 

when ACCESS_ACL_ALLOWED {

 

HTTP::header insert "X-Authenticated-User" [ACCESS::session data get session.logon.last.username ]

 

}

 

 

 

A sufficiently smart user could attempt to elevate themselves by using a valid login, then attempt to manually populate the X-A-U field with a higher privilege username.

 

 

 

My questions:

 

 

 

1. Does F5 APM/LTM automatically wipe the X-A-U header ? Or should my iRule do this manually ?

 

 

 

2. If the user attempted to populate this header from an external request, would I ever end up with duplicate headers (one from the user and one from F5) ?

 

 

 

Thanks !

 

 

 

1 Reply

  • Brian_Deitch_11's avatar
    Brian_Deitch_11
    Historic F5 Account
    1. I don't think so. You should do this within your irule.

    2. You will have duplicates.

    Try this:

    when ACCESS_ACL_ALLOWED {
      if { [HTTP::header exists X-Authenticated-User] {
          HTTP:header remove X-Authnticated-User
        HTTP::header insert "X-Authenticated-User"  [ACCESS::session data get session.logon.last.username ]
    }