APM Sharepoint authentication
Problem this snippet solves: Updated version to support WebDAV with Windows Explorer after Nicolas's comment.
APM is a great authentication service, but it only does so with forms.
The default be...
Published Apr 20, 2016
Version 1.0
Stanislas_Piro2
Cumulonimbus
Joined January 04, 2011
Kai_Wilke (MVP)
Sep 14, 2016
Hi Stanislas,
Tell me what you think about this rather simple change. It's much more secure than any IP binding... 🙂
when RULE_INIT {
    # Lock an account after this many failed logins within the window (0 disables the check)
    set static::account_failed_auth_limit 5
    # Sliding window in seconds during which failed logins are counted
    set static::account_failed_auth_window 300
    # Seconds the account stays locked once the limit is reached
    set static::account_lockout_duration 600
}
when HTTP_REQUEST {
    ....
    if { !([HTTP::header Authorization] == "") } {
        set clientless(insert_mode) 1
        # Connection-scoped flag read in ACCESS_POLICY_COMPLETED (the clientless array is unset below)
        set clientless_mode 1
        set username [ string tolower [HTTP::username] ]
        # Reject the request while a lock entry exists for this username
        if { [table lookup "$username\_lock"] ne 1 } then {
            set clientless(password) [HTTP::password]
            binary scan [md5 "$clientless(password)"] H* clientless(hash)
            set user_key "$username.$clientless(hash)"
            # Reuse an existing APM session that was created for the same username/password hash
            set clientless(cookie_list) [ ACCESS::user getsid $user_key ]
            if { [ llength $clientless(cookie_list) ] != 0 } {
                set clientless(cookie) [ ACCESS::user getkey [ lindex $clientless(cookie_list) 0 ] ]
                if { $clientless(cookie) != "" } {
                    HTTP::cookie insert name MRHSession value $clientless(cookie)
                    set clientless(insert_mode) 0
                }
            }
            # No reusable session: hand the credentials to the access policy
            if { $clientless(insert_mode) } {
                HTTP::header insert "clientless-mode" 1
                HTTP::header insert "username" $username
                HTTP::header insert "password" $clientless(password)
            }
            unset clientless
        } else {
            # Account is locked: answer 401 without evaluating the credentials
            HTTP::respond 401 WWW-Authenticate "Basic realm=\"$static::Basic_Realm_Text\"" Set-Cookie "MRHSession=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/" Connection close
            unset clientless
            return
        }
    } else {
        # No Authorization header: ask the client for Basic credentials
        HTTP::respond 401 WWW-Authenticate "Basic realm=\"$static::Basic_Realm_Text\"" Set-Cookie "MRHSession=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/" Connection close
        return
    }
    ...
}
when ACCESS_POLICY_COMPLETED {
    if { ([info exists "clientless_mode"]) && ($clientless_mode) && ([ACCESS::policy result] equals "deny") } {
        ACCESS::respond 401 WWW-Authenticate "Basic realm=\"$static::Basic_Realm_Text\"" Set-Cookie "MRHSession=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/" Connection close
        ACCESS::session remove
        if { $static::account_failed_auth_limit > 0 } then {
            # One subtable key per failed login; each key expires on its own after the window
            if { [expr { [table keys -subtable "$username\_count" -count] + 1 }] >= $static::account_failed_auth_limit } {
                # Limit reached: create the lock entry and reset the failure counter
                table set -notouch "$username\_lock" 1 indef $static::account_lockout_duration
                table delete -subtable "$username\_count" -all
            } else {
                table set -subtable "$username\_count" [clock clicks] 1 indef $static::account_failed_auth_window
            }
        }
    }
}
Note: The provided code is recycled from one of my iRule-based authentication module(s). The code is not tested in combination with your code and may contain some coding glitches...
Cheers, Kai
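The lockout bookkeeping in Kai's snippet (one subtable key per failed login whose lifetime is the window, and a lock entry once the limit is reached) modelled in Python, as an added example that is not part of the thread or of the iRule. The LockoutTable class and its method names are hypothetical, and the current time is passed in explicitly so expiry can be checked without waiting.

```python
from collections import defaultdict

# Constants mirror the RULE_INIT values from the iRule above.
FAILED_AUTH_LIMIT = 5     # static::account_failed_auth_limit
FAILED_AUTH_WINDOW = 300  # static::account_failed_auth_window, seconds
LOCKOUT_DURATION = 600    # static::account_lockout_duration, seconds


class LockoutTable:
    """Hypothetical stand-in for the BIG-IP session table used by the iRule."""

    def __init__(self):
        self._locks = {}                    # "$username_lock" entry -> expiry time
        self._failures = defaultdict(list)  # "$username_count" subtable -> key expiry times

    def _live_failures(self, user, now):
        # Keys whose lifetime (the window) has elapsed are gone, as with table lifetimes.
        self._failures[user] = [t for t in self._failures[user] if t > now]
        return self._failures[user]

    def is_locked(self, username, now):
        # Mirrors the HTTP_REQUEST check: [table lookup "$username\_lock"] ne 1
        user = username.lower()
        expiry = self._locks.get(user)
        if expiry is None:
            return False
        if expiry <= now:          # lock lifetime elapsed, the entry disappears
            del self._locks[user]
            return False
        return True

    def record_failure(self, username, now):
        """Deny branch of ACCESS_POLICY_COMPLETED; returns True when the account gets locked."""
        user = username.lower()    # the iRule lower-cases HTTP::username first
        if FAILED_AUTH_LIMIT <= 0:
            return False           # limit check disabled, as in the iRule
        # table keys -subtable "$username\_count" -count, plus the failure being recorded
        if len(self._live_failures(user, now)) + 1 >= FAILED_AUTH_LIMIT:
            self._locks[user] = now + LOCKOUT_DURATION   # table set -notouch ... indef <duration>
            self._failures[user] = []                    # table delete -subtable ... -all
            return True
        # One key per failure, lifetime = window, so old failures fall out on their own
        self._failures[user].append(now + FAILED_AUTH_WINDOW)
        return False
```

Because the lock is keyed on the username alone, wrong passwords submitted for a known account name keep that account locked for the duration; that denial-of-service trade-off is inherent to any username-keyed lockout and is the reason to keep the window and duration short.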