APM Sharepoint authentication

Problem this snippet solves: Updated version to support WebDAV with Windows Explorer after Nicolas's comment. APM is a great authentication service but it does it only with forms. The default be...
Published Apr 20, 2016
Version 1.0
BIG-IP Access Policy Manager (APM)
editing office documents
iRules
ms-ofba
programmability contest
security
sharepoint
Stanislas_Piro2
Joined January 04, 2011
Kai_Wilke
Sep 14, 2016

Hi Stanislas,

 

Tell me what you think about this rather simple change. It's much more secure than any IP binding... 🙂

 

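when RULE_INIT {
    # Failed authentications per username that trigger a lockout (0 disables the check)
    set static::account_failed_auth_limit 5
    # Lifetime in seconds of each failed-attempt entry (the counting window)
    set static::account_failed_auth_window 300
    # Lifetime in seconds of the lockout entry
    set static::account_lockout_duration 600
}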
when HTTP_REQUEST {

....

  if { !([HTTP::header Authorization] == "") } {
     set clientless(insert_mode) 1
     set username    [ string tolower [HTTP::username] ]
     if { [table lookup "$username\_lock"] ne 1 } then {
        set clientless(password)    [HTTP::password]
        binary scan [md5 "$clientless(password)"] H* clientless(hash)
        set user_key "$username.$clientless(hash)"
        set clientless(cookie_list)             [ ACCESS::user getsid $user_key ]
        if { [ llength $clientless(cookie_list) ] != 0 } {
           set clientless(cookie) [ ACCESS::user getkey [ lindex $clientless(cookie_list) 0 ] ]
           if { $clientless(cookie) != "" } {
              HTTP::cookie insert name MRHSession value $clientless(cookie)
              set clientless(insert_mode) 0
           }
        }
        if { $clientless(insert_mode) } {
           HTTP::header insert "clientless-mode" 1
           HTTP::header insert "username" $username
           HTTP::header insert "password" $clientless(password)
        }
        unset clientless
     } else {
        HTTP::respond 401 WWW-Authenticate "Basic realm=\"$static::Basic_Realm_Text\"" Set-Cookie "MRHSession=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/" Connection close
        unset clientless
        return
     }
  } else {
    HTTP::respond 401 WWW-Authenticate "Basic realm=\"$static::Basic_Realm_Text\"" Set-Cookie "MRHSession=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/" Connection close
    return
  }

...

}
when ACCESS_POLICY_COMPLETED {
   if { ([info exists "clientless_mode"]) && ($clientless_mode) && ([ACCESS::policy result] equals "deny") } {
      ACCESS::respond 401 WWW-Authenticate "Basic realm=\"$static::Basic_Realm_Text\"" Set-Cookie "MRHSession=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/" Connection close
      ACCESS::session remove
      if { $static::account_failed_auth_limit > 0 } then {
         if { [expr { [table keys -subtable "$username\_count" -count] + 1 }] >= $static::account_failed_auth_limit } {
            table set -notouch "$username\_lock" 1 indef $static::account_lockout_duration
            table delete -subtable "$username\_count" -all
         } else {
            table set -subtable "$username\_count" [clock clicks] 1 indef $static::account_failed_auth_window
         }

      }

   } 
}

Note: The provided code is recycled from one of my iRule based authentication module(s). The code is not tested in combination with your code and may contain some coding glitches...

 

Cheers, Kai
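
The lockout bookkeeping from the comment above, modelled in Python so its timing can be checked off-box. This is an added example, not part of the original post and not iRule code; the class, function and sample events are constructed, and entry expiry is assumed exact to the second.

```python
# Added model of the iRule's table-based lockout; all names here are hypothetical.
# Entries expire by lifetime only, as with `table set ... indef <lifetime>`.
class LockoutModel:
    def __init__(self, limit=5, window=300, lockout=600):
        self.limit, self.window, self.lockout = limit, window, lockout
        self.failures = {}   # username -> expiry times of failed-attempt entries
        self.locks = {}      # username -> expiry time of the lock entry

    def is_locked(self, username, now):
        # Mirrors the "<username>_lock" lookup done in HTTP_REQUEST.
        user = username.lower()          # the iRule lowercases the username
        if self.locks.get(user, 0) > now:
            return True
        self.locks.pop(user, None)       # lock entry has aged out
        return False

    def record_failure(self, username, now):
        # Mirrors the deny branch of ACCESS_POLICY_COMPLETED.
        # Returns True when this failure sets the lock.
        user = username.lower()
        if self.limit <= 0:              # a limit of 0 disables the lockout
            return False
        live = [t for t in self.failures.get(user, []) if t > now]
        if len(live) + 1 >= self.limit:  # stored failures plus this one
            self.locks[user] = now + self.lockout
            self.failures.pop(user, None)
            return True
        live.append(now + self.window)
        self.failures[user] = live
        return False

def replay(events, model=None):
    # events: (time_s, username, outcome), outcome is "deny" or "allow".
    # Returns what each request sees: locked, deny, deny+lock or allow.
    model = model or LockoutModel()
    seen = []
    for now, user, outcome in events:
        if model.is_locked(user, now):
            seen.append("locked")        # 401 before credentials reach APM
        elif outcome == "deny":
            seen.append("deny+lock" if model.record_failure(user, now) else "deny")
        else:
            seen.append("allow")         # the lines shown never clear the counter on success
    return seen

# Constructed sample: five bad passwords in 40 s, then retries during and after the lock.
SAMPLE = [(t, "Alice", "deny") for t in (0, 10, 20, 30, 40)] + [
    (100, "alice", "allow"), (639, "alice", "allow"), (640, "alice", "allow")]
```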

 
