Technical Forum
Ask questions. Discover Answers.
cancel
Showing results for 
Search instead for 
Did you mean: 

REST iControl account password issue if special characters used

Daniel_H
Nimbostratus
Nimbostratus

I followed the guidelines indicated by Jason in:

 

https://devcentral.f5.com/s/articles/demystifying-icontrol-rest-part-6-token-based-authentication

 

and have REST basic authentication and token based calls working okay with one exception (I wrote the script in Perl - I know, I'm in the minority here) - if the account password being used has certain special characters (like '}') which are part of the JSON syntax, the authentication fails. For example:

 

{

"username": "test_user",

"password": "abcd1234}",

"loginProviderName": "tmos"

}

 

fails, but if the password was just 'abcd1234', it works. Is there a way of encoding the password (e.g. base64 like basic authentication header expects) so this doesn't fail?

 

2 REPLIES 2

I dont think thats necessary. The curly braces as string objects need not be escaped. Refer - https://tools.ietf.org/html/rfc7159#section-7

 

And through rest I tried to reset my password - "password}" and it worked too.

curl -sk -u testaccount -H "Content-Type: application/json" -X PATCH https://hostname/mgmt/tm/auth/user/testaccount -d '{ "password": "password}" }'

Can you share the error you are seeing.

Daniel_H
Nimbostratus
Nimbostratus

​Sorry, false alarm, it turned out that it wasn't a password special character issue at all.  I was updating my script to include REST logons (in addition to the SOAP logons that are already present in the script) and that broke because the account I was using has a dynamically changing token which caused the REST logon to fail since the token can't be reused (at least in any reasonable amount of time).  Note that I'm not referring to the token that a REST logon returns after a successful logon (and can be reused for whatever the timeout period is  - 8 hours I believe).

 

This does bring up another question, however.  We have many independent clusters of F5s which all are set to authenticate against the same TACACS+ servers.  As mentioned above, all accounts use dynamically changing tokens.  There are many cases where I use the script to logon to multiple F5 clusters to perform various activities and it would be really nice if there was some way to authenticate against one cluster and then use the returned REST token (or some other mechanism) to logon to other F5 clusters so that I wouldn't have to enter a new token to each F5 cluster.  Is there any way of doing that?