Clientless mode failing to interact with AD
Scenario: I have a webserice that is being called by some clients. When they hit a webservice, they should enter in a username / password combo for basic authentication. Those credentials should be taken by the APM, and processed in active directory. Here is an image of the flow: Per this conversation, I am creating this IRule to promt for username/password credentials and allow the APM to perform work. when HTTP_REQUEST { set apmsessionid [HTTP::cookie value MRHSession] if { [HTTP::cookie exists "MRHSession"] } {set apmstatus [ACCESS::session exists -state_allow $apmsessionid]} else {set apmstatus 0} if {!($apmstatus)} { Insert Clientless-mode header to start APM in clientless mode if { [catch {HTTP::header insert "clientless-mode" 1} ] } {log local0. "[IP::client_addr]:[TCP::client_port] : TCL error on HTTP header insert clientless-mode : URL : [HTTP::host][HTTP::path] - Headers : [HTTP::request]"} } } when ACCESS_POLICY_COMPLETED { Authentication request for non bowser user-agent session denied if { ([ACCESS::policy result] equals "deny") } { ACCESS::respond 401 noserver WWW-Authenticate "Basic realm=\"My Web Services Authentication\"" Connection close ACCESS::session remove return } } However, following that post and using that code, always leads me to the Deny portion. If I use the original solution here, I am able to authenticate successfully. Am I missing something to add?
Secure a web service using APM
Hi I'm looking to use the F5 to secure (basic auth) a web service that needs to be called from a .net application. What is the best way to configure something like this, where the "client" isn't a browser? The application doesn't appear to support the 302 redirects that a browser would, so do I need to create a fairly vanilla access profile (logon page - AD Auth - Allow) and then write an irule to send the inital 401 response to the initial request? Cheers, Simon
xml signatures
I am trying to create a simple policy for web services/xml which would scan the incoming traffic against generic and xml related violations (without format or schema checks). After creating + assigning a Rapid Deployment Policy and assigning Generic + XML signatures to it will ASM check for the XML related violations? (when the XML-policy/web-services part is not configured) Do I understand correctly that everything going towards application will be wildcard matched against selected signature sets (including the XML stuff which should require manual policy configuration) or do the XML signatures only apply after the manual XML policy configuration?
