Hi,
This iRule permits starting the authentication process only if the server responds with a 401 code. But if the user wants to go back to unauthenticated content, APM keeps requesting authentication until the cookie is removed.
The following modified iRule permits the user to go back to an unauthenticated page by checking the state of the session. I changed the variable landinguri instead of creating the variable session.cms.starturi to remove the ACCESS_POLICY_COMPLETED event.
when HTTP_REQUEST {
    # store the requested URI for the initial /start_policy redirect
    set uri [HTTP::uri]
    set logout_req 0
    set apm_cookie [HTTP::cookie value MRHSession]
    if { ( [ACCESS::session exists -state_allow $apm_cookie] ) \
        or ( [HTTP::uri] starts_with "/my.policy" ) } {
        # initial redirect to /my.policy (starts access policy evaluation) - or a normal post-policy request
        set apm_req 1
        return
    } elseif { ( [HTTP::uri] starts_with "/start_policy" ) } {
        # initial redirect to /start_policy (starts access policy evaluation)
        # Remove the not established previous sessions
        ACCESS::session remove
        ACCESS::session create -timeout 1800 -lifetime 0
        ACCESS::session data set session.server.landinguri [findstr [HTTP::uri] "/start_policy?url=" 18]
        set apm_req 1
        return
    } else {
        # APM session disabled until logon process is started
        ACCESS::disable
        set apm_req 0
        return
    }
}
when ACCESS_SESSION_STARTED {
    # store the initial (redirect URI) until it's needed
    ACCESS::session data set session.server.landinguri [findstr [HTTP::uri] "/start_policy?url" 18]
}
when HTTP_RESPONSE {
    log local0. "apm_req was $apm_req"
    # capture the redirect to authenticate
    if { ([HTTP::status] eq "401") and ($apm_req eq 0) } {
        # initiate access policy processing
        log local0. "apm_req was $apm_req so redirecting"
        HTTP::respond 302 Location "/start_policy?url=$uri"
    }
}
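
The iRule above copies the client-supplied url= value straight into session.server.landinguri, so a hardening step is to accept only a same-site path before storing it. The following is an added example, not part of the original post: the proc name safe_landing_uri, the fallback to "/" and the log message are assumptions, and it relies on iRule procs (`call`) being available on the BIG-IP version in use.

```tcl
# Added example, not from the original post. safe_landing_uri is a
# hypothetical helper; falling back to "/" is an assumption.
proc safe_landing_uri { raw } {
    # Test the decoded form so %2f, %5c or %0d%0a cannot hide from the checks
    set decoded [URI::decode $raw]
    # Control characters (CR, LF, NUL, ...) have no place in a redirect target
    if { [regexp {[\x00-\x1f\x7f]} $decoded] } { return "/" }
    # Only an absolute path on this virtual server is acceptable
    # (this also rejects an empty value and anything with a scheme)
    if { ![string match "/*" $decoded] } { return "/" }
    # "//host" and "/\host" are read by browsers as another host
    if { [string match "//*" $decoded] || [string match {/\\*} $decoded] } {
        return "/"
    }
    # Do not land back on the policy endpoints themselves
    if { ($decoded starts_with "/start_policy") || ($decoded starts_with "/my.policy") } {
        return "/"
    }
    # Value passed every check: keep it exactly as the client sent it
    return $raw
}

when HTTP_REQUEST {
    # Same /start_policy branch as in the post, with the check added
    if { [HTTP::uri] starts_with "/start_policy" } {
        set requested [findstr [HTTP::uri] "/start_policy?url=" 18]
        set landing [call safe_landing_uri $requested]
        if { $landing ne $requested } {
            # Constructed log message; adjust facility and wording as needed
            log local0. "landing URI rejected for client [IP::client_addr], using /"
        }
        ACCESS::session remove
        ACCESS::session create -timeout 1800 -lifetime 0
        ACCESS::session data set session.server.landinguri $landing
        set apm_req 1
        return
    }
}
```

The same call belongs in ACCESS_SESSION_STARTED if that event keeps setting session.server.landinguri from the request URI.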