Forum Discussion

AN_168028
Nimbostratus
Apr 03, 2017

iRULE to capture user credentials in SOAP-XML Payload in Clientless Mode

We have an application limitation from the vendor: they don't support authentication based on multiple domains. I am configuring an iRule and APM to work around this shortcoming of the application.

External Application-A fat client => calls Application-B using a particular URI (Virtual Server on F5)

The Application-B URI is defined as a plugin in the Application-A fat client.

when HTTP_REQUEST

  • HTTP::header insert "clientless-mode" 1 (the iRule will put the request into clientless mode for the /xyz URI, since there are other URIs for the web interface)
  • The iRule will match if the HTTP method is POST and Content-Type contains "soap+xml" - collect HTTP content

when HTTP_REQUEST_DATA - go through the XML - collect username "user1@domain1.com" - collect password "12345678"

when ACCESS_SESSION_STARTED {

Assign the previously collected values to the variables session.logon.last.username $username and session.logon.last.password $password }

The APM policy will look like the following:

Start => if username contains domain1 => domain1\$username => RADIUS => Allow
                                                                     => Deny

      => if username contains domain2 => domain1\$username => RADIUS => Allow
                                                                     => Deny

2 Replies

  • Hi,

    you can use this iRule as an example:

    when HTTP_REQUEST {
        set apmsessionid [HTTP::cookie value MRHSession]
        if { [HTTP::cookie exists "MRHSession"] } {set apmstatus [ACCESS::session exists -state_allow $apmsessionid]} else {set apmstatus 0}
        if {!($apmstatus)} {
            # Insert Clientless-mode header to start APM in clientless mode
            if { [catch {HTTP::header insert "clientless-mode" 1} ] } {log local0. "[IP::client_addr]:[TCP::client_port] : TCL error on HTTP header insert clientless-mode : URL : [HTTP::host][HTTP::path] - Headers : [HTTP::request]"}
        }
        # Collect Post Data to be parsed in HTTP_REQUEST_DATA (capped at 1 MiB)
        if { [HTTP::method] eq "POST" }{
            set clength 0
            if {[HTTP::header exists "Content-Length"] && [HTTP::header Content-Length] <= 1048576}{
              set clength [HTTP::header Content-Length]
            } else { set clength 1048576 }
            if { [info exists clength] && $clength > 0} { HTTP::collect $clength }
        }
    }
    
    when HTTP_REQUEST_DATA {
        # Parse XML Data
        # NOTE: the search strings (the XML element names) in the two findstr
        # calls below were stripped when the post was rendered; the empty ""
        # arguments must be replaced with the element names used in the SOAP
        # body before this will work.
        set xmluser [findstr [HTTP::payload] "" 15 "<"]
        set xmlpwtmp  [findstr [HTTP::payload] "" 1 end]
        # ACCESS_SESSION_STARTED expects the password in $xmlpw; the line that
        # derives it from $xmlpwtmp did not survive in the post.
        unset xmlpwtmp
    }
    
    when ACCESS_SESSION_STARTED {
        # Variables from HTTP REQUEST Data (XML Parsing)
        if {([info exists "xmluser"])} { ACCESS::session data set session.logon.last.username $xmluser; ACCESS::session data set session.logon.last.logonname $xmluser;  }
        if {([info exists "xmlpw"])} { ACCESS::session data set session.logon.last.password $xmlpw }
    
    }
    
    when ACCESS_ACL_ALLOWED {
        # Pass the authenticated user to the backend and drop the client's Authorization header
        set user [ACCESS::session data get session.logon.last.username]
        HTTP::header insert "login" $user
        HTTP::header remove "Authorization"
    }
    
    
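The reply's iRule locates the credentials with findstr at fixed character offsets, which stops working as soon as the vendor reorders or renames the SOAP elements, adds a namespace prefix, or a password contains a character that XML must escape (a `&` arrives as `&amp;`, and feeding the escaped form to RADIUS fails the logon). The following iRule is an added example, not code from the original thread or from F5: it extracts the two elements with anchored regular expressions, decodes the five predefined XML entities, refuses oversized bodies instead of parsing a truncated one, converts user@domain into the DOMAIN\user form the poster's policy builds by hand, and scrubs the password from connection state once APM has it. The element names Username/Password, the /abc/ path, the domain map in RULE_INIT and all variable names are assumptions to be adjusted to the real SOAP body.

```tcl
# Added example (not from the original thread). Assumptions: credentials are in
# <Username> and <Password> elements (any namespace prefix), the plug-in calls
# live under /abc/, and e-mail domains map to RADIUS domains as in RULE_INIT.

when RULE_INIT {
    # Assumed mapping: e-mail domain (lower-case) -> domain prefix for RADIUS.
    set static::soap_domain_map [list domain1.com DOMAIN1 domain2.com DOMAIN2]
    # Largest SOAP body we are willing to buffer for credential extraction.
    set static::soap_max_body 1048576
}

when HTTP_REQUEST {
    # Only the plug-in endpoint is handled here; other URIs keep the normal APM logon.
    if { !([string tolower [HTTP::path]] starts_with "/abc/") } { return }

    # An existing, allowed APM session needs no credential extraction.
    if { [HTTP::cookie exists "MRHSession"] &&
         [ACCESS::session exists -state_allow [HTTP::cookie value "MRHSession"]] } {
        return
    }

    # No session: tell APM to run the policy without a logon page.
    HTTP::header insert "clientless-mode" 1

    # Buffer the SOAP request body so HTTP_REQUEST_DATA can parse it.
    if { [HTTP::method] equals "POST" &&
         [string tolower [HTTP::header value "Content-Type"]] contains "soap+xml" } {
        if { ![HTTP::header exists "Content-Length"] } {
            # Unknown length: do not guess, let the policy end in Deny.
            log local0. "[IP::client_addr]: SOAP POST without Content-Length, not collecting"
        } elseif { [HTTP::header "Content-Length"] > $static::soap_max_body } {
            # Refuse rather than parse a truncated body.
            HTTP::respond 413 content "Request body too large" Connection close
            return
        } elseif { [HTTP::header "Content-Length"] > 0 } {
            HTTP::collect [HTTP::header "Content-Length"]
        }
    }
}

when HTTP_REQUEST_DATA {
    set body [HTTP::payload]

    # Pull the element contents out of the envelope. The pattern tolerates a
    # namespace prefix (<ns:Username>) and attributes on the element, and stops
    # at the next '<', so it never reads across element boundaries.
    if { ![regexp -nocase {<(?:[\w.-]+:)?Username(?:\s[^>]*)?>([^<]*)<} $body -> rawuser] ||
         ![regexp -nocase {<(?:[\w.-]+:)?Password(?:\s[^>]*)?>([^<]*)<} $body -> rawpass] } {
        log local0. "[IP::client_addr]: SOAP body without Username/Password, leaving APM to deny"
        unset body
        return
    }

    # Reverse the five predefined XML entities. string map is a single pass, so
    # "&amp;lt;" correctly becomes "&lt;" rather than "<". Numeric character
    # references (&#NN;) are not handled here.
    set xmlmap [list "&lt;" "<" "&gt;" ">" "&quot;" "\"" "&apos;" "'" "&amp;" "&"]
    set user      [string map $xmlmap $rawuser]
    set soap_pass [string map $xmlmap $rawpass]

    # Convert user@domain into DOMAIN\user for RADIUS. An unmapped domain leaves
    # soap_user unset, so ACCESS_SESSION_STARTED sets nothing and the policy denies.
    set at [string last "@" $user]
    if { $at > 0 } {
        set u_local [string range $user 0 [expr {$at - 1}]]
        set u_dom   [string tolower [string range $user [expr {$at + 1}] end]]
        set idx [lsearch -exact $static::soap_domain_map $u_dom]
        if { $idx != -1 && ($idx % 2) == 0 } {
            set soap_domain [lindex $static::soap_domain_map [expr {$idx + 1}]]
            set soap_user "${soap_domain}\\${u_local}"
        } else {
            # Log the user, never the password.
            log local0. "[IP::client_addr]: unmapped domain '$u_dom' for user '$u_local'"
        }
    }
    # Do not keep extra copies of the secret in connection state.
    unset body rawpass
}

when ACCESS_SESSION_STARTED {
    if { [info exists soap_user] && [info exists soap_pass] } {
        ACCESS::session data set session.logon.last.username  $soap_user
        ACCESS::session data set session.logon.last.logonname $soap_user
        ACCESS::session data set session.logon.last.domain    $soap_domain
        ACCESS::session data set session.logon.last.password  $soap_pass
    }
    # Clear the password from Tcl state whether or not it was handed to APM.
    unset -nocomplain soap_pass
}

when ACCESS_ACL_ALLOWED {
    # Forward the authenticated (DOMAIN\user) name to the backend and drop any
    # Authorization header the client sent.
    HTTP::header insert "login" [ACCESS::session data get session.logon.last.username]
    HTTP::header remove "Authorization"
}
```

Because the iRule already delivers DOMAIN\user in session.logon.last.username, the per-domain "contains domain1 / contains domain2" branches in the policy only need to pick the RADIUS server (or a single RADIUS AAA object, if that server dispatches on the domain prefix); the string rewriting moves out of the policy. The body-size cap and the early return on an unmapped domain mean a malformed or oversized envelope never reaches the authentication step with partial data.
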
  • AN
    Nimbostratus

    I found the issue. There were multiple .svc files (session.svc and application.svc) being called under the URI /abc/, so I changed my URL to point to /abc/ instead of a particular .svc.

    As you can see in my captures, with only the webDev iRule I get 100 Continue messages, but when I put in the iRule you mentioned, I don't see 100 Continue. Is that because of clientless mode?