Forum Discussion

am_gli_287451
Nov 02, 2017

APM realization possible?

Hi,

I got a request regarding an APM implementation that I need to review, but I'm not sure if and how this is possible.

Circumstances:

- Application server with an app that currently has no authentication (JBoss)
- Application is not personalized (no user settings / profile / etc.)
- Application only looks different for different roles
- Server has a DB with user/pw/role
- Server could handle auth requests from F5 via HTTP Basic Auth (or another method)

Requirements:

- F5 (APM) should present the login form to the user
- F5 should check if the user has entered valid credentials (HTTP Basic Auth to server)
- Server answers the auth request and sends back the role of the user
- F5 should include an HTTP header in every request to the application, containing the user role (the user itself doesn't matter for the application -> it should only decide which functions of the application are displayed, controlled by the role)

So, since I never had such a request, I'm not 100% sure whether it is possible and how it is possible.

My idea would be an APM policy, where the user credentials are checked by the server, and the role is expected from the server (in which form/syntax?). Then, the role is written into an encrypted cookie and sent to the user. An additional iRule then checks if the user has a cookie - if yes, the role is checked, converted according to a DataGroup and the HTTP header is adjusted with abc...

Note: The application doesn't require the exact user information, only the role. It also has no access to the user DB for checking the role by itself. The authentication interface from F5 to the server would be apart from the application itself, only to get the user's role.

Do you think something like that is achievable at all? Is it achievable with these methods or would you do it in a different way?

Thanks in advance!

1 Reply

  • Hi,

    you can

    • authenticate user against HTTP server with basic auth
    • server returns status code 200 with role included in cookie (cookies are available on a session variable), ex: appRole
    • extract the cookie value in a VPE variable assign:

      session.logon.last.role =

      expr { [lindex [regexp -inline {appRole=([^;\\\r]*)} [mcget session.http.last.response_cookie]] 1] }

    • then include this session variable in Basic SSO (advanced view)
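As an added example (not code from the original post or reply), here is an iRule that carries the role learned by the APM policy into a request header the application can trust, using a data group to map the server's role names to header values as the question proposed. It assumes the policy stores the role in session.logon.last.role (as in the reply), a string data group named role_to_header (key = role returned by the server, value = header value the application expects) and a header named X-App-Role; all three names are assumptions.

```tcl
# Added example, not from the original thread. Assumed names: session variable
# session.logon.last.role, data group role_to_header, header X-App-Role.
# ACCESS_ACL_ALLOWED fires only for requests that the APM policy has allowed,
# so an APM session always exists here and the login page is never affected.
when ACCESS_ACL_ALLOWED {
    # The application authorizes purely on this header, so the F5 must be its only
    # source: drop any copy the client sent before inserting the trusted value.
    HTTP::header remove "X-App-Role"

    set role [ACCESS::session data get "session.logon.last.role"]

    if { $role ne "" && [class match $role equals role_to_header] } {
        # Map the server's role name to the value the application expects.
        HTTP::header insert "X-App-Role" [class match -value $role equals role_to_header]
    } else {
        # Empty or unknown role: fail closed instead of letting the request
        # through without a role (or with a default one).
        ACCESS::log accesscontrol.error "role '$role' not found in role_to_header for [IP::client_addr]"
        HTTP::respond 403 content "Forbidden" "Connection" "close"
    }
}
```

Since the application itself does no authentication, it should also be reachable only from the F5 (firewalling or a dedicated self IP), otherwise anyone who can reach JBoss directly can set the header themselves.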