Tony_387372
Mar 31, 2019

Disable HTTP 302 Found redirect for B2B use case

Newbie!

 

Our use case is a B2B REST API and generally no user access via a browser except for testing. We are using TLS 1.2 Mutual Authentication (MA). An HTTP 302 Found including a set of cookies is returned after a successful TLS negotiation. A browser (at least Chrome and Firefox) or Postman deal with the redirect seamlessly, returning part of the cookie in the client request. From a test user experience point of view it all works and the REST API is accessible (the redirect is not visible).

 

However, when a non-browser (let's for argument's sake say Java) based request is used, the HTTP 302 Found needs to be explicitly dealt with, which creates complexity that I am hoping is unnecessary for B2B.

 

Is the redirect configurable? Can it be disabled? Possibly in an iRule or Access Policy?

 

2 Replies

  • You can use an iRule to send a redirect based on the User-Agent in the incoming HTTP request. Related but different iRule found here. Once you develop an iRule, post it here and someone will help you fine-tune it.

     

  • Hi Tony,

    APM supports a clientless-mode to allow transparent authentication (without triggering the HTTP redirect to /my.policy). You may check out the APM Operations Guide and search for "Clientless mode" to get an overview of this feature...

    BIG-IP APM Operations Guide

    https://support.f5.com/content/kb/en-us/products/big-ip_apm/manuals/product/f5-apm-operations-guide/_jcr_content/pdfAttach/download/file.res/f5-apm-operations-guide.pdf

    Keep in mind that APM's clientless-mode still depends on an APM session cookie to authenticate subsequent requests after authentication. In clientless mode the cookie will be issued on the very first application server response.

    If your user-agent does not support cookies, you have to develop an [ACCESS::user] based iRule in front of APM, that uses certain certificate information as the session.user.uuid value to locate existing APM sessions for the currently connected user and to finally inject the APM session cookie to the ongoing request.

    Wiki: ACCESS::user

    https://devcentral.f5.com/wiki/iRules.ACCESS__user.ashx

    Cheers, Kai
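
A sketch of the two options described in the reply above, added here as an example and not code from the thread or from F5: an iRule that requests clientless mode and, for clients that do not return cookies, re-attaches an existing APM session through a key derived from the client certificate. The key format (SHA-256 of the certificate), the variable names and the event layout are assumptions; check the ACCESS::user behaviour against the iRules reference for your BIG-IP version.

```tcl
# Added example. Assumes the client SSL profile on this APM virtual server
# requires and validates a client certificate (TLS mutual authentication).
when HTTP_REQUEST {
    # A client that returns the APM session cookie needs no special handling.
    if { [HTTP::cookie exists "MRHSession"] } {
        return
    }

    # Derive the lookup key only from the certificate validated in the TLS
    # handshake, never from a request header the client controls.
    # Assumption: the certificate is readable in this event; on a resumed
    # TLS session it may not be, in which case the request is left untouched.
    if { [SSL::cert count] == 0 } {
        return
    }
    set user_key [b64encode [sha256 [SSL::cert 0]]]

    # Look for an APM session already registered under this key
    # (the value stored in session.user.uuid when the session was created).
    set sid_list [ACCESS::user getsid $user_key]
    if { [llength $sid_list] > 0 } {
        set sid [ACCESS::user getkey [lindex $sid_list 0]]
        if { $sid ne "" } {
            # Inject the session cookie into the ongoing request so APM
            # matches it to the existing session.
            HTTP::cookie insert name "MRHSession" value $sid
            return
        }
    }

    # No session yet: ask APM to run the access policy without sending the
    # HTTP 302 redirect to /my.policy.
    HTTP::header insert "clientless-mode" 1
}

when ACCESS_SESSION_STARTED {
    # Register the new session under the certificate-derived key so later
    # cookie-less requests from the same certificate can find it.
    if { [info exists user_key] } {
        ACCESS::session data set "session.user.uuid" $user_key
    }
}
```

Because every request presenting the same certificate maps to one APM session, session timeouts and certificate revocation checks on the client SSL profile decide how long a compromised certificate stays usable.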