Forum Discussion
Hi
Have you tried using the HTTP 401 Response object? This can be configured to send a BASIC auth challenge back to the client.
If your client can't handle the redirect to /my.policy then you can use clientless mode to proxy the auth attempt.
- dirken, Jul 29, 2019, Nimbostratus
Hi Iaine, sorry, was offline a few days...
As I understand it, the built-in 401 in VPE presents the user with a mask to enter the credentials.
In my case, there is no user, it is a scheduled SOAP script. Also I have no idea what you mean by 'clientless mode' to proxy the auth attempt.
Here's what I am actually doing in my iRule:
when HTTP_REQUEST...
a) check for the authorization header. If not existent, send 401. If existent, decode the base64 string (b64decode) and put it in "creds".
b) check for the credentials format (username@domain:password, domain\\username:password or username:password)
c) put domain (if existent), username and password into variables $domain, $usr, $pass
When doing a bit of 'log local0. "User $usr logging in"' etc. I see the username, password and domain are collected correctly and variables are set. Fine!
when ACCESS_POLICY_AGENT_EVENT...
a) trigger an event "get_credentials_from_auth_header" in VPE
b) ACCESS::session data set session.logon.last.username $usr (and so on for domain and password)
After this I use those credentials for AD query, AD Auth, SSO etc. in VPE - or at least, I would, if it worked.
Error: APM message: no such variable $usr => obviously the policy is running and triggering the iRule event before the variable is set during the HTTP_REQUEST. Funny enough, I get both log messages: first the "User $usr logged in..." message with the correct username from the HTTP_REQUEST routine and the next line is "no such variable $usr" from the ACCESS_POLICY_AGENT_EVENT routine.
I then changed config, deleted the iRule trigger from VPE and moved the 'ACCESS::session data set' commands to be the last statements of the HTTP_REQUEST routine. No more error messages, but session.logon.last.username (and others) are still empty, which can be seen in some logs I write via VPE.
So somehow, the order of the events is not working, but I cannot find any overall documentation of the event order for LTM/APM. Under https://devcentral.f5.com/s/articles/http-event-order-access-policy-manager it states that the APM only fires directly after the HTTP_REQUEST, but unfortunately the exact graphics there are blurred and the links to the full-size graphics do not work anymore (after DevCentral moved).
I also thought of putting in some kind of wait timer, but I see no way to do this in APM other than an iRule trigger, and I'm not sure how to do it even in an iRule.
So, summing up, I am totally lost about the correct event order in LTM/APM, when fires what, and how the hell do I put what I collect correctly from an HTTP header into some APM login variable.
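The credential-parsing steps a) to c) above, as an added Python example that is neither dirken's iRule nor F5 code: it decodes the Basic header, accepts the three credential formats the post lists, splits on the first colon only, and treats anything malformed as "answer 401" instead of setting half-filled session variables. The session variable names are the ones quoted in the post; `split_user` and `encode_basic` are helper names assumed here.

```python
import base64
import binascii
from typing import Dict, Optional, Tuple

# Added example, not the poster's iRule: mirrors steps a) to c) of the
# HTTP_REQUEST logic above, with the malformed-input handling such code needs.
Creds = Tuple[Optional[str], str, str]  # (domain or None, username, password)

def split_user(user_part: str) -> Optional[Tuple[Optional[str], str]]:
    """Split 'username@domain', 'domain\\username' or a bare 'username'."""
    if "\\" in user_part:
        domain, _, username = user_part.partition("\\")
    elif "@" in user_part:
        username, _, domain = user_part.rpartition("@")
    else:
        return None, user_part
    if not domain or not username:  # 'user@' or '\\user' is malformed
        return None
    return domain, username

def parse_basic_auth(header_value: Optional[str]) -> Optional[Creds]:
    """Decode an 'Authorization: Basic ...' value; None means 'answer 401'."""
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Only the first ':' separates user from password; passwords may contain ':'.
    user_part, sep, password = decoded.partition(":")
    split = split_user(user_part) if sep and user_part else None
    if split is None:
        return None
    return split[0], split[1], password

def session_vars(creds: Creds) -> Dict[str, str]:
    """Values the iRule would pass to ACCESS::session data set (domain only if given)."""
    domain, username, password = creds
    out = {"session.logon.last.username": username,
           "session.logon.last.password": password}
    if domain:
        out["session.logon.last.domain"] = domain
    return out

def encode_basic(user_part: str, password: str) -> str:
    """Build a header value the way a SOAP client would (for constructed samples)."""
    return "Basic " + base64.b64encode(f"{user_part}:{password}".encode()).decode()
```

In the iRule itself, a `None` result corresponds to the branch that sends the 401 challenge, and only a complete triple should reach the session variables.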