Forum Discussion

sricharan61's avatar
sricharan61
Icon for Cirrus rankCirrus
Nov 13, 2019
Solved

How can i use an expression in an APM policy to look for a URI path and then set the branch rule accordingly

How can i use an expression in an APM policy to look for a URI path and then set the branch rule accordingly. I could probably setup the advanced resource assignment item and create a bunch of branch...
application delivery
BIG-IP
BIG-IP Access Policy Manager (APM)
  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Nov 15, 2019

    So URI condition matches... 

    /Common/AzureADB2BforInternalApps:Common:fdc12271: ./AccessPolicyProcessor/Session.h: 'getSessionVar()': 639: variable found, let's add it to the local cache "session.server.landinguri"="/soandso1/abc/"(length=28)

    and in TCL with && operator, second condition is evaluated only if first is successful 

    /Common/AzureADB2BforInternalApps:Common:fdc12271: ./AccessPolicyProcessor/Session.h: 'getSessionVar()': 610: variable "session.oauth.client./Common/AzureADB2BforInternalApps_act_oauth_client_ag.id_token.groups" was not found in the local cache for session "fdc12271"

    but this variable does not exists:

    /Common/AzureADB2BforInternalApps:Common:fdc12271: ./AccessPolicyProcessor/Session.h: 'getSessionVar()': 625: variable "session.oauth.client./Common/AzureADB2BforInternalApps_act_oauth_client_ag.id_token.groups" for session "fdc12271" was not found in MEMCACHED

    look in session variables the name of the expected variable... you may find a variable with "last" to replace the box name like:

    session.oauth.client.last.id_token.group
sricharan61's avatar
sricharan61
Icon for Cirrus rankCirrus

I have tried this solution, the logs show the advanced resource assign trying to match these rules as well, but none of the rules are matched and ends up going to the fall back branch. I have made sure I am meeting all the requirements of URI condition and the group OID comming in. The logs show the OID for the mentioned group come in for the users request as well.

 

Is the HTTP::URI supported to be used in an expression ? I am using this

 

expr {[mcget {HTTP::URI}] starts_with "/SOANDSO1/" && [mcget {session.oauth.client./Common/AzureADB2B_act_ oauth_client_ag.id_token.groups}] contains "xxxxxxxx-xxxxx-xxxxx-xxxx-xxxxxxxxxxxx"}

 

It looks like its not able to look for the URI at all.

Stanislas_Piro2's avatar
Stanislas_Piro2
Icon for Cumulonimbus rankCumulonimbus
Nov 14, 2019

Sorry,

 

I saw the wildcard issue but not the HTTP::uri... ;)

 

HTTP::uri is per request (only in irules) ... if you want the initial uri matching, you have to use : session.server.landinguri

 

the code above is changed to match this.

 

if the goal is to restrict URI after authentication, you must create ACL with /SOANDSO1/* in path, then assign this ACL in Advanced ressource assign object.