

Questions and Answers


Hey there,

 

I'm hoping somebody can provide some insight to show me what I might be doing wrong with my access policy. We have a SharePoint web portal set up which is accessed through F5. Often our users will bookmark specific pages in the portal in their browser so that when they open up their browser they click on the hyperlink (say www.portal.com/subsite/page.aspx). Usually this works fine: they see the APM login page and are redirected when they authenticate.

The problem however is after they log out. If they log out and then click on the same favourite they are shown an error page which reads:

 

"Access policy evaluation is already in progress for your current session.

You may see this message, if you are using a different browser tab than the one where you started the access policy initially. Please continue to finish your access policy in the previous browser tab, and close this current window immediately.

If you have reached to this message due to some other error, click here for creating a new session."

 

There are other scenarios in which this can be caused. Simply load the login page and refresh the page, or go to the login page (www.portal.com/my.policy) and then try to navigate to one of the bookmarks (www.portal.com/subsite/page.aspx).

 

I am wondering if there is a way to detect when these error pages are shown via an iRule so that I may simply redirect the user to the login page? I've gone through all of the events that iRule provides and I don't think any of these are suitable (the HTTP_REQUEST and HTTP_RESPONSE don't seem to fire if the user is requesting any of the APM pages).

If it helps, the only thing that the LTM seems to log when these error pages are shown is that an SSL Handshake has failed.

 

Any help or a point in the right direction would be wonderful! Thanks!

 

Adem


5 Answer(s):

Bump.

 

I'm still yet to resolve this issue, any kind of insight would be helpful!

The HTTP_REQUEST and RESPONSE events do actually fire, but APM purposely hides them. To re-enable access to these events, set ACCESS::restrict_irule_events to a value of "disable" in the CLIENT_ACCEPTED event.

From the wiki at: https://devcentral.f5.com/wiki/iRules.ACCESS__restrict_irule_events.ashx


when CLIENT_ACCEPTED { 
     ACCESS::restrict_irule_events disable 
}
when HTTP_REQUEST { 
     if { [HTTP::uri] ends_with "/my.logout.php3?errorcode=19" } { 
          HTTP::redirect "/" 
     } 
}

Thanks so much for that! This gives me a good starting point.

However in the situation that the user is on the logon page and then attempts to navigate to one of their bookmarks (www.portal.com/subsite/page.aspx) without yet being authenticated.
I've tried events to monitor a 404, access denied and so forth but no such luck. Unfortunately I can't check the URL because the URL is simply that of the user's bookmark.

Any ideas?

If you disable the event hiding you should definitely be able to see the user's request, and I would assume that if the user attempts to access a resource (as seen with [HTTP::uri]) without first authenticating (as seen by [ACCESS::session data get ]), you could do something with that request. Considering that the user has simply logged off and hasn't left the page, I'm wondering if the session cookies still resident in the browser are causing a problem. Please add this logging iRule to your virtual server and observe/report the findings:


when HTTP_REQUEST {
     log local0. "URI = [HTTP::uri]"
     foreach x [HTTP::header names] {
          log local0. "header($x) = [HTTP::header $x]"
     }
     log local0. "SID = [ACCESS::session sid]"
}

Perfect! After adding your log code I was then able to see that it was sending me to "/renderer/access_notfound.php3". I added a check for that into my HTTP_REQUEST event and can then redirect it back to the login page!

Thank you so much for your help! :)
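
The two findings from this thread combined into one iRule, as an added example that is not code posted by any participant: it re-enables the hidden events and sends both APM error URIs reported above back to "/", the redirect target used in the earlier answer. The `debug` switch, the exact-path match on the second URI and the redaction of the Cookie and Authorization headers (so the troubleshooting log does not capture session cookies or credentials) are assumptions added here.

```tcl
when CLIENT_ACCEPTED {
    # APM hides HTTP events for its own pages by default; re-enable them
    ACCESS::restrict_irule_events disable
}

when HTTP_REQUEST {
    # Assumption: a local troubleshooting switch, set to 1 only while debugging
    set debug 0

    if { $debug } {
        log local0. "URI = [HTTP::uri] SID = [ACCESS::session sid]"
        foreach name [HTTP::header names] {
            set lname [string tolower $name]
            if { $lname eq "cookie" || $lname eq "authorization" } {
                # Keep session cookies and credentials out of the LTM log
                log local0. "header($name) = <redacted>"
            } else {
                log local0. "header($name) = [HTTP::header $name]"
            }
        }
    }

    # Error page after logout ("evaluation already in progress"), from the first answer
    set logout_error [expr { [HTTP::uri] ends_with "/my.logout.php3?errorcode=19" }]
    # Page the unauthenticated bookmark request was sent to, from the final post
    set not_found [expr { [HTTP::path] equals "/renderer/access_notfound.php3" }]

    if { $logout_error || $not_found } {
        # Relative redirect: the target does not depend on the client-supplied Host header
        HTTP::redirect "/"
        return
    }
}
```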
