Forum Discussion

TLL_91858
Feb 28, 2008

Any way to read the CGI collection?

I am trying to use items from the CGI variable collection, but can't seem to find a way to read, for instance, the CGI.REMOTE_USER variable.

Anyone know of a way to use these in an iRule?

8 Replies

  • I assume remote user is the base64 encoded value in the Authorization header. If so, you can use HTTP::header value Authorization to get the header value, decode it using b64decode and then split the value on the decoded colon:

    # Header value is "Basic <base64>"; take the token after the scheme name
    set auth_value [getfield [HTTP::header value Authorization] " " 2]
    # Decodes to "user:password"
    set decoded_auth_value [b64decode $auth_value]
    set user [getfield $decoded_auth_value ":" 1]
    set pass [getfield $decoded_auth_value ":" 2]

    or:

    set user [getfield [b64decode [getfield [HTTP::header value Authorization] " " 2]] ":" 1]
    set pass [getfield [b64decode [getfield [HTTP::header value Authorization] " " 2]] ":" 2]

    Most of the other CGI variables are available using various commands:

    - client IP address and port: [IP::client_addr] and [TCP::client_port]
    - VIP IP and port by using [IP::local_addr] and [TCP::local_port] in a client side event
    - request method: [HTTP::method]
    - path: [HTTP::path]
    - URI: [HTTP::uri]
    - query string: [HTTP::query]
    - content type: [HTTP::header value Content-Type]
    - content length: [HTTP::header value Content-Length]

    For details on the commands, you can check the corresponding wiki pages:

    http://devcentral.f5.com/wiki/Default.aspx/iRules.HomePage

    Aaron
  • Might be what I need, but when I do a HTTP::header exists Authorization, I get a 0 back indicating it doesn't exist. Why would it not be in the collection?

    Tom

  • Hi Tom,

    Did the client send a user/pass encoded in the authorization header for the request you were testing with? If so, the data should be available.

    Aaron
  • I'm guessing no. There's no Basic Auth prompt for them. The website is set up to not allow anonymous, and allow Windows integrated, which I thought would force the credentials of the logged on user to be passed?

    Tom

  • NTLM is slightly different. An authorization header is still used, but the user/pass aren't sent in every request. Take a look at this page which gives a good summary of the "protocol":

    NTLM Authentication Scheme for HTTP
    http://www.innovation.ch/personal/ronald/ntlm.html

    If you use a browser add-on like Fiddler for IE or LiveHttpHeaders for FF, you can base64 decode the messages to see exactly what's being sent.

    Aaron
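
Added example (not part of the original posts, and not F5 code): a Python decoder for captured Authorization header values, showing that Basic carries the user name on every request while NTLM names the user only in its type 3 message. The field offsets follow the NTLMSSP message layout; the sample headers and the names in them are constructed.

```python
import base64
import struct

NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}

def _buf(msg, pos, unicode_text):
    """Read one NTLM security buffer (len, maxlen, offset) at pos as text."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    raw = msg[offset:offset + length]
    return raw.decode("utf-16-le" if unicode_text else "latin-1", "replace")

def describe_authorization(value):
    """Classify an Authorization header value; return only non-secret fields."""
    scheme, _, token = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        # Basic sends base64("user:password") on every request.
        text = base64.b64decode(token).decode("utf-8", "replace")
        return {"scheme": "basic", "user": text.partition(":")[0]}
    if scheme in ("ntlm", "negotiate"):
        msg = base64.b64decode(token)
        if not msg.startswith(b"NTLMSSP\x00") or len(msg) < 12:
            return {"scheme": scheme, "message": "not NTLMSSP"}
        mtype = struct.unpack_from("<I", msg, 8)[0]
        info = {"scheme": scheme, "message": NTLM_TYPES.get(mtype, "unknown")}
        if mtype == 3 and len(msg) >= 64:
            # Only type 3 names the user; it is sent once per connection, not per request.
            uni = bool(struct.unpack_from("<I", msg, 60)[0] & 0x1)
            info["domain"] = _buf(msg, 28, uni)
            info["user"] = _buf(msg, 36, uni)
        return info
    return {"scheme": scheme or "none"}

def constructed_type3(domain, user, host):
    """Build a sample type 3 message with empty responses (constructed input)."""
    parts = [s.encode("utf-16-le") for s in (domain, user, host)]
    header, payload, offset = b"NTLMSSP\x00" + struct.pack("<I", 3), b"", 64
    header += struct.pack("<HHI", 0, 0, offset) * 2          # LM and NT responses
    for p in parts:
        header += struct.pack("<HHI", len(p), len(p), offset + len(payload))
        payload += p
    header += struct.pack("<HHI", 0, 0, offset + len(payload))  # session key
    header += struct.pack("<I", 0x1)                           # NEGOTIATE_UNICODE
    return "NTLM " + base64.b64encode(header + payload).decode()

if __name__ == "__main__":
    basic = "Basic " + base64.b64encode(b"operator:example-pass").decode()
    for sample in (basic, constructed_type3("CORP", "computer_operators", "OPS-PC")):
        print(describe_authorization(sample))
```

A request with no Authorization header at all, as in the test described earlier in the thread, comes back as scheme "none".
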
  • Well, after going through that, and running some more tests, looks like I can't use that for what I wanted.

    Tom
  • We have a service account that is used by operators in a computer room monitoring situation (computer_operators). They need to be able to get to a web application (What's Up Gold) to monitor status of servers.

    We have a requirement that all user accounts use PKI (CAC) to access web applications, but have a process to get an exception for a user or two in certain situations.

    The computer_operators account does not have a CAC, and can't be issued one.

    I was going to set it up to require all users to present PKI, except for the computer_operators account.

    Tom