f5 Access Policy Manager AJAX vs Non-Ajax Request Handling with Authentication
I'm implementing a Single Page Application (JavaScript/AJAX based) leveraging the f5 as the Identity Provider and Service Provider for Single Sign-On. The web app sits behind the f5 in Apache, and the web services also sit behind the f5, using simple REST-based HTTP calls that the front end makes from the client side with JavaScript.
When the user's session expires in the f5, AJAX calls start failing because the f5 is handling the GET/POST requests and determines the user is not authenticated. The f5 then responds to the client request by sending a 302 Redirect response with the Location header set to /my.policy in order to redirect the client browser back to the login page. This works for normal HTTP requests, but not for JavaScript AJAX requests.
The low-level XHR object in the browser automatically attempts to follow the redirect to /my.policy before it hands the response back to the client JavaScript, and the JavaScript is not aware that the 302 redirect occurred since it's transparently handled by the low-level XHR.
The front-end JavaScript client app includes the header 'X-Requested-With: XMLHttpRequest' with all AJAX requests that proxy through the f5.
What I would like to do is customize the f5 to respond to client HTTP requests with a 401 Unauthorized response when the session is expired in the f5 when the original HTTP request has the X-Requested-With: XMLHttpRequest header. For all other requests from a client without the X-Requested-With header I want it to continue sending the 302 Redirect to /my.policy as it does currently.
Is this customization possible in the f5?
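
Added example, not part of the original post: a client-side check that recognizes an expired session both in the current behaviour (the redirect to /my.policy was followed transparently) and in the requested behaviour (a 401). The names `classifyAuthState`, `apiFetch` and `SessionExpiredError` are hypothetical, and the code assumes the REST endpoints never redirect for any other reason.

```javascript
// Added example: detect an expired session from a completed AJAX response.
const LOGIN_PATH = "/my.policy"; // redirect target named in the post

class SessionExpiredError extends Error {}

// `resp` needs only fields that a fetch Response (status, url, type)
// or an XMLHttpRequest (status, responseURL) already exposes.
function classifyAuthState(resp) {
  const finalUrl = resp.url || resp.responseURL || "";
  let path = "";
  try {
    // Placeholder base lets relative URLs parse; only the path is compared.
    path = new URL(finalUrl, "https://placeholder.invalid").pathname;
  } catch (_) { /* unparsable URL: fall through to the status checks */ }

  if (resp.status === 401) return "expired";            // requested behaviour
  // fetch with redirect: "manual" reports a blocked redirect this way.
  // Assumption: API endpoints never redirect legitimately.
  if (resp.type === "opaqueredirect") return "expired";
  // Redirect was followed silently; the final URL is the login page.
  if (path === LOGIN_PATH) return "expired";
  return "ok";
}

// Wrapper for all API calls: sends the marker header from the post and
// refuses to hand login-page content to code that expects API data.
async function apiFetch(url, options = {}, fetchImpl = fetch) {
  const headers = { ...(options.headers || {}), "X-Requested-With": "XMLHttpRequest" };
  const resp = await fetchImpl(url, { ...options, headers, redirect: "manual" });
  if (classifyAuthState(resp) === "expired") throw new SessionExpiredError(url);
  return resp;
}
```

The caller catches `SessionExpiredError` and sends the browser through a full-page navigation so the normal 302 login flow runs.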