APM Policies not enforced after initial login
We are working on implementing per path access restrictions with the BigIP/APM. The restrictions are grouped into the following categories:
1) Public - no login required 2) Restricted - login required 3) Secured - login and LDAP user attribute value required
Public paths are enforced by an iRule that disables the APM for selected paths. Secured paths are enforced by Branch Rules on LDAP Query Actions in an APM Access Policy.
The problem we have encountered is that the APM is not called after the user logs in and has their session cookie. As a result, the secure path restrictions in the Access Policy are bypassed. Is this normal? Do we need to use iRules to enforce per path restrictions? Does anyone have examples of this?
Yes, this is normal. Today, once the session is established, the access policy is not evaluated for the duration of the session. So, if you started a session for Restricted URIs and then need to enforce security for the Secured ones, you need to do
set an session variable in the VPE indicating whether user performed secured or restricted authentication an iRule that will check the paths for secured - if path is secured, it will check the APM session variable to see how the user authenticated - if they authenticated just for Restricted, kill the APM session and redirect them to the same path they tried to go to(secured) - and the policy execution should kick in and force you to do proper authentication then.