Forum Discussion

Jose_Peter_2424
Jan 26, 2016

iRule to capture credentials from POST

Can someone provide me an iRule to capture credentials (username, password, device id) passed to a URL and then use them for APM?

7 Replies

  • Lucas_Thompson_
    Historic F5 Account

    By "use them for APM", what do you mean exactly? Not sure if you're talking about use in SSO (apm authenticates on behalf of the user) or use in AAA (apm checks user's credentials against an authentication server).

    AAA must happen during access policy evaluation (before user hits Allow or Deny or Redirect ending in VPE).

    SSO must happen after access policy evaluation (after user hits Allow or Deny or Redirect ending in VPE).

    If you could more fully explain your use case, it would help. If you're not sure about your client device's interaction or what browser / app / etc you're using, you may need to perform decrypted packet captures using SSLDump. There are detailed instructions about how to do that here:

    https://support.f5.com/kb/en-us/solutions/public/10000/200/sol10209.html


    • Jose_Peter_2424
      Hi Lucas, thanks for looking into my query. Let me explain my requirement. The user launches the application on his phone, enters credentials and clicks "Login". Then an HTTP POST happens to the application server. Credentials need to be captured by the BIG-IP from this POST, and then it should do AD authentication followed by SSO on behalf of the user.
    • Lucas_Thompson_
      Historic F5 Account
      OK. It sounds like you don't necessarily have control over the login page in this scenario; is it built into the app somehow? How does the app decide what to POST? Is it based on some existing web page that is retrieved from a server? Also, does the app implement a generalized web browser that can store cookies and follow redirects, or is it limited somehow? What I'd do first is visit that link I posted above about SSLdump and use that technique to capture exactly what the client is sending.
    • Jose_Peter_2424
      Hi Lucas, yes, the login page is built into the app. The URL to POST to is also hardcoded in the app. I don't think the app implements a generalized web browser.
  • Hi All,

    Finally I managed to find the iRule 🙂 Here it is:

    when HTTP_REQUEST {
        # Check for POST requests to the login URI
        if { [HTTP::uri] ends_with "/Login" && [HTTP::method] eq "POST" } {
            # Collect up to 1 MB of request content
            if { [HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] < 1048577 } {
                set content_length [HTTP::header "Content-Length"]
            } else {
                set content_length 1048576
            }
            if { $content_length > 0 } {
                HTTP::collect $content_length
            }
        }
    }
    when HTTP_REQUEST_DATA {
        # Find the username and password in the collected payload:
        # findstr starts at the first match, skips 11 characters (the length
        # of 'username":"' in a compact JSON body) and reads up to the next
        # double quote
        set username [findstr [HTTP::payload] username 11 \"]
        set password [findstr [HTTP::payload] password 11 \"]
        HTTP::release
    }
    when ACCESS_SESSION_STARTED {
        # Hand the captured credentials to the access policy
        if { [info exists username] } {
            ACCESS::session data set session.logon.last.username $username
            ACCESS::session data set session.logon.last.password $password
        }
    }
    
    • AN

      I tried the above iRule; in my case it was clientless... Following is the iRule I have:

      when HTTP_REQUEST {
          switch [HTTP::method] {
              "COPY" -
              "MOVE" {
                  # Replace Destination header with http if using SSL Offloading
                  if { [HTTP::header Destination] starts_with "https" } {
                      HTTP::header replace Destination [string map -nocase {https http} [HTTP::header value Destination]]
                  }
                  HTTP::disable
              }
              "MKCOL" -
              "PROPPATCH" {
                  HTTP::disable
              }
          }
          if { ( [HTTP::uri] contains "/abc/system.svc" ) || ( [HTTP::uri] contains "/abc/xyz/iSite/index.htm" ) || ( [HTTP::uri] contains "/xyz/Client/abc.application" ) } {
              HTTP::header insert "clientless-mode" 1
              if { ( [HTTP::method] equals "POST" ) and ( [HTTP::header value Content-Type] contains "soap+xml" ) } {
                  # Collect up to 1 MB of request content
                  if { [HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] < 1048577 } {
                      set content_length [HTTP::header "Content-Length"]
                  } else {
                      set content_length 1048576
                  }
                  if { $content_length > 0 } {
                      HTTP::collect $content_length
                  }
              }
          }
      }

      when HTTP_REQUEST_DATA {
          set username [findstr [HTTP::payload] 11 \"]
          set password [findstr [HTTP::payload] password= 11 \"]
          HTTP::release
      }

      when ACCESS_SESSION_STARTED {
          if { [info exists username] } {
              ACCESS::session data set session.logon.last.username $username
          }
          if { [info exists password] } {
              ACCESS::session data set session.logon.last.password $password
          }
      }

      I have and Password in multiple places in the XML. I found in my packet capture that it gets stuck the very first time it finds the variable and password and sends a 302 to /my.policy. Why doesn't it go through the whole XML first, capture the credentials and then go to APM?
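Both the skip counts in the iRules above (11 after `username`/`password`) and the "first match wins" behaviour AN is seeing come down to how findstr walks the payload: it locates the first occurrence of the search string, skips the given number of characters from the start of that match, and reads up to the terminator. The Python model below is added here and is not code from the thread or from F5; the sample JSON, form-encoded and SOAP bodies, their field names and the offsets are constructed for illustration.

```python
# Added example, not code from the thread: a Python model of the iRules
# findstr command, applied to constructed request bodies.

def findstr(s, search, skip=0, terminator=None):
    """Model of findstr <string> <search_string> [<skip_count> [<terminator>]]:
    text starting `skip` chars after the start of the FIRST match of `search`,
    up to (not including) `terminator`, or to the end; '' if no match.
    Only the string-terminator form is modelled."""
    idx = s.find(search)
    if idx < 0:
        return ""
    start = idx + skip
    if terminator is None:
        return s[start:]
    end = s.find(terminator, start)
    return s[start:] if end < 0 else s[start:end]

JSON_BODY = '{"username":"alice","password":"s3cr3t","device_id":"dev-01"}'
SPACED_JSON = '{"username": "alice", "password": "s3cr3t"}'
FORM_BODY = "username=alice&password=s3cr3t&device_id=dev-01"
SOAP_BODY = ("<s:Envelope><s:Header><Username>svc-account</Username>"
             "<Password>hunter2</Password></s:Header><s:Body><Login>"
             "<Username>alice</Username><Password>s3cr3t</Password>"
             "</Login></s:Body></s:Envelope>")

def creds_from_json(body):
    # Offsets from the thread's iRule: len('username') + len('":"') == 11.
    # This only holds for compact JSON; a space after the colon breaks it.
    return (findstr(body, "username", 11, '"'),
            findstr(body, "password", 11, '"'))

def creds_from_form(body):
    # x-www-form-urlencoded: skip past 'name=' and stop at the next '&'.
    # Values would still need URI-decoding before use in an access policy.
    return (findstr(body, "username=", 9, "&"),
            findstr(body, "password=", 9, "&"),
            findstr(body, "device_id=", 10, "&"))

def first_username(body):
    # findstr stops at the FIRST match: with several <Username> elements the
    # header credential comes back, not the one inside <Login>.
    return findstr(body, "<Username>", 10, "<")

def creds_from_soap(body):
    # Narrow the search to the element of interest before extracting fields.
    login = findstr(body, "<Login>", 7, "</Login>")
    return (findstr(login, "<Username>", 10, "<"),
            findstr(login, "<Password>", 10, "<"))
```

Running `creds_from_json` on the spaced body returns empty strings, which is why a fixed skip count should be checked against a decrypted capture of the real client before it is trusted to feed an access policy.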