sanjai_126162
Jun 22, 2016

user validation by entering username&password in address bar

Hi All,

We are using the APM module for authentication.

Clients don't want to give the username and password on the logon page. Instead, they want to give the username and password in the address bar, and it should authenticate and the application should be visible, e.g. https://abc.com/username=xyv/password=rfvb/

Is it possible in F5? If so, please guide me on how to proceed.

3 Replies

  • Lucas_Thompson_
    Historic F5 Account

    From a security perspective, it's really a bad idea to put usernames and passwords into CGI parameters because the URL will be:

    1. saved in the browser's history
    2. sent to any intermediate proxy server
    3. logged in HTTP request URI logs

    ...However, it's certainly possible.

    First, understand that everything in APM is done by session variables. Session variables are assigned to users when they first connect to APM, and most things are available. In your case, you want the URI that the user's HTTP request sent, e.g.:

    GET username=sanjai&password=12345 HTTP/1.1
    Host: abc.com
    

    From this, APM would set a session variable called

    session.server.landinguri
    

    It would be the user's request URI: "username=sanjai&password=12345".

    The other thing we need to know is what the input data is for the "Auth" items, like AD Auth and LDAP Auth, etc. These take their data from a session variable called:

    session.logon.last.username
    

    and

    session.logon.last.password
    

    Now that we know where the data is and where it needs to go, we just have to make a policy to do it that way. We need to do a few things:

    1. Make sure the users put something, so validate the input.
    2. Process the data from "session.server.landinguri" and put it into "session.logon.last.username" / "session.logon.last.password".

    We can do these in 1 step because APM's Policy Items let us put any test on each item.

    Add a Variable Assign with two entries. The first entry will be:

    [Secure]
    session.logon.last.password = if { [regexp {password=([^&=]+)} [mcget "session.server.landinguri"] foo val] } { return $val } else { return 0 }
    

    The second will be:

    [Insecure]
    session.logon.last.username = if { [regexp {username=([^&=]+)} [mcget "session.server.landinguri"] foo val] } { return $val } else { return 0 }
    

    Now, in Branch Rules, you'd add one more besides Fallback. The one you add will validate that the username and password session variables were set correctly.

    expr { [mcget "session.logon.last.username"] != "" && [mcget "session.logon.last.password"] != "" }
    

    I'm having trouble adding screenshots to this post for some reason, but hopefully you can understand from the example what's happening.
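
The third risk listed in the reply above (credentials ending up in HTTP request URI logs) can be found and cleaned up on the logging side. The following Python is an added example, not part of the original post or any F5 code: it scans access-log lines for `username=`/`password=` in the request URI, in both the query-string form from the reply and the slash-separated form from the question, and redacts the values. The log format, sample lines and function names are assumptions constructed for illustration.

```python
import re

# Constructed sample access-log lines; addresses and values are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Jun/2016:10:01:02 +0000] "GET /?username=sanjai&password=12345 HTTP/1.1" 302 0',
    '203.0.113.7 - - [22/Jun/2016:10:01:05 +0000] "GET /username=xyv/password=rfvb/ HTTP/1.1" 302 0',
    '203.0.113.9 - - [22/Jun/2016:10:02:11 +0000] "GET /index.html?lang=en HTTP/1.1" 200 512',
]

# Request line inside the quoted field: method, URI, protocol.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>HTTP/[\d.]+)"')
# Credential-bearing keys. The value ends at '&', '/', '=' or the end of the URI,
# so the query-string form and the slash-separated form are both covered.
SECRET = re.compile(r'\b(?P<key>username|password)=(?P<val>[^&/=\s"]+)', re.IGNORECASE)


def redact_uri(uri):
    """Return (redacted_uri, sorted list of credential keys found in it)."""
    found = set()

    def mask(match):
        found.add(match.group("key").lower())
        return match.group("key") + "=[REDACTED]"

    return SECRET.sub(mask, uri), sorted(found)


def scan(lines):
    """Return (line_number, keys_found, redacted_line) for each line whose URI carries credentials."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue  # not a recognisable request line, nothing to inspect
        redacted, keys = redact_uri(match.group("uri"))
        if keys:
            clean = line[:match.start("uri")] + redacted + line[match.end("uri"):]
            hits.append((number, keys, clean))
    return hits


if __name__ == "__main__":
    for number, keys, clean in scan(SAMPLE_LOG):
        print(f"line {number}: {','.join(keys)} in URI -> {clean}")
```

The same scan can run over proxy logs, which is where the second risk in the list would leave copies of the URL.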