Forum Discussion
3 Replies
- Lucas_Thompson_Historic F5 Account
From a security perspective, it's really a bad idea to put usernames and passwords into CGI parameters because the URL will be:
- saved in the browser's history
- sent to any intermediate proxy server
- logged in HTTP request URI logs
...However, it's certainly possible.
First, understand that everything in APM is done by session variables. Session variables are assigned to users when they first connect to APM, and most things are available. In your case, you want the URI that the user's HTTP request sent, eg:
GET username=sanjai&password=12345 HTTP/1.1 Host: abc.com
From this, APM would set a session variable called
session.server.landinguri
It would be the user's request URI: "username=sanjai&password=12345".
The other thing we need to know is what the input data is for the "Auth" items, like AD Auth and LDAP Auth, etc. These take their data from a session variable called:
session.logon.last.username
and
session.logon.last.password
Now that we know where the data is and where it needs to go, we just have to make a policy to do it that way. We need to do a few things:
- Make sure the users put something, so validate the input.
- Process the data from "session.server.landinguri" and put it into "session.logon.last.username" / "session.logon.last.password".
We can do these in 1 step because APM's Policy Items let us put any test on each item.
Add a Variable Assign with two entries. The first entry will be:
[Secure] session.logon.last.password = if { [regexp {password=([^&=]+)} [mcget "session.server.landinguri"] foo val] } { return $val } else { return 0 }
The second will be:
[Insecure] session.logon.last.username = if { [regexp {username=([^&=]+)} [mcget "session.server.landinguri"] foo val] } { return $val } else { return 0 }
Now, in Branch Rules, you'd add one more besides Fallback. The one you add will validate that the username and password session variables were set correctly.
expr { [mcget "session.logon.last.username"] != "" && [mcget "session.logon.last.password"] != "" }
I'm having trouble for some reason to add screenshots to this post, but hopefully you can understand from the example what's happening.
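The extraction and check described in the reply above, modelled offline in Python as an added example (this is not APM code and not the author's): `regexp_style` and `posted_branch_rule` mirror the posted Variable Assign expressions and Branch Rule, while `strict_extract` shows a parser that matches the parameter name exactly, percent-decodes the value and treats a missing or blank value as empty. The sample landing URIs are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample landing URIs in the shape the thread describes
# (credentials carried as query parameters of the request URI).
SAMPLES = {
    "both":    "/apm/?username=sanjai&password=12345",
    "missing": "/apm/?username=sanjai",
    "encoded": "/apm/?username=sanjai&password=p%40ss%26word",
    "prefix":  "/apm/?oldpassword=zzz&username=sanjai",
}


def regexp_style(landing_uri, name):
    """Model of the posted Variable Assign expression:
    regexp {name=([^&=]+)} on the landing URI; the capture on a match,
    the string "0" otherwise (the Tcl branch does `return 0`)."""
    m = re.search(re.escape(name) + r"=([^&=]+)", landing_uri)
    return m.group(1) if m else "0"


def posted_branch_rule(username, password):
    """Model of the posted Branch Rule: both values must be non-empty.
    Note that the fallback "0" is non-empty, so it passes this check."""
    return username != "" and password != ""


def strict_extract(landing_uri, name):
    """Parse the query string properly: exact parameter name (so
    'oldpassword' does not satisfy 'password'), percent-decoding applied,
    and "" returned when the parameter is absent or blank."""
    query = urlsplit(landing_uri).query
    values = parse_qs(query, keep_blank_values=True).get(name, [])
    return values[0] if values and values[0] != "" else ""


def strict_branch_rule(landing_uri):
    """Validation that only succeeds when both credentials were really supplied."""
    user = strict_extract(landing_uri, "username")
    pwd = strict_extract(landing_uri, "password")
    return user != "" and pwd != ""
```

Run `regexp_style(SAMPLES["missing"], "password")` and `posted_branch_rule` together to see the missing-password case slip through as "0", and `strict_branch_rule` on the same URI to see it rejected.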
- sanjai_126162Nimbostratus
Thanks a lot for your answer, Thompson.
We have published many web portals and app tunnels in a single VIP, so creating a rule for one application will be difficult.
Could you please assist on how we have to give the exact information in the browser, e.g. https://abc.com/apm/username=sanjai&password=xxxx