mahnsc
Apr 06, 2012Nimbostratus
Multi-Conditional iRule using Basic Auth and 9.4.3
I received a request recently regarding a customer of my customer who
has multiple authentication and authorization requirements for web
service requests. The requirements were broken down as follows:
1. Requests only matching URI named "/uri/" should be validated.
2. Requests with a Content-Type of "text/xml" should be validated.
3. Requests must only be allowed from IP address w.x.y.z
4. Requests must be protected with basic auth userid/password
My OS version is 9.4.3
I have written the following rule, which intends to follow these
guidelines but I have doubts that line 7 will do what I'm hoping it will
do. Building off of the rule from the HTTP Basic Access Authentication
iRule Style article, this is what I currently have:
when HTTP_REQUEST {
if {[HTTP::uri] contains "/uri/"} {
if { [HTTP::header "Content-Type"] contains "text/xml" } {
if { ! ( [IP::addr [IP::client_addr] equals w.x.y.z/m.a.s.k] ) } {
if { [HTTP::header exists Authorization] } {
binary scan [md5 [HTTP::password]] H* password
if { [matchclass [HTTP::username] equals $users] equals $password } {
log local0. "User [HTTP::username] authorized to access /uri/"
} elseif { [string length [HTTP::password]] != 0} {
log local0. "User [HTTP::username] not authorized to access /uri/"
HTTP::respond 401
} else {
HTTP::respond 401
}
}
HTTP::respond 403
log local0. "[IP::client_addr]:[TCP::client_port]: Sending 403 Response"
}
}
}
}
Surprisingly, this saves with no parsing errors but since this is 9.4.3,
class lookup does not work so I needed to convert this to using match
class and now I'm afraid that this won't actually do what I want it to
do, which is check to see if the userid is using a valid
password.I'm also not really certain whether the HTTP::respond 401 after the 'else' is needed but I have it in there now simply to include the 'else'. Can someone take a few moments to look this over and let me know where I need to make some changes?