Hi Stephan,
you could use an iRule to require SSL certificate auth for everything except the /java-applets/* download location. Access to /java-applets/* will then become anonymously accessible...
when CLIENTSSL_CLIENTCERT {
    if { [SSL::cert count] > 0 } {
        # Client certificate is available. Releasing the HTTP request...
        HTTP::release
    }
}
when HTTP_REQUEST {
    if { [HTTP::path] starts_with "/java-applets/" } then {
        # Allow the request
    } else {
        if { [SSL::cert count] == 0 } {
            # Client certificate not found. Trigger SSL renegotiation and hold the HTTP request until a cert is presented...
            HTTP::collect
            SSL::cert mode require
            SSL::renegotiate
        } else {
            # Allow the request
        }
    }
}
Another approach would be to set a persistent cookie after certificate authentication is verified and then grant access to /java-applets/* based on the presence of a valid cookie value...
Note: I can't tell you if your JavaApplication is able to access the persistent HTTP cookies of your browser session. But you may give it a try...
when RULE_INIT {
    set static::applet_cookie_aes_key "AES 128 3d2751ac173029ff4c70c7e7054225ae"
    set static::applet_cookie_timeout 120 ;# Seconds
}
when CLIENTSSL_CLIENTCERT {
    if { [SSL::cert count] > 0 } {
        # Client certificate is available. Releasing the HTTP request...
        HTTP::release
    }
}
when HTTP_REQUEST {
    if { [HTTP::path] starts_with "/java-applets/" } then {
        set insert_session_cookie 0
        if { [set auth_cookie [HTTP::cookie value "Auth_Cookie"]] ne "" } then {
            # Session cookie is present. Check if the cookie can be decrypted and if the contained clock value is still valid.
            # The "string is integer" test keeps a cookie that decrypts to non-numeric data from raising a TCL error in expr.
            if { not ( [catch { set auth_cookie [AES::decrypt $static::applet_cookie_aes_key [b64decode $auth_cookie]] } ] ) and
                 ( [string is integer -strict $auth_cookie] ) and
                 ( [clock seconds] < [expr { $auth_cookie + $static::applet_cookie_timeout } ] ) } then {
                # Clock value is verified. Allow the request...
                return
            }
        }
        HTTP::respond 403 content "Access Denied! Visit https://[HTTP::host]/ first to get access..." noserver "Content-Type" "text/html"
    } else {
        set insert_session_cookie 1
        if { [SSL::cert count] == 0 } {
            # Client certificate not found. Trigger SSL renegotiation and hold the HTTP request until a cert is presented...
            HTTP::collect
            SSL::cert mode require
            SSL::renegotiate
        }
    }
}
when HTTP_RESPONSE {
    if { ( $insert_session_cookie ) and
         ( [HTTP::header "Content-Type"] contains "text/html" ) } then {
        # Inject a persistent HTTP cookie containing an encrypted clock value for Java Applet access.
        HTTP::header insert "Set-Cookie" "Auth_Cookie=[b64encode [AES::encrypt $static::applet_cookie_aes_key [clock seconds]]];Secure;Path=/"
        HTTP::cookie expires "Auth_Cookie" $static::applet_cookie_timeout relative
    }
}
Note: In both cases you need to reconfigure the Client_SSL_Profile with Renegotiation=Enabled and Client Certificate=Ignore to be able to selectively force the cert authentication.
Cheers, Kai
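The cookie-based variant above is a stateless, time-bounded bearer token: the response after certificate auth mints a cookie carrying the issue time, and the /java-applets/ branch admits a request only while that time plus the timeout is still in the future. The following model of that decision table is an added example written for this page, not Kai's iRule and not BIG-IP code. Because Python's standard library has no AES, it substitutes an HMAC-SHA256 tag over the timestamp for AES::encrypt/AES::decrypt; the cookie name, the 120-second timeout and the comparison mirror the iRule, while the key, the function names and the action labels are assumptions chosen here.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed key for this example; the iRule keeps its key in a static:: variable set in RULE_INIT.
COOKIE_KEY = secrets.token_bytes(32)
COOKIE_NAME = "Auth_Cookie"
COOKIE_TIMEOUT = 120          # seconds, same as static::applet_cookie_timeout
TAG_LEN = hashlib.sha256().digest_size


def mint_auth_cookie(issued_at: int, key: bytes = COOKIE_KEY) -> str:
    """Counterpart of the HTTP_RESPONSE branch: bind the issue time into an opaque cookie value.

    The timestamp carries no secret, so it travels in the clear; the HMAC tag stands in for
    AES::encrypt and makes any change to the timestamp detectable at check time.
    """
    payload = str(issued_at).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def set_cookie_header(cookie_value: str, timeout: int = COOKIE_TIMEOUT) -> str:
    """Set-Cookie header value with the attributes the iRule sets (Secure, Path=/ and a relative expiry)."""
    return f"{COOKIE_NAME}={cookie_value}; Secure; Path=/; Max-Age={timeout}"


def cookie_is_valid(cookie: str, now: int, key: bytes = COOKIE_KEY, timeout: int = COOKIE_TIMEOUT) -> bool:
    """Counterpart of the /java-applets/ check: decode, verify integrity, then apply the relative timeout."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:              # binascii.Error is a ValueError: malformed base64 is simply rejected
        return False
    if len(raw) <= TAG_LEN:
        return False
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False                # tampered or forged cookie (the iRule's catch around AES::decrypt)
    if not payload.isdigit():
        return False                # the iRule's "string is integer" guard
    return now < int(payload) + timeout   # same comparison as the iRule's expr


def handle_request(path: str, has_client_cert: bool, auth_cookie, now: int) -> str:
    """Decision table of the iRule's HTTP_REQUEST event, returned as a label instead of a BIG-IP action."""
    if path.startswith("/java-applets/"):
        if auth_cookie is not None and cookie_is_valid(auth_cookie, now):
            return "allow"              # iRule: return, request passes to the pool
        return "deny_403"               # iRule: HTTP::respond 403
    if not has_client_cert:
        return "require_cert"           # iRule: HTTP::collect; SSL::cert mode require; SSL::renegotiate
    return "allow_set_cookie"           # iRule: insert_session_cookie 1, cookie added to the HTML response


if __name__ == "__main__":
    # Constructed walk-through: first visit with a cert, then the applet download within and after the window.
    issued = 1_700_000_000
    cookie = mint_auth_cookie(issued)
    print(set_cookie_header(cookie))
    print(handle_request("/index.html", True, None, issued))
    print(handle_request("/java-applets/app.jar", False, cookie, issued + 60))
    print(handle_request("/java-applets/app.jar", False, cookie, issued + COOKIE_TIMEOUT))
```

The model makes the trust boundary of the scheme visible: the applet path never sees the client certificate, so everything rests on the key staying secret and on the clock check, and the 403 branch is reached for a missing, tampered or expired cookie alike.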