Forum Discussion
Kevin_Stewart
Oct 24, 2012Employee
You're talking about something I'd call "post-access authentication". Take a look at this section of the Wiki for SSL client certificate authentication.
https://devcentral.f5.com/wiki/iRules.SSL__authenticate.ashx
Unfortunately, neither ACA nor APM natively do post-access authentication in this way (currently), so I can potentially think of three ways to solve this:
ACA -
The iRule that implements LDAP in ACA (_sys_auth_ldap) calls AUTH::authenticate from the HTTP_REQUEST event. You could create a conditional that only calls AUTH::authenticate if the URI starts with "/test" AND the user isn't presenting a valid session token. Replace the final HTTP::release in the AUTH_RESULT event with an HTTP::respond 302 redirect back to the requested VIP and with a new session token (unique ID stored in a table).
APM -
The HTTP_REQUEST event is called before the initial access policy redirect and start, so you could probably just do an ACCESS::disable in the HTTP_REQUEST event as long as the URI does not start with "/test".
when HTTP_REQUEST {
    # Bypass the APM access policy for everything outside /test
    if { not ( [HTTP::uri] starts_with "/test" ) } {
        ACCESS::disable
    }
}
TWO-VIP (ACA or APM)
1. User accesses site without authentication
2. User attempts to access "/test", does not have a token, so is redirected to another VIP to do authentication
3. User accesses authentication VIP, authenticates (ACA or APM), and is redirected back to originating site with a token
4. Originating site evaluates token (mapped to auth data acquired by auth VIP) and allows access to "/test"
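The ACA variant spelled out as an iRule. This is an added illustration, not the poster's code and not the stock _sys_auth_ldap rule; it assumes an LDAP auth profile named "default_ldap", a cookie named "TESTAUTH", a subtable named "testauth" and a 10-minute idle timeout, all of which are arbitrary choices. The same opaque-token-in-a-table mechanism is what step 4 of the two-VIP flow above relies on when the originating VIP evaluates the token handed back by the auth VIP.

```tcl
# Hypothetical iRule (added example, not from the original post or from
# F5's _sys_auth_ldap). Assumed names: auth profile "default_ldap",
# cookie "TESTAUTH", subtable "testauth", 600-second idle timeout.
when CLIENT_ACCEPTED {
    set auth_sid 0
}

when HTTP_REQUEST {
    # Everything outside /test passes through with no authentication
    if { not ([HTTP::uri] starts_with "/test") } {
        return
    }

    # A request carrying a token that is still in the session table is
    # already authenticated; "table lookup" also refreshes its idle timer
    set token [HTTP::cookie "TESTAUTH"]
    if { $token ne "" && [table lookup -subtable testauth $token] ne "" } {
        return
    }

    # No valid token: demand Basic credentials so ACA has something to check
    if { [HTTP::username] eq "" } {
        HTTP::respond 401 WWW-Authenticate "Basic realm=\"test\"" Connection close
        return
    }

    # Remember where the user was going, then hand the credentials to ACA
    set orig_uri [HTTP::uri]
    set auth_sid [AUTH::start pam default_ldap]
    AUTH::username_credential $auth_sid [HTTP::username]
    AUTH::password_credential $auth_sid [HTTP::password]
    AUTH::authenticate $auth_sid
    # Hold the request until AUTH_RESULT fires
    HTTP::collect
}

when AUTH_RESULT {
    if { [AUTH::status] == 0 } {
        # Success: mint an opaque token, store it keyed to the user, and
        # redirect back (the 302 the post describes) so the browser replays
        # the original request with the cookie instead of re-authenticating.
        # rand() is adequate for illustration only; see the note below.
        binary scan [sha256 "[IP::client_addr]:[clock clicks]:[expr {rand()}]"] H* token
        table set -subtable testauth $token [HTTP::username] 600 indef
        HTTP::respond 302 \
            Location "https://[HTTP::host]$orig_uri" \
            Set-Cookie "TESTAUTH=$token; Path=/test; Secure; HttpOnly" \
            Connection close
    } else {
        # LDAP rejected the credentials: ask again rather than releasing
        HTTP::respond 401 WWW-Authenticate "Basic realm=\"test\"" Connection close
    }
}
```

Two practical notes. The token is the only thing protecting /test after the first login, so it must be unguessable: rand() is not a cryptographic generator, and a production rule should derive the token from a proper random source such as the key material returned by AES::key. And because the browser caches Basic credentials, the cookie check deliberately runs before the credential check; otherwise every request to /test would round-trip to LDAP even after a successful login.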