Topic
  • 10 replies
  • Latest Post - ‏2013-06-05T09:31:42Z by swlinn
SystemAdmin
SystemAdmin
6772 Posts

Pinned topic HTML forms based login policy

‏2012-05-08T14:58:51Z |
Hi,

I have a web application firewall that is providing perimeter security to a web application. I am using HTML forms based login policy in AAA.

As per my understanding, all the HTTP requests coming in to the firewall (GET and POST) should be allowed to go through as long as they contain a valid cookie.

There are some JSON/HTTP-POST calls originating from the browser. For some reason, these calls are not being let through the firewall. I am getting 'AAA authorization failed' error.

As a work around, I grouped the JSON/HTTP POST calls as a separate web request profile and disabled AAA. If I add any kind of AAA policy for this profile, it is resulting in 'AAA authorization failed'. Even if I choose 'Always allow'.

Please help me solve this issue.

FYR
http://publib.boulder.ibm.com/infocenter/ieduasst/v1r1m0/topic/com.ibm.iea.wdatapower/wdatapower/1.0/xa35/380DataPowerApplicationOptimization.pdf
Updated on 2013-01-07T04:23:05Z at 2013-01-07T04:23:05Z by SystemAdmin
  • swlinn
    swlinn
    1348 Posts

    Re: HTML forms based login policy

    ‏2012-05-10T02:08:02Z  
    You always get an authorization error IF your authentication step fails as well. Set your domain logging to debug level and enable the probe. Your logs should show, step by step, the extract identity, authentication, extract resource, and authorization steps. Also, in the probe, click on the spy glass after the AAA action and look at the debug context variables for AAA, particularly what is input to your authentication step.

    Regards,
    Steve
  • SystemAdmin
    SystemAdmin
    6772 Posts

    Re: HTML forms based login policy

    ‏2012-05-10T20:59:34Z  
    • swlinn
    • ‏2012-05-10T02:08:02Z
    You always get an authorization error IF your authentication step fails as well. Set your domain logging to debug level and enable the probe. Your logs should show, step by step, the extract identity, authentication, extract resource, and authorization steps. Also, in the probe, click on the spy glass after the AAA action and look at the debug context variables for AAA, particularly what is input to your authentication step.

    Regards,
    Steve
    Steve,

    The probe is not getting enabled for Web Application Firewall for some reason. I tried enabling from the Troubleshooting panel as well. Are you sure probe is supposed to work for Web Application Firewall object?
  • swlinn
    swlinn
    1348 Posts

    Re: HTML forms based login policy

    ‏2012-05-11T03:58:03Z  
    Steve,

    The probe is not getting enabled for Web Application Firewall for some reason. I tried enabling from the Troubleshooting panel as well. Are you sure probe is supposed to work for Web Application Firewall object?
    Sorry, I missed that you were referencing a WAF. So what do your logs say about other steps in the AAA policy? Is authentication succeeding?

    Regards,
    Steve
  • SystemAdmin
    SystemAdmin
    6772 Posts

    Re: HTML forms based login policy

    ‏2012-05-13T19:19:24Z  
    • swlinn
    • ‏2012-05-11T03:58:03Z
    Sorry, I missed that you were referencing a WAF. So what do your logs say about other steps in the AAA policy? Is authentication succeeding?

    Regards,
    Steve
    Here's what I see in the logs when the WAF is denying the JSON/HTTP-POST requests

    0x80c0007b stylepolicy (default): No error rule is matched.
    0x02030015 web-application-firewall (TestWaf): AAA violation
    0x80e0010b web-application-firewall (TestWaf): Request validation failed: AAA violation
    0x80e0051c web-application-firewall (TestWaf): AAA Authorization step complete - identity unknown
    0x80e0051b web-application-firewall (TestWaf): AAA authorization failed
    0x80c00037 web-application-firewall (TestWaf): Reject set: Rejected by policy.
    0x80e0051a web-application-firewall (TestWaf): Running AAA without using request body
    0x80e004d2 web-application-firewall (TestWaf): Application Firewall Requires Body Inspection

    I see that the Cookie is being sent in the request and I am expecting the WAF to let it through. For some reason it is denying the HTTP-POST requests. Do you think it is trying to extract credentials from the HTTP body instead of the cookie?
  • SystemAdmin
    SystemAdmin
    6772 Posts

    Re: HTML forms based login policy

    ‏2012-05-14T14:35:50Z  
    • swlinn
    • ‏2012-05-10T02:08:02Z
    You always get an authorization error IF your authentication step fails as well. Set your domain logging to debug level and enable the probe. Your logs should show, step by step, the extract identity, authentication, extract resource, and authorization steps. Also, in the probe, click on the spy glass after the AAA action and look at the debug context variables for AAA, particularly what is input to your authentication step.

    Regards,
    Steve
    If I have to read and validate the cookie manually, how can I do it?
    Do you know how exactly the cookie is encrypted when we use HTML Forms based login policy?
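    The thread does not say how DataPower encrypts its forms-login cookie, so that cannot be reproduced here. What can be shown is the behaviour the original poster expects from the WAF: once a login form has issued a session cookie, later GET and POST requests are authorized from that cookie alone, and body inspection (JSON or form) is a separate step that runs after the identity is known. The following is an added, self-contained model written for this page, not DataPower's own code or cookie format. The HMAC-signed token layout, the cookie name DPSESSION, the SECRET_KEY, and the USERS table are all assumptions constructed for the example.

```python
import hashlib
import hmac
import json
from urllib.parse import parse_qs

# Constructed demo values (assumptions, not DataPower's real scheme).
SECRET_KEY = b"constructed-demo-key-not-for-production"
COOKIE_NAME = "DPSESSION"            # assumed cookie name
SESSION_TTL = 3600                   # seconds
USERS = {"vamsi": "correct horse"}   # constructed credential store


def issue_session_cookie(username, now):
    """Build a signed session token of the form user|expiry|hmac."""
    expiry = now + SESSION_TTL
    payload = f"{username}|{expiry}"
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_session_cookie(token, now):
    """Return the username for a well-formed, correctly signed, unexpired token, else None."""
    parts = token.split("|")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    username, expiry, mac = parts
    payload = f"{username}|{expiry}"
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):   # constant-time comparison
        return None
    if now >= int(expiry):
        return None
    return username


def cookie_from_headers(headers):
    """Extract the session token from a Cookie header, if present."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME and value:
            return value
    return None


def validate_body(headers, body):
    """Parse the body according to Content-Type; return (ok, detail)."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype == "application/json":
        try:
            json.loads(body)
        except ValueError as exc:
            return False, f"malformed JSON: {exc}"
        return True, "json"
    if ctype == "application/x-www-form-urlencoded":
        parse_qs(body)   # tolerant of odd input, never raises
        return True, "form"
    return True, "unparsed"   # other types pass through as opaque bytes


def handle_request(method, path, headers, body, now):
    """Gateway decision as (status, reason). The login form is the only
    request whose body is needed to establish an identity."""
    if method == "POST" and path == "/login":
        form = parse_qs(body)
        user = form.get("username", [""])[0]
        pw = form.get("password", [""])[0]
        if user not in USERS or not hmac.compare_digest(USERS[user].encode(), pw.encode()):
            return 401, "login failed"
        return 303, f"{COOKIE_NAME}={issue_session_cookie(user, now)}; HttpOnly; Secure"
    # Step 1: extract identity and authenticate from the cookie alone.
    token = cookie_from_headers(headers)
    user = verify_session_cookie(token, now) if token else None
    if user is None:
        return 401, "AAA authorization failed: identity unknown"
    # Step 2: body inspection runs only after the identity is established,
    # so a bad JSON body is a validation failure, not an authorization one.
    ok, detail = validate_body(headers, body)
    if not ok:
        return 400, f"request validation failed: {detail}"
    return 200, f"allowed {method} {path} for {user} ({detail})"
```

The ordering in handle_request is the point: a JSON POST carrying a valid cookie is authorized before its body is ever parsed, and a malformed body is reported as a validation failure rather than as "identity unknown". When a gateway reports the latter for a request that does carry the cookie, the identity-extraction step is not reading the cookie, which is the symptom the log lines in this thread show.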
  • SystemAdmin
    SystemAdmin
    6772 Posts

    Re: HTML forms based login policy

    ‏2013-01-07T04:23:05Z  
    If I have to read and validate the cookie manually, how can I do it?
    Do you know how exactly the cookie is encrypted when we use HTML Forms based login policy?
    Hi Vamsi,
    Did you resolve this issue, if so please share the fix details, I am having similar issue with the AAA policy for the WAF.
    Thanks
  • vamssi
    vamssi
    5 Posts

    Re: HTML forms based login policy

    ‏2013-04-30T18:19:09Z  
    Hi Vamsi,
    Did you resolve this issue, if so please share the fix details, I am having similar issue with the AAA policy for the WAF.
    Thanks

    Probe for WAF is working in firmware v5. Now, I see that it's not an AU problem. It's failing before that. The JSON/HTTP-POST calls are failing at the Convert Query Params action (implicit). Still working on the problem.


  • vamssi
    vamssi
    5 Posts

    Re: HTML forms based login policy

    ‏2013-06-04T20:42:12Z  
    Hi Vamsi,
    Did you resolve this issue, if so please share the fix details, I am having similar issue with the AAA policy for the WAF.
    Thanks

    For JSON calls to pass through the AAA policy, you can create a URL rewrite policy that changes the content type to something other than JSON (e.g. 'application/text'). You can revert the content type in the AAA post-processing step or in an XSL action in the Side Effect rule.

  • Rohit-Goyal
    Rohit-Goyal
    133 Posts

    Re: HTML forms based login policy

    ‏2013-06-05T02:24:23Z  
    • vamssi
    • ‏2013-06-04T20:42:12Z

    For JSON calls to pass through the AAA policy, you can create a URL rewrite policy that changes the content type to something other than JSON (e.g. 'application/text'). You can revert the content type in the AAA post-processing step or in an XSL action in the Side Effect rule.

    Hi Vamssi, 

    Do you mean with JSON payload/call, AAA fails? 

    Can you share some more information what exactly you are trying to share here?

    Rohit

  • swlinn
    swlinn
    1348 Posts

    Re: HTML forms based login policy

    ‏2013-06-05T09:31:42Z  
    • vamssi
    • ‏2013-04-30T18:19:09Z

    Probe for WAF is working in firmware v5. Now, I see that it's not an AU problem. It's failing before that. The JSON/HTTP-POST calls are failing at the Convert Query Params action (implicit). Still working on the problem.


    What is your service request type? JSON? Since you're saying the action is implicit, my guess is that it is, so under the covers a convert action is being done and is failing if the JSON is malformed. If you are doing your own convert action, ensure you have the encoding object with type = JSON. Do you see any related logs for your transaction? If you don't have your own convert action, for a test, I'd change the request type to Non-XML and place a convert action with an encoding object with type=JSON as your first action. Then you should see this request in the probe, which will make it easier to triage.

    Regards,

    Steve