10 replies Latest Post - ‏2013-06-05T09:31:42Z by swlinn
SystemAdmin
6772 Posts

HTML forms based login policy

2012-05-08T14:58:51Z
Hi,

I have a web application firewall that is providing perimeter security to a web application. I am using HTML forms based login policy in AAA.

As per my understanding, all the HTTP requests coming into the firewall (GET and POST) should be allowed to go through as long as they contain a valid cookie.

There are some JSON/HTTP-POST calls originating from the browser. For some reason, these calls are not being let through the firewall. I am getting 'AAA authorization failed' error.

As a work around, I grouped the JSON/HTTP POST calls as a separate web request profile and disabled AAA. If I add any kind of AAA policy for this profile, it is resulting in 'AAA authorization failed'. Even if I choose 'Always allow'.

Please help me solve this issue.

FYR
http://publib.boulder.ibm.com/infocenter/ieduasst/v1r1m0/topic/com.ibm.iea.wdatapower/wdatapower/1.0/xa35/380DataPowerApplicationOptimization.pdf
Updated on 2013-01-07T04:23:05Z at 2013-01-07T04:23:05Z by SystemAdmin
  • swlinn
    1330 Posts

    Re: HTML forms based login policy

    2012-05-10T02:08:02Z in response to SystemAdmin
    You always get an authorization error IF your authentication step fails as well. Place your domain logging to debug level and enable the probe. Your logs should show, step by step, the extract identity, authentication, extract resource, and authorization steps. Also, in the probe, click on the spy glass after the AAA action and look at the debug context variables for AAA, particularly what is input to your authentication step.

    Regards,
    Steve
    • SystemAdmin
      6772 Posts

      Re: HTML forms based login policy

      2012-05-10T20:59:34Z in response to swlinn
      Steve,

      The probe is not getting enabled for Web Application Firewall for some reason. I tried enabling it from the Troubleshooting panel as well. Are you sure the probe is supposed to work for the Web Application Firewall object?
      • swlinn
        1330 Posts

        Re: HTML forms based login policy

        2012-05-11T03:58:03Z in response to SystemAdmin
        Sorry, I missed that you were referencing a WAF. So what do your logs say about other steps in the AAA policy? Is authentication succeeding?

        Regards,
        Steve
        • SystemAdmin
          6772 Posts

          Re: HTML forms based login policy

          2012-05-13T19:19:24Z in response to swlinn
          Here's what I see in the logs when the WAF is denying the JSON/HTTP-POST requests:

          0x80c0007b stylepolicy (default): No error rule is matched.
          0x02030015 web-application-firewall (TestWaf): AAA violation
          0x80e0010b web-application-firewall (TestWaf): Request validation failed: AAA violation
          0x80e0051c web-application-firewall (TestWaf): AAA Authorization step complete - identity unknown
          0x80e0051b web-application-firewall (TestWaf): AAA authorization failed
          0x80c00037 web-application-firewall (TestWaf): Reject set: Rejected by policy.
          0x80e0051a web-application-firewall (TestWaf): Running AAA without using request body
          0x80e004d2 web-application-firewall (TestWaf): Application Firewall Requires Body Inspection

          I see that the Cookie is being sent in the request and I am expecting the WAF to let it through. For some reason it is denying the HTTP-POST requests. Do you think it is trying to extract credentials from the HTTP body instead of the cookie?
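          The log excerpt above is the kind of evidence Steve asked for, and it is easier to read once the lines are put back into chronological order (the DataPower log viewer lists the newest entry first) and each AAA message is mapped to the step it belongs to. The following Python is an added example, not code from the thread or from IBM: it parses the eight quoted lines (embedded here as a constructed sample in the viewer's order), reverses them, and reports what they show about the AAA run. The message-to-step mapping is an assumption based only on the wording of the messages themselves; the "identity unknown" classification means the authorization step ran without an identity, so the earlier extract-identity and authentication steps are where to look.

```python
import re
from dataclasses import dataclass

# Constructed sample: the log lines quoted in the post, in the order the
# DataPower log viewer displays them (newest first).
SAMPLE_LOG = """\
0x80c0007b stylepolicy (default): No error rule is matched.
0x02030015 web-application-firewall (TestWaf): AAA violation
0x80e0010b web-application-firewall (TestWaf): Request validation failed: AAA violation
0x80e0051c web-application-firewall (TestWaf): AAA Authorization step complete - identity unknown
0x80e0051b web-application-firewall (TestWaf): AAA authorization failed
0x80c00037 web-application-firewall (TestWaf): Reject set: Rejected by policy.
0x80e0051a web-application-firewall (TestWaf): Running AAA without using request body
0x80e004d2 web-application-firewall (TestWaf): Application Firewall Requires Body Inspection
"""

# <hex code> <object type> (<object name>): <message>
LINE_RE = re.compile(r"^(0x[0-9a-f]{8}) (\S+) \(([^)]*)\): (.*)$")


@dataclass
class LogEvent:
    code: str
    object_type: str
    object_name: str
    message: str


def parse_log(text):
    """Parse lines of the form shown in the post; lines that do not match are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append(LogEvent(*m.groups()))
    return events


def aaa_triage(text, newest_first=True):
    """Summarise what the log shows about the AAA run for one transaction."""
    events = parse_log(text)
    if newest_first:
        events = list(reversed(events))  # put the entries into chronological order
    msgs = [e.message for e in events]

    def seen(fragment):
        return any(fragment.lower() in m.lower() for m in msgs)

    result = {
        "chronological_codes": [e.code for e in events],
        "body_inspection_required": seen("Requires Body Inspection"),
        "aaa_ran_without_body": seen("without using request body"),
        "identity_unknown": seen("identity unknown"),
        "authorization_failed": seen("AAA authorization failed"),
        # No message about extract identity or authentication succeeding appears,
        # which is exactly what Steve suggested checking first.
        "authentication_success_logged": seen("authentication") and not seen("identity unknown"),
    }
    if result["identity_unknown"]:
        result["stage"] = "identity"  # authorization ran, but with no identity; look upstream
    elif result["authorization_failed"]:
        result["stage"] = "authorization"
    else:
        result["stage"] = "none"
    return result


if __name__ == "__main__":
    summary = aaa_triage(SAMPLE_LOG)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

          Run against the quoted excerpt, the chronological view starts with the body-inspection and "Running AAA without using request body" messages and ends with the reject, and the summary flags that authorization completed with an unknown identity, which supports checking the extract-identity and authentication inputs rather than the authorization policy itself.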
    • SystemAdmin
      6772 Posts

      Re: HTML forms based login policy

      2012-05-14T14:35:50Z in response to swlinn
      If I have to read and validate the cookie manually, how can I do it?
      Do you know how exactly the cookie is encrypted when we use HTML Forms based login policy?
      • SystemAdmin
        6772 Posts

        Re: HTML forms based login policy

        2013-01-07T04:23:05Z in response to SystemAdmin
        Hi Vamsi,
        Did you resolve this issue? If so, please share the fix details. I am having a similar issue with the AAA policy for the WAF.
        Thanks
        • vamssi
          5 Posts

          Re: HTML forms based login policy

          2013-04-30T18:19:09Z in response to SystemAdmin

          Probe for WAF is working in firmware v5. Now I see that it's not an AU problem. It's failing before that. The JSON/HTTP-POST calls are failing at the Convert Query Params action (implicit). Still working on the problem.


          • swlinn
            1330 Posts

            Re: HTML forms based login policy

            2013-06-05T09:31:42Z in response to vamssi

            What is your service request type? JSON? Since you're saying the action is implicit, my guess is that it is, so under the covers a convert action is being done and is failing if the JSON is malformed. If you are doing your own convert action, ensure you have the encoding object with type = JSON. Do you see any related logs for your transaction? If you don't have your own convert action, for a test I'd change the request type to Non-XML and place a convert action with an encoding object with type=JSON as your first action. Then you should see this request in the probe, which will make it easier to triage.

            Regards,

            Steve
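            Steve's point is that with a JSON request type the implicit convert step rejects a malformed body before AAA ever runs, so the first thing to verify is whether the browser's POST is actually well-formed JSON and carries the content type and cookie the policy expects. The Python below is an added example (not from the thread or from IBM) that performs that pre-flight check on a raw HTTP request: it splits headers from body, reads Content-Type and Cookie, and runs the body through a strict JSON parser, reporting the parse position on failure. Both sample requests are constructed; the host name, path and cookie value are placeholders.

```python
import json

# Constructed sample requests (not captured from the thread's environment):
# a well-formed JSON POST and a copy with a trailing comma, which a strict
# JSON parser rejects.
GOOD_REQUEST = (
    "POST /api/orders HTTP/1.1\r\n"
    "Host: app.example.invalid\r\n"  # placeholder host
    "Content-Type: application/json\r\n"
    "Cookie: DPSESSION=constructed-sample-value\r\n"  # placeholder cookie
    "\r\n"
    '{"item": "widget", "qty": 2}'
)
BAD_REQUEST = GOOD_REQUEST.replace(
    '{"item": "widget", "qty": 2}', '{"item": "widget", "qty": 2,}'
)


def split_request(raw):
    """Split a raw HTTP/1.1 request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def preflight_json_post(raw):
    """Check what an implicit JSON convert step would see: media type, cookie, body syntax."""
    request_line, headers, body = split_request(raw)
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    result = {
        "method": request_line.split(" ")[0],
        "media_type": media_type,
        "is_json_type": media_type == "application/json",
        "has_cookie": "cookie" in headers,
        "well_formed_json": None,  # stays None when the body is not declared as JSON
        "json_error": None,
    }
    if result["is_json_type"]:
        try:
            json.loads(body)  # strict parse, like the convert step Steve describes
            result["well_formed_json"] = True
        except json.JSONDecodeError as exc:
            result["well_formed_json"] = False
            result["json_error"] = f"{exc.msg} at line {exc.lineno} column {exc.colno}"
    return result


if __name__ == "__main__":
    for label, req in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST)):
        print(label, preflight_json_post(req))
```

            A request that reports `well_formed_json: False` here would fail the implicit convert in the same way, which matches vamssi's finding that the calls die before the AAA step; a request that passes this check but is still rejected points back at the AAA policy itself.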

        • vamssi
          5 Posts

          Re: HTML forms based login policy

          2013-06-04T20:42:12Z in response to SystemAdmin

          For JSON calls to pass through AAA policy, you can create a URL rewrite policy that can change the content type to something other than JSON (e.g. 'application/text'). You can revert back the content type in AAA post processing step or XSL action in the Side Effect rule.

          • Rohit-Goyal
            104 Posts

            Re: HTML forms based login policy

            2013-06-05T02:24:23Z in response to vamssi

            Hi Vamssi,

            Do you mean that with a JSON payload/call, AAA fails?

            Can you share some more information about what exactly you are trying to describe here?

            Rohit