Posted in : NetScaler By Simon Gottschlag Translate with Google ⟶

4 years ago

I have a scenario where I need to use AAA / Unified Gateway to authenticate users, but would like to pass-through valid tokens directly to the API without using AAA – if the token is valid.
My solution was to create a callout in NetScaler to validate the token, and if valid allow access through to the backend. This may also be used in other cases like providing cached API responses from NetScaler.

# Create the callout policy, in my case I'm using the internal load balancer for the API where I'm not using AAA
# The endpoint /api/netscaler/tokenvalidation will return status code 200 if the authorization is valid
add policy httpCallout CALLOUT_WEBAPP_API_BEARER -vServer LB-INT_WEBAPP_API -returnType NUM -hostExpr "HTTP.REQ.HEADER(\"Host\")" -urlStemExpr "\"/api/netscaler/tokenvalidation\"" -headers Authorization(HTTP.REQ.HEADER("Authorization")) -scheme http -resultExpr HTTP.RES.STATUS -cacheForSecs 3600
# Create a new load balancer where AAA is disabled
add lb vserver LB-WEBAPP_API_NOAUTH SSL 0.0.0.0 0 -persistenceType COOKIEINSERT -timeout 0 -persistenceBackup SOURCEIP -backupPersistenceTimeout 30 -persistMask 255.255.255.255 -cltTimeout 180
bind ssl vserver LB-WEBAPP_API_NOAUTH -certkeyName wildcard-cert
bind lb vserver LB-WEBAPP_API_NOAUTH SVC-WEBAPP01_HTTP
bind lb vserver LB-WEBAPP_API_NOAUTH SVC-WEBAPP02_HTTP
# Create new content switching actions, policies and policy labels
add cs action CSA-LB-WEBAPP_API_NOAUTH -targetLBVserver LB-WEBAPP_API_NOAUTH
# Using HTTP.REQ.USER.NAME.EQ(0) to validate that the user isn't authenticated
# Using SYS.HTTP_CALLOUT(CALLOUT_WEBAPP_API_BEARER).EQ(200) to validate if the token is valid or not
add cs policy CSP-WEBAPP-API_NOAUTH-NOOP -rule "EXP_ADV_HOSTHEADER_WEBAPP && HTTP.REQ.URL.PATH.SET_TMODE(IGNORECASE).STARTSWITH(\"/api/\") && HTTP.REQ.USER.SESSIONID.LENGTH.EQ(0)"
add cs policy CSP-WEBAPP-API_NOAUTH -rule "EXP_ADV_HOSTHEADER_WEBAPP && HTTP.REQ.URL.PATH.SET_TMODE(IGNORECASE).STARTSWITH(\"/api/\") && HTTP.REQ.USER.SESSIONID.LENGTH.EQ(0) && SYS.HTTP_CALLOUT(CALLOUT_WEBAPP_API_BEARER).EQ(200)" -action CSA-LB-WEBAPP_API_NOAUTH
add cs policylabel CSPL-WEBAPP_API_NOAUTH SSL
bind cs policylabel CSPL-WEBAPP_API_NOAUTH CSP-WEBAPP-API_NOAUTH 100
bind cs policylabel CSPL-WEBAPP_API_NOAUTH CSP-WEBAPP-API 110 # This one was already being used in the "normal" content switching
bind cs vserver <CS vServer> -policyName CSP-WEBAPP-API_NOAUTH-NOOP -priority 99 -invoke policylabel CSPL-WEBAPP_API_NOAUTH
bind cs vserver <CS vServer> -policyName CSP-WEBAPP-NOOP -priority 100 -invoke policylabel CSPL-WEBAPP # This one was already bound

It works like a charm! If you have any feedback or questions, feel free to leave a comment.

Tags :

Personlig rådgivning

Vi erbjuder personlig rådgivning med författaren för 1400 SEK per timme. Anmäl ditt intresse i här så återkommer vi så snart vi kan.

Add comment

Your comment will be revised by the site if needed.