IBM Security Verify


How to configure webseal to ignore "Authorization" header for a specific junction?

  • 1.  How to configure webseal to ignore "Authorization" header for a specific junction?

    IBM Champion
    Posted Tue November 29, 2022 04:59 AM
    Hello ISAM-ers,

    We have a specific reverse proxy where we need to configure ISAM/WebSEAL to completely ignore the incoming Authorization header but still forward it to the backend.
    I was under the assumption that simply configuring the junction with "HTTP Basic Authentication Header" set to "Ignore" would be enough, but ISAM still tries to validate the credentials coming in the Authorization header.

    Does anybody have an idea of what I am missing to achieve the behavior we need?


    Thanks for any input that could help us!

    ------------------------------
    André Leruitte
    ------------------------------


  • 2.  RE: How to configure webseal to ignore "Authorization" header for a specific junction?

    Posted Tue November 29, 2022 05:17 PM

    Andre,


    Which authentication mechanisms do you have enabled in your WebSEAL configuration? It sounds like you have an authentication mechanism enabled which is trying to use the Authorization header and failing (e.g. BA, OAuth, etc.).


    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor


  • 3.  RE: How to configure webseal to ignore "Authorization" header for a specific junction?

    IBM Champion
    Posted Thu December 01, 2022 07:32 AM
    Hi Scott,

    Thank you for your reply.


    BA is indeed enabled at the RP level:
    [ba]
    ba-auth = https

    We specifically try to disable it for one junction, but ISAM still tries to validate the credentials coming in the Authorization header:
    [server:/myJunctionThatNeedsToIgnoreBA]
    auth-challenge-type = none


    Am I missing something about the correct way to ignore BA for a specific junction?

    For reference, we are using ISAM v10.0.1



    ------------------------------
    André Leruitte
    ------------------------------



  • 4.  RE: How to configure webseal to ignore "Authorization" header for a specific junction?

    Posted Thu December 01, 2022 02:49 PM

    Andre,


    Just so I understand your use-case correctly, it sounds like you need basic authentication enabled for some junctions and disabled for others? For the disabled junctions you want WebSEAL to ignore the Authorization header and pass it through to the junctioned server?


    Unfortunately there is no way at the moment to selectively enable authentication mechanisms for different junctions.


    The 'auth-challenge-type' configuration entry is not going to help because it controls the authentication challenge (i.e. the generation of the 401 response).  It does not control the processing of authentication requests.


    I know that this is not what you want to hear.


    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor


  • 5.  RE: How to configure webseal to ignore "Authorization" header for a specific junction?

    Posted Fri December 02, 2022 01:12 AM

    I interpreted the question differently from Scott. If I understand it correctly, you want WebSEAL to process the BA header itself when some URLs are visited, and completely ignore it and pass it down to the backend junction for other URLs.

    If my interpretation is correct, you can do this. What you have to do is:

    1. Leave the current config in place:

    [ba]
    ba-auth=https

    2. Make sure you allow unauthenticated access on the junction where you want to send the BA header. In my case I did this:

    pdadmin> acl attach /WebSEAL/localhost-testba/jsonsnoop isam_mobile_rest_unauth
    

    3. When creating the junction, use the `-b ignore` flag, or use the junction editor in the LMI and on the Identity tab, change the `HTTP Basic Authentication Header` option to `Ignore`.

    In my case this processed the BA header for resources not on that junction, and passed the BA header across the /jsonsnoop junction.



    ------------------------------
    Shane Weeden
    IBM
    ------------------------------



  • 6.  RE: How to configure webseal to ignore "Authorization" header for a specific junction?

    IBM Champion
    Posted Fri December 02, 2022 03:59 AM
    Thanks for both your replies.
    You both understood the requirement very well :)

    I tested your suggestion Shane but unfortunately it still does not work.
    I used the following ACL:



    Could it be related to our old v10.0.1?

    ------------------------------
    André Leruitte
    ------------------------------



  • 7.  RE: How to configure webseal to ignore "Authorization" header for a specific junction?

    Posted Fri December 02, 2022 05:10 AM

    All I can suggest is to try:

    pdadmin sec_master> acl show isam_mobile_rest_unauth
        ACL Name: isam_mobile_rest_unauth
        Description: 
        Entries: 
            Any-other Tmdrxl
            User sec_master TcmdbsvaBRrxl
            Group iv-admin TcmdbsvaBRrxl
            Group webseal-servers Tgmdbsrxl
            Unauthenticated Tmdrxl


    I don't believe it's your version of ISAM/ISVA - this is long-standing behaviour.



    ------------------------------
    Shane Weeden
    IBM
    ------------------------------



  • 8.  RE: How to configure webseal to ignore "Authorization" header for a specific junction?

    IBM Champion
    Posted Fri December 02, 2022 09:56 AM
    Hi Shane,

    Thanks for the acl detail.

    This is not working for me, webseal still handles the Authorization header.


    I will try creating a new reverse proxy for testing the behavior in isolation of the rest of the config. There may be other settings (such as forms-auth = https) that could be modifying the behavior.

    I will keep you updated.

    ------------------------------
    André Leruitte
    ------------------------------



  • 9.  RE: How to configure webseal to ignore "Authorization" header for a specific junction?

    Posted 14 days ago

    Hi Andre,

    Please let me know if you were able to achieve it, as I am also facing the same issue.



    ------------------------------
    Tara Sharma
    ------------------------------



  • 10.  RE: How to configure webseal to ignore "Authorization" header for a specific junction?

    IBM Champion
    Posted 14 days ago

    Hi Tara,

    Unfortunately I was unable to find any workaround. As Scott explained very clearly, it seems it is not possible to mix basic-auth for some junctions with completely ignoring the Authorization header for other junctions on the same reverse proxy.

    I did test on another reverse proxy where the basic-auth is not enabled, and it works exactly as expected for a junction where Ignore is configured for the BA Header. If you have absolutely no other option, maybe this workaround of creating another proxy could be an alternative solution.

    Regards



    ------------------------------
    André Leruitte
    ------------------------------
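The trap described in posts 4 and 10 above (a per-junction `auth-challenge-type = none` that looks like it disables BA but only suppresses the 401 challenge, while `[ba] ba-auth` still governs whether WebSEAL consumes `Authorization: Basic` on every junction) is easy to catch with a small lint over the reverse-proxy configuration file. The script below is an added example written for this page; it is not IBM code and not something any poster shared. It parses the stanza/key format of `webseald-<instance>.conf` with Python's `configparser`, and the two configuration fragments it checks are constructed here from the snippets in the thread. It assumes that when `ba-auth` is absent from `[ba]` the instance behaves like the shipped default `ba-auth = https` (verify against your own `webseald.conf`); junction `-b ignore` lives in the junction database rather than in this file, so the lint does not see it.

```python
"""
Lint a WebSEAL (ISAM / ISVA reverse proxy) configuration for junction stanzas
that try to switch Basic Authentication off with `auth-challenge-type = none`.

As explained in the thread, that entry only controls the 401 challenge; the
[ba] stanza's `ba-auth` still decides whether WebSEAL consumes an incoming
`Authorization: Basic` header on *every* junction of the instance.  The only
way to pass the header through untouched is an instance with `ba-auth = none`
(and a junction created with `-b ignore`).
"""
from __future__ import annotations

import configparser
from dataclasses import dataclass
from typing import Iterator

# Assumption (not stated on the page): an instance whose [ba] stanza has no
# ba-auth entry is treated like the shipped default of `ba-auth = https`.
ASSUMED_DEFAULT_BA_AUTH = "https"


@dataclass(frozen=True)
class Finding:
    junction: str
    message: str


def load_webseal_config(text: str) -> configparser.ConfigParser:
    """Parse WebSEAL's stanza/key text.  strict=False tolerates the repeated
    keys WebSEAL allows; interpolation is off so '%' in values is harmless."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    return cp


def junction_stanzas(cp: configparser.ConfigParser) -> Iterator[tuple[str, configparser.SectionProxy]]:
    """Yield (junction_point, stanza) for every [server:/junction] stanza."""
    for section in cp.sections():
        if section.startswith("server:/"):
            yield section[len("server:"):], cp[section]


def ba_mode(cp: configparser.ConfigParser) -> str:
    """Instance-wide BA setting: none | http | https | both."""
    return cp.get("ba", "ba-auth", fallback=ASSUMED_DEFAULT_BA_AUTH).strip().lower()


def lint(text: str) -> list[Finding]:
    """Return one Finding per junction that expects BA to be ignored while the
    instance still has BA processing enabled."""
    cp = load_webseal_config(text)
    mode = ba_mode(cp)
    findings: list[Finding] = []
    for junction, stanza in junction_stanzas(cp):
        challenge = stanza.get("auth-challenge-type", "").strip().lower()
        if challenge == "none" and mode != "none":
            findings.append(Finding(
                junction,
                f"[server:{junction}] auth-challenge-type = none only suppresses the 401 "
                f"challenge; [ba] ba-auth = {mode} means WebSEAL still consumes "
                f"Authorization: Basic on {junction}. Serve this junction from a "
                f"separate reverse-proxy instance with ba-auth = none and -b ignore.",
            ))
    return findings


# Constructed sample configs, modelled on the fragments posted in the thread.
SHARED_INSTANCE = """
[ba]
ba-auth = https

[forms]
forms-auth = https

[server:/myJunctionThatNeedsToIgnoreBA]
auth-challenge-type = none
"""

SEPARATE_INSTANCE = """
[ba]
ba-auth = none

[server:/myJunctionThatNeedsToIgnoreBA]
auth-challenge-type = none
"""

if __name__ == "__main__":
    for name, cfg in (("shared instance", SHARED_INSTANCE), ("separate instance", SEPARATE_INSTANCE)):
        found = lint(cfg)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print("  " + f.message)
```

Run it against a copy of the instance's `webseald-<instance>.conf`; a clean result only means the file does not contain the contradictory pair, it does not prove the junction was created with `-b ignore`, which you still check with `pdadmin server task <instance> show /junction`.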