IBM Security Verify

Dear Team, I have to set a rate limit on the URL that generates the captcha, which is protected by Webseal Junction and accessible to users through AAC template pages. This is how it goes:

A login page and a captcha challenge will be shown to users. The captcha image is generated by an application and is secured by Webseal Junction.The AAC infomap, which is governed by the AAC authentication mechanism, will be the source of this URL.The captcha generation must be limited to ten times per minute per session.Here, we are aware of the rate limit policy named limitloginbyIP.yaml that uses the x-forwarded header setting, and it is functioning as anticipated. 

However, there is a catch: since the AAC runtime is the source of the URL, we will always obtain the runtime IP in the X-forwarder header. Setting a rate-limit will be useless because AAC will be used in all user requests. We attempted to apply a rate-limit policy on this new header and include the client IP address in the request header while creating the captcha, but this did not function at all. Netseal is still taking into account the IP in the x-forwarded header. Would you kindly advise if we can use custom headers in Webseal to write the rate-limit policy?

Dear Team, I have to set a rate limit on the URL that generates the captcha, which is protected by Webseal Junction and accessible to users through AAC template pages. This is how it goes:

A login page and a captcha challenge will be shown to users. The captcha image is generated by an application and is secured by Webseal Junction.The AAC infomap, which is governed by the AAC authentication mechanism, will be the source of this URL.The captcha generation must be limited to ten times per minute per session.Here, we are aware of the rate limit policy named limitloginbyIP.yaml that uses the x-forwarded header setting, and it is functioning as anticipated. 

However, there is a catch: since the AAC runtime is the source of the URL, we will always obtain the runtime IP in the X-forwarder header. Setting a rate-limit will be useless because AAC will be used in all user requests. We attempted to apply a rate-limit policy on this new header and include the client IP address in the request header while creating the captcha, but this did not function at all. Netseal is still taking into account the IP in the x-forwarded header. Would you kindly advise if we can use custom headers in Webseal to write the rate-limit policy?

Dear Scott, 

Custom Header means i have added a additional header to send the IP in request to webseal. Below is the JS written in AAC infomap. 

-------------------------------------------------------------------

function getCaptcha() {

   // var ApiKey = "25248e0d-3099-4cea-aa92-dfa31b4cc8a5";

    var url = "https://[revrseproxy-instance]/moecaptcha/code.jsp";

    var headers = new Headers();

    headers.addHeader("Content-Type", "application/json");

              headers.addHeader("x-captcha-for",x_forwarded_for_header[0]);

        try {

          //  var resp = HttpClientV2.httpGet(url, headers, "", "", "", "", "", "", 5);

                                           var resp = HttpClientV2.httpGet(url, headers, "", "", "", "", "", "");

            if (resp.getCode() == 200) {

               var captchaJSON = JSON.parse(resp.getBody());

             IDMappingExtUtils.traceString("ResponseHTTP CaptchaRequest ----" + resp.getBody());

                                           // IDMappingExtUtils.traceString("ResponseHTTP CaptchaRequest ----" + json.captcha);

                                            macros.put("@CAPTCHA@",captchaJSON.captcha);

             const randomString = generateRandomString(32);

                                            macros.put("@STATEVALUE@",randomString);

                                            stateValue = randomString;

                                            captchaCode = captchaJSON.code;

            } else {

                IDMappingExtUtils.traceString("Response is null");

                result = false;

            }

        } catch (ex) {

            IDMappingExtUtils.throwSTSUserMessageException("Excelption occured, Please try again" + ex.message);

            IDMappingExtUtils.traceString("NafathSendRequestFailed:" + ex.message);

        }

      return "";

}

------------------------------------------------------------------------------------

Below logs from webseal pdweb.debug.logs.

2024-05-16-13:06:21.784+03:00I----- thread(83) trace.pdweb.debug:2 /build/isam/src/i4w/pdweb/webseald/ras/trace/debug_log.cpp:235: ----------------- Browser ===> PD -----------------

Thread 83; fd 262; local revsreproxy IP:443; remote 192.168.38.4:22104

GET /moecaptcha/code.jsp HTTP/1.1

accept-encoding: gzip,deflate

connection: Keep-Alive

content-type: application/json

host: reverseproxy-instance DNS

user-agent: Apache-HttpClient/4.5.13 (Java/11.0.20.1)

x-captcha-for: 192.168.x.y (Client IP)

x-forwarded-for: 192.168.x.x (AAC runtime IP)

---------------------------------------------------

I am trying to write a below Rate-limit rule around the mentioned "x-captcha-for" above in logs and JS. But its not working as expected, see ratelimit enabled after applying the this rule but for the "x-forwarded-for" header i.e. if altogether(different sources) 15 hits reaches to webseal it stops hit the captcha URL at back-end for 1 mins as mentioned in the rule. Please suggest if anything missing in my rate-limit rule which is applying restriction based on x-forwarded-for  not with x-captcha-for. 

--------------------------------------------------------------------------------------------

Dear Team, I have to set a rate limit on the URL that generates the captcha, which is protected by Webseal Junction and accessible to users through AAC template pages. This is how it goes:

A login page and a captcha challenge will be shown to users. The captcha image is generated by an application and is secured by Webseal Junction.The AAC infomap, which is governed by the AAC authentication mechanism, will be the source of this URL.The captcha generation must be limited to ten times per minute per session.Here, we are aware of the rate limit policy named limitloginbyIP.yaml that uses the x-forwarded header setting, and it is functioning as anticipated. 

However, there is a catch: since the AAC runtime is the source of the URL, we will always obtain the runtime IP in the X-forwarder header. Setting a rate-limit will be useless because AAC will be used in all user requests. We attempted to apply a rate-limit policy on this new header and include the client IP address in the request header while creating the captcha, but this did not function at all. Netseal is still taking into account the IP in the x-forwarded header. Would you kindly advise if we can use custom headers in Webseal to write the rate-limit policy?

Dear Scott, 

Custom Header means i have added a additional header to send the IP in request to webseal. Below is the JS written in AAC infomap. 

-------------------------------------------------------------------

function getCaptcha() {

   // var ApiKey = "25248e0d-3099-4cea-aa92-dfa31b4cc8a5";

    var url = "https://[revrseproxy-instance]/moecaptcha/code.jsp";

    var headers = new Headers();

    headers.addHeader("Content-Type", "application/json");

              headers.addHeader("x-captcha-for",x_forwarded_for_header[0]);

        try {

          //  var resp = HttpClientV2.httpGet(url, headers, "", "", "", "", "", "", 5);

                                           var resp = HttpClientV2.httpGet(url, headers, "", "", "", "", "", "");

            if (resp.getCode() == 200) {

               var captchaJSON = JSON.parse(resp.getBody());

             IDMappingExtUtils.traceString("ResponseHTTP CaptchaRequest ----" + resp.getBody());

                                           // IDMappingExtUtils.traceString("ResponseHTTP CaptchaRequest ----" + json.captcha);

                                            macros.put("@CAPTCHA@",captchaJSON.captcha);

             const randomString = generateRandomString(32);

                                            macros.put("@STATEVALUE@",randomString);

                                            stateValue = randomString;

                                            captchaCode = captchaJSON.code;

            } else {

                IDMappingExtUtils.traceString("Response is null");

                result = false;

            }

        } catch (ex) {

            IDMappingExtUtils.throwSTSUserMessageException("Excelption occured, Please try again" + ex.message);

            IDMappingExtUtils.traceString("NafathSendRequestFailed:" + ex.message);

        }

      return "";

}

------------------------------------------------------------------------------------

Below logs from webseal pdweb.debug.logs.

2024-05-16-13:06:21.784+03:00I----- thread(83) trace.pdweb.debug:2 /build/isam/src/i4w/pdweb/webseald/ras/trace/debug_log.cpp:235: ----------------- Browser ===> PD -----------------

Thread 83; fd 262; local revsreproxy IP:443; remote 192.168.38.4:22104

GET /moecaptcha/code.jsp HTTP/1.1

accept-encoding: gzip,deflate

connection: Keep-Alive

content-type: application/json

host: reverseproxy-instance DNS

user-agent: Apache-HttpClient/4.5.13 (Java/11.0.20.1)

x-captcha-for: 192.168.x.y (Client IP)

x-forwarded-for: 192.168.x.x (AAC runtime IP)

---------------------------------------------------

I am trying to write a below Rate-limit rule around the mentioned "x-captcha-for" above in logs and JS. But its not working as expected, see ratelimit enabled after applying the this rule but for the "x-forwarded-for" header i.e. if altogether(different sources) 15 hits reaches to webseal it stops hit the captcha URL at back-end for 1 mins as mentioned in the rule. Please suggest if anything missing in my rate-limit rule which is applying restriction based on x-forwarded-for  not with x-captcha-for. 

--------------------------------------------------------------------------------------------

Dear Team, I have to set a rate limit on the URL that generates the captcha, which is protected by Webseal Junction and accessible to users through AAC template pages. This is how it goes:

A login page and a captcha challenge will be shown to users. The captcha image is generated by an application and is secured by Webseal Junction.The AAC infomap, which is governed by the AAC authentication mechanism, will be the source of this URL.The captcha generation must be limited to ten times per minute per session.Here, we are aware of the rate limit policy named limitloginbyIP.yaml that uses the x-forwarded header setting, and it is functioning as anticipated. 

However, there is a catch: since the AAC runtime is the source of the URL, we will always obtain the runtime IP in the X-forwarder header. Setting a rate-limit will be useless because AAC will be used in all user requests. We attempted to apply a rate-limit policy on this new header and include the client IP address in the request header while creating the captcha, but this did not function at all. Netseal is still taking into account the IP in the x-forwarded header. Would you kindly advise if we can use custom headers in Webseal to write the rate-limit policy?

Dear Scott, 

This is moecaptcha only, I messed with it while scrubbing details to share here in the portal. Please consider this moecaptcha not captcha.

Problem Statement: I am trying to put rate limit based on header named as 'x-captcha-for' HTTP header which is not working as expected instead rate-limit is working for 'x-forwarded-for' header. 

Dear Scott, 

Custom Header means i have added a additional header to send the IP in request to webseal. Below is the JS written in AAC infomap. 

-------------------------------------------------------------------

function getCaptcha() {

   // var ApiKey = "25248e0d-3099-4cea-aa92-dfa31b4cc8a5";

    var url = "https://[revrseproxy-instance]/moecaptcha/code.jsp";

    var headers = new Headers();

    headers.addHeader("Content-Type", "application/json");

              headers.addHeader("x-captcha-for",x_forwarded_for_header[0]);

        try {

          //  var resp = HttpClientV2.httpGet(url, headers, "", "", "", "", "", "", 5);

                                           var resp = HttpClientV2.httpGet(url, headers, "", "", "", "", "", "");

            if (resp.getCode() == 200) {

               var captchaJSON = JSON.parse(resp.getBody());

             IDMappingExtUtils.traceString("ResponseHTTP CaptchaRequest ----" + resp.getBody());

                                           // IDMappingExtUtils.traceString("ResponseHTTP CaptchaRequest ----" + json.captcha);

                                            macros.put("@CAPTCHA@",captchaJSON.captcha);

             const randomString = generateRandomString(32);

                                            macros.put("@STATEVALUE@",randomString);

                                            stateValue = randomString;

                                            captchaCode = captchaJSON.code;

            } else {

                IDMappingExtUtils.traceString("Response is null");

                result = false;

            }

        } catch (ex) {

            IDMappingExtUtils.throwSTSUserMessageException("Excelption occured, Please try again" + ex.message);

            IDMappingExtUtils.traceString("NafathSendRequestFailed:" + ex.message);

        }

      return "";

}

------------------------------------------------------------------------------------

Below logs from webseal pdweb.debug.logs.

2024-05-16-13:06:21.784+03:00I----- thread(83) trace.pdweb.debug:2 /build/isam/src/i4w/pdweb/webseald/ras/trace/debug_log.cpp:235: ----------------- Browser ===> PD -----------------

Thread 83; fd 262; local revsreproxy IP:443; remote 192.168.38.4:22104

GET /moecaptcha/code.jsp HTTP/1.1

accept-encoding: gzip,deflate

connection: Keep-Alive

content-type: application/json

host: reverseproxy-instance DNS

user-agent: Apache-HttpClient/4.5.13 (Java/11.0.20.1)

x-captcha-for: 192.168.x.y (Client IP)

x-forwarded-for: 192.168.x.x (AAC runtime IP)

---------------------------------------------------

I am trying to write a below Rate-limit rule around the mentioned "x-captcha-for" above in logs and JS. But its not working as expected, see ratelimit enabled after applying the this rule but for the "x-forwarded-for" header i.e. if altogether(different sources) 15 hits reaches to webseal it stops hit the captcha URL at back-end for 1 mins as mentioned in the rule. Please suggest if anything missing in my rate-limit rule which is applying restriction based on x-forwarded-for  not with x-captcha-for. 

--------------------------------------------------------------------------------------------

Dear Team, I have to set a rate limit on the URL that generates the captcha, which is protected by Webseal Junction and accessible to users through AAC template pages. This is how it goes:

A login page and a captcha challenge will be shown to users. The captcha image is generated by an application and is secured by Webseal Junction.The AAC infomap, which is governed by the AAC authentication mechanism, will be the source of this URL.The captcha generation must be limited to ten times per minute per session.Here, we are aware of the rate limit policy named limitloginbyIP.yaml that uses the x-forwarded header setting, and it is functioning as anticipated. 

However, there is a catch: since the AAC runtime is the source of the URL, we will always obtain the runtime IP in the X-forwarder header. Setting a rate-limit will be useless because AAC will be used in all user requests. We attempted to apply a rate-limit policy on this new header and include the client IP address in the request header while creating the captcha, but this did not function at all. Netseal is still taking into account the IP in the x-forwarded header. Would you kindly advise if we can use custom headers in Webseal to write the rate-limit policy?

Dear Scott, 

This is moecaptcha only, I messed with it while scrubbing details to share here in the portal. Please consider this moecaptcha not captcha.

Problem Statement: I am trying to put rate limit based on header named as 'x-captcha-for' HTTP header which is not working as expected instead rate-limit is working for 'x-forwarded-for' header. 

Dear Scott, 

Custom Header means i have added a additional header to send the IP in request to webseal. Below is the JS written in AAC infomap. 

-------------------------------------------------------------------

function getCaptcha() {

   // var ApiKey = "25248e0d-3099-4cea-aa92-dfa31b4cc8a5";

    var url = "https://[revrseproxy-instance]/moecaptcha/code.jsp";

    var headers = new Headers();

    headers.addHeader("Content-Type", "application/json");

              headers.addHeader("x-captcha-for",x_forwarded_for_header[0]);

        try {

          //  var resp = HttpClientV2.httpGet(url, headers, "", "", "", "", "", "", 5);

                                           var resp = HttpClientV2.httpGet(url, headers, "", "", "", "", "", "");

            if (resp.getCode() == 200) {

               var captchaJSON = JSON.parse(resp.getBody());

             IDMappingExtUtils.traceString("ResponseHTTP CaptchaRequest ----" + resp.getBody());

                                           // IDMappingExtUtils.traceString("ResponseHTTP CaptchaRequest ----" + json.captcha);

                                            macros.put("@CAPTCHA@",captchaJSON.captcha);

             const randomString = generateRandomString(32);

                                            macros.put("@STATEVALUE@",randomString);

                                            stateValue = randomString;

                                            captchaCode = captchaJSON.code;

            } else {

                IDMappingExtUtils.traceString("Response is null");

                result = false;

            }

        } catch (ex) {

            IDMappingExtUtils.throwSTSUserMessageException("Excelption occured, Please try again" + ex.message);

            IDMappingExtUtils.traceString("NafathSendRequestFailed:" + ex.message);

        }

      return "";

}

------------------------------------------------------------------------------------

Below logs from webseal pdweb.debug.logs.

2024-05-16-13:06:21.784+03:00I----- thread(83) trace.pdweb.debug:2 /build/isam/src/i4w/pdweb/webseald/ras/trace/debug_log.cpp:235: ----------------- Browser ===> PD -----------------

Thread 83; fd 262; local revsreproxy IP:443; remote 192.168.38.4:22104

GET /moecaptcha/code.jsp HTTP/1.1

accept-encoding: gzip,deflate

connection: Keep-Alive

content-type: application/json

host: reverseproxy-instance DNS

user-agent: Apache-HttpClient/4.5.13 (Java/11.0.20.1)

x-captcha-for: 192.168.x.y (Client IP)

x-forwarded-for: 192.168.x.x (AAC runtime IP)

---------------------------------------------------

I am trying to write a below Rate-limit rule around the mentioned "x-captcha-for" above in logs and JS. But its not working as expected, see ratelimit enabled after applying the this rule but for the "x-forwarded-for" header i.e. if altogether(different sources) 15 hits reaches to webseal it stops hit the captcha URL at back-end for 1 mins as mentioned in the rule. Please suggest if anything missing in my rate-limit rule which is applying restriction based on x-forwarded-for  not with x-captcha-for. 

--------------------------------------------------------------------------------------------

Dear Team, I have to set a rate limit on the URL that generates the captcha, which is protected by Webseal Junction and accessible to users through AAC template pages. This is how it goes:

A login page and a captcha challenge will be shown to users. The captcha image is generated by an application and is secured by Webseal Junction.The AAC infomap, which is governed by the AAC authentication mechanism, will be the source of this URL.The captcha generation must be limited to ten times per minute per session.Here, we are aware of the rate limit policy named limitloginbyIP.yaml that uses the x-forwarded header setting, and it is functioning as anticipated. 

However, there is a catch: since the AAC runtime is the source of the URL, we will always obtain the runtime IP in the X-forwarder header. Setting a rate-limit will be useless because AAC will be used in all user requests. We attempted to apply a rate-limit policy on this new header and include the client IP address in the request header while creating the captcha, but this did not function at all. Netseal is still taking into account the IP in the x-forwarded header. Would you kindly advise if we can use custom headers in Webseal to write the rate-limit policy?

Dear Scott, 

This is moecaptcha only, I messed with it while scrubbing details to share here in the portal. Please consider this moecaptcha not captcha.

Problem Statement: I am trying to put rate limit based on header named as 'x-captcha-for' HTTP header which is not working as expected instead rate-limit is working for 'x-forwarded-for' header. 

Dear Scott, 

Custom Header means i have added a additional header to send the IP in request to webseal. Below is the JS written in AAC infomap. 

-------------------------------------------------------------------

function getCaptcha() {

   // var ApiKey = "25248e0d-3099-4cea-aa92-dfa31b4cc8a5";

    var url = "https://[revrseproxy-instance]/moecaptcha/code.jsp";

    var headers = new Headers();

    headers.addHeader("Content-Type", "application/json");

              headers.addHeader("x-captcha-for",x_forwarded_for_header[0]);

        try {

          //  var resp = HttpClientV2.httpGet(url, headers, "", "", "", "", "", "", 5);

                                           var resp = HttpClientV2.httpGet(url, headers, "", "", "", "", "", "");

            if (resp.getCode() == 200) {

               var captchaJSON = JSON.parse(resp.getBody());

             IDMappingExtUtils.traceString("ResponseHTTP CaptchaRequest ----" + resp.getBody());

                                           // IDMappingExtUtils.traceString("ResponseHTTP CaptchaRequest ----" + json.captcha);

                                            macros.put("@CAPTCHA@",captchaJSON.captcha);

             const randomString = generateRandomString(32);

                                            macros.put("@STATEVALUE@",randomString);

                                            stateValue = randomString;

                                            captchaCode = captchaJSON.code;

            } else {

                IDMappingExtUtils.traceString("Response is null");

                result = false;

            }

        } catch (ex) {

            IDMappingExtUtils.throwSTSUserMessageException("Excelption occured, Please try again" + ex.message);

            IDMappingExtUtils.traceString("NafathSendRequestFailed:" + ex.message);

        }

      return "";

}

------------------------------------------------------------------------------------

Below logs from webseal pdweb.debug.logs.

2024-05-16-13:06:21.784+03:00I----- thread(83) trace.pdweb.debug:2 /build/isam/src/i4w/pdweb/webseald/ras/trace/debug_log.cpp:235: ----------------- Browser ===> PD -----------------

Thread 83; fd 262; local revsreproxy IP:443; remote 192.168.38.4:22104

GET /moecaptcha/code.jsp HTTP/1.1

accept-encoding: gzip,deflate

connection: Keep-Alive

content-type: application/json

host: reverseproxy-instance DNS

user-agent: Apache-HttpClient/4.5.13 (Java/11.0.20.1)

x-captcha-for: 192.168.x.y (Client IP)

x-forwarded-for: 192.168.x.x (AAC runtime IP)

---------------------------------------------------

I am trying to write a below Rate-limit rule around the mentioned "x-captcha-for" above in logs and JS. But its not working as expected, see ratelimit enabled after applying the this rule but for the "x-forwarded-for" header i.e. if altogether(different sources) 15 hits reaches to webseal it stops hit the captcha URL at back-end for 1 mins as mentioned in the rule. Please suggest if anything missing in my rate-limit rule which is applying restriction based on x-forwarded-for  not with x-captcha-for. 

--------------------------------------------------------------------------------------------

Dear Team, I have to set a rate limit on the URL that generates the captcha, which is protected by Webseal Junction and accessible to users through AAC template pages. This is how it goes:

A login page and a captcha challenge will be shown to users. The captcha image is generated by an application and is secured by Webseal Junction.The AAC infomap, which is governed by the AAC authentication mechanism, will be the source of this URL.The captcha generation must be limited to ten times per minute per session.Here, we are aware of the rate limit policy named limitloginbyIP.yaml that uses the x-forwarded header setting, and it is functioning as anticipated. 

However, there is a catch: since the AAC runtime is the source of the URL, we will always obtain the runtime IP in the X-forwarder header. Setting a rate-limit will be useless because AAC will be used in all user requests. We attempted to apply a rate-limit policy on this new header and include the client IP address in the request header while creating the captcha, but this did not function at all. Netseal is still taking into account the IP in the x-forwarded header. Would you kindly advise if we can use custom headers in Webseal to write the rate-limit policy?