Manual Chapter :
Creating Login Pages for Secure Application Access
Applies To:
Show VersionsBIG-IP ASM
- 14.1.3, 14.1.2, 14.1.0
Creating Login Pages for Secure Application Access
About login
pages
Most web applications use login pages as a way to secure the application and
authenticate application users. A
login page
specifies the
login URL in a web application that users must pass through to get to the authenticated URLs at
the heart of the application. Authenticated URLs
are URLs that become
accessible to users only after they successfully log in to the login URL. A logout URL
is a URL that, if accessed, forces users to return to
the login URL before re-accessing authenticated URLs. System administrators use these special
URLs to prevent forceful browsing by causing users to pass through the login URL before viewing
the restricted authenticated URLs. In addition to specifying the login URL, login pages in the
security policy can also enforce access validation by defining access permissions for users.In Application Security Manager
(ASM), security policies use login pages for several features:
- Login enforcement for secure application access
- Session awareness
- Brute force attack prevention
- Integration with database security
Login enforcement specifies the authenticated URLs and logout URLs for the
application. Session awareness provides tracking information of user sessions so that you can
investigate suspicious activity and the attacker. Brute force protection prevents hackers from
staging multiple attempts to guess user names and passwords so that they can log on to the
application. Database security integration can use login pages to provide event notification and
user data to a third-party database monitoring system.
About creating login
and logout pages
Your web application might contain URLs that should be accessed only through
other URLs. For example, in an online banking application, account holders should be able to
access their account information only by logging on through a login screen first. You can create
login pages manually, or have the system create them automatically.
Application Security Manager (ASM) adds login pages for you
automatically if you use certain options. The options are
Detect Login Pages
and Learn from Responses
in the Learning and Blocking
Settings. If you create the security policy automatically using the Comprehensive
policy template, the system sets
these options by default. If you are using Fundamental
, you can explicitly set these options. These options cause ASM to
detect login pages in the web application and add them to the security policy when sufficient
legitimate traffic has accessed the application.You can also create login or logout pages manually by specifying the login
or logout URLs used by the application. The same URL can be used as both a login URL and a logout
URL.
Creating login pages automatically
Login pages
specify a login URL that presents a site
that users must pass through to gain access to the web application. Your existing
security policy can detect and create login pages automatically if you use certain
options.If you are creating a security policy automatically and
selected
Comprehensive
as
the policy template, the default options are already set to create login pages
automatically. If you are using the Fundamental
policy template, the steps here explain the options to
configure ASM to automatically detect and create login pages for your application.
For brute force protection to work, ensure that the policy's
enforcement mode is set to Blocking. If a policy's enforcement mode is set to
Transparent, no brute force mitigation action will be performed.
- On the Main tab, click.The Learning and Blocking Settings screen opens.
- Ensure that theLearning Modeis set toAutomatic.The system examines the traffic to the web application, and after processing sufficient legitimate traffic, the system builds the security policy automatically by adding and enforcing elements with minimal manual intervention. A few learning suggestions require your review before they are added.
- In the Policy Building Settings area, expandSessions and Loginsand ensure thatBrute Force: Maximum login attempts are exceededis enabled for both Alarm and Block.
- In the Policy Building Process area, expandOptionsand ensure thatLearn from responsesis selected.
- ClickSaveto save your settings.
- In the editing context area, clickApply Policyto put the changes into effect.
The security policy looks for login pages by examining traffic to the web
application. When a login page is found, the Policy Builder suggests adding the login
form to the security policy. Because the suggestion is learned from responses and
responses are considered trusted, if the
Learning Mode
is
Automatic
, the login page is typically added to the policy
right away. If the
Learning Mode
is
Manual
, the login page is added to the learning
suggestions on the Traffic Learning screen where you can add it to the policy. The
login pages in the security policy are included in the Login Pages List.
You can use the login pages for login enforcement, brute force protection, or
session awareness.
Creating login pages manually
Before you can create a login page manually, you need to be familiar with the login
URL or URLs the application the security policy is protecting.
In your security policy, you can create a login page manually to specify a login
URL that presents a site that users must pass through to gain access to the web
application. The login URL commonly leads to the login page of the web application.
You can also have the system create login pages automatically by
selecting
Detect login pages
on the Learning and Blocking
Settings screen.- On the Main tab, click.The Login Pages List screen opens.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- ClickCreate.The New Login Page screen opens.
- For theLogin URLsetting, specify a URL that users must pass through to get to the application.
- From the list, select the type of URL:ExplicitorWildcard.
- Select eitherHTTPorHTTPSbased on the type of traffic the web application accepts.
- Type an explicit URL or wildcard expression in the field.When you click in the field, the system lists URLs that it has seen, and you can select a URL from the list. Or, you can type explicit URLs in the format/login, and wildcard URLs without the slash, such as*.php.Wildcard syntax is based on shell-style wildcard characters. This table lists the wildcard characters that you can use so that the entity name can match multiple objects.Wildcard CharacterMatches*All characters?Any single character.[abcde]Exactly one of the characters listed.[!abcde]Any character not listed.[a-e]Exactly one character in the range.[!a-e}Any character not in the range.
- From theAuthentication Typelist, select the method the web server uses to authenticate the login URL's credentials with a web user.OptionDescriptionNoneThe web server does not authenticate users trying to access the web application through the login URL. This is the default setting.HTML FormThe web application uses a form to collect and authenticate user credentials. If using this option, you also need to type the user name and password parameters written in the code of the HTML form.HTTP Basic AuthenticationThe user name and password are transmitted in Base64 and stored on the server in plain text.HTTP Digest AuthenticationThe web server performs the authentication; user names and passwords are not transmitted over the network, nor are they stored in plain text.NTLMMicrosoft LAN Manager authentication (also called Integrated Windows Authentication) does not transmit credentials in plain text, but requires a continuous TCP connection between the server and client.JSON/AJAX RequestThe web server uses JSON and AJAX requests to authenticate users trying to access the web application through the login URL. For this option, you also need to type the name of the JSON element containing the user name and password.
- In the Access Validation area, define at least one validation criteria for the login page response.If you define more than one validation criteria, the response must meet all the criteria before the system allows the user to access the application login URL.The system checks the access validation criteria on the response according to the content-type of the login URL. Supported content-types are text/*, application/x-javascript, application/sgml, application/xml, application/x-asp, application/x-aspx, application/xhtml+xml, application/json, application/x-shockwave-flash. You can use the internal parameteruser_defined_accum_typeto add supported content-types.
- ClickCreateto add the login page to the security policy.The new login page is added to the login pages list.
- Add as many login pages as needed for your web application.
- In the editing context area, clickApply Policyto put the changes into effect.
The security policy now has one or more login pages associated with it. They are
included in the Login Pages List.
You can use the login pages you created for login enforcement, brute force
protection, or session awareness.
Login page access validation criteria
Following are descriptions of the access validation criteria for the response to the
login URL. You configure one or more of these validations when defining a login page manually. A
login attempt is only successful if all of the specified validation criteria are
satisfied.
Access validation | Define in login page as |
---|---|
A string that should appear in the response | A string that must appear in the response for the system to allow the user to
access the authenticated URL; for example, Successful
Login . |
A string that should NOT appear in the response | A string that indicates a failed login attempt and prohibits user access to the
authenticated URL; for example, Authentication failed . |
Expected HTTP response status code | An HTTP response code that the server must return to the user to allow access to
the authenticated URL; for example, 200 . |
Expected validation header name and value (for example, Location header) | A header name and value that the response to the login URL must match to permit
user access to the authenticated URL. |
Expected validation domain cookie name | A defined domain cookie name that the response to the login URL must match to
permit user access to the authenticated URL. |
Expected parameter name (added to URI links in the response) | A parameter that must exist in the login URL’s HTML body to allow access to the
authenticated URL. |
Enforcing login pages
Login enforcement settings prevent forceful browsing attacks where attackers gain
access to restricted parts of the web application by supplying a URL directly. You can
use login enforcement to force users to pass through one URL (known as the
login
URL
) before being allowed to display a different URL (known as the
target URL
) where they can access restricted pages and resources.
Login enforcement indicates how the security policy implements login pages
including an optional expiration time, a list of URLs that require authentication to
get to, and a list of URLs used to log out of the application. You can also use
authenticated URLs to enforce idle time-outs on applications that are missing this
functionality.
- On the Main tab, click.The Login Enforcement screen opens.
- If you want the login URL to be valid for a limited time, setExpiration TimetoEnabled, and type a value, in seconds (1-99999) that indicates how long the session will last.If enabled, the login session ends after the number of seconds has passed.
- For theAuthenticated URLssetting, specify the target URLs that users can access only by way of the login URL:
- In theAuthenticated URLs (Wildcards supported)field, type the target URL name in the format/private.php(wildcards are allowed).
- ClickAddto add the URL to the list of authenticated URLs.
- Repeat to add as many authenticated URLs as needed.
- ClickSaveto save your settings.
- To put the security policy changes into effect immediately, clickApply Policy.
If you specify authenticated URLs and a user tries to access them, bypassing the
login URL (specified in a Login Page), the system issues the
Login URL
bypassed
violation. If a user session is idle and exceeds the expiration
time, the system issues the Login URL expired
violation, logs the user
out, and as a result, the user can no longer reach the authenticated URLs. For both
login violations, if the enforcement mode is blocking, the system now sends the Login
Page Response to the client (see ).Creating logout pages
Before you can create a logout page, you need to be familiar with the logout URL the
application uses.
In your security policy, you can create a logout page to specify a logout URL that
users go to when they log out of the web application. The logout URL can be the same as
the login URL.
- On the Main tab, click.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- ClickCreate.
- For theLogout URL (Explicit only)setting, specify a URL that users go to when they log out of the application.
- Select eitherHTTPorHTTPSbased on the type of traffic the web application accepts.
- Type an explicit URL in the format/logout.html.
- Optionally, type strings that should or should not appear in the request.
- ClickCreate.
- In the editing context area, clickApply Policyto put the changes into effect.
The security policy now has a logout page associated with it included in the Logout
Pages List. Logout URLs are
automatically added to the list of allowed URLs.