Last Modified: May 29, 2024
Affected Product(s):
BIG-IP APM
Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1
Fixed In:
16.0.0, 15.1.5
Opened: Mar 03, 2020
Severity: 4-Minor
Symptoms:
APM has several types of access policies for different deployment types, such as general per-request policies, OAuth policies, full webtop portal policies, and so on. One type of policy is designed for API clients, called API Protection. API Protection requests are generally authenticated by user information present in an HTTP authorization header. APM then uses this authorization header data to authenticate users against an AAA server. In addition to authentication, some deployments of API Protection also require authorization decisions to be performed against out-of-band data from external servers, typically group membership data from an external HTTP or LDAP server.
Impact:
Administrators are not able to use HTTP Connector or LDAP Query in API Protection policies.
Conditions:
Administrators attempt to use HTTP Connector or LDAP Query in an API Protection type access policy.
Workaround:
None
Fix Information:
Starting with 16.0, APM allows administrators to use HTTP Connector or LDAP Query inside of API Protection policies to make authorization decisions, greatly expanding the flexibility of APM's API Protection feature.