
ProxyService. Do not pass the Authorization header to the web server

Hi,

We have a proxy service configured with basic authentication. The request is received with the HTTP Authorization header, NAM correctly authenticates the user, and passes the request to the Web server including the received HTTP Authorization header. We want to prevent the HTTP Authorization header from being forwarded. Is there a way to prevent it from being forwarded?
I have seen that there is an option that prevents the X-Forwarded headers from being sent to the back-end web server (NAGAddProxyHeader off). Would there be something similar for the Authorization header?

Regards


    Hi!

    I assume this is because you don't want to leak username/password information to backend application.

    What if you create an identity injection policy to inject some static value into the authentication header for the backend application, like this?

    The application will still get an authentication header, but you will not reveal the actual username and password.

    Kind regards,

    Sebastijan

    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button



    Hi,

    It's not just about not wanting to leak username/password.

    The problem is the following:
    We have an MFA (NAAF) that in the latest versions does not allow sending SMS without authentication.
    The SMS gateway service is a JSP running on top of WebLogic that does not require authentication.
    To solve the problem, we put NAM in the middle acting as a proxy for the SMS gateway, so that the authentication required by NAAF is performed against a NAM basic authentication contract with an Authentication Procedure for Non-Redirected Login.
    WebLogic intercepts the call and, seeing that it contains an Authorization header, returns a 401. If the same call is made without that header, the service responds correctly, since it does not require authentication.

    Regards
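The following is an added example, not code from the thread, from NetIQ Access Manager or from WebLogic. It models the three behaviours discussed above in a small reverse-proxy policy: forwarding the client's Authorization header unchanged (what the original poster observes), overwriting it with a static value (the identity-injection suggestion in the answer), and stripping it entirely. The backend function is modelled on the follow-up post's description of the WebLogic-hosted SMS gateway: it needs no authentication but answers 401 as soon as any Authorization header is present. The user store, the account name `naaf-sms`, its password and the salt are constructed for the example.

```python
"""Reverse-proxy Authorization-header policy (added example, hypothetical)."""
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple

Headers = Dict[str, str]

# Constructed user store for the proxy's Basic-auth contract: one account,
# PBKDF2-SHA256 password hash. Account, password and salt are made up.
_SALT = b"constructed-salt"
_ITERATIONS = 100_000
_USERS = {
    "naaf-sms": hashlib.pbkdf2_hmac("sha256", b"s3cret", _SALT, _ITERATIONS),
}


def basic_request(user: str, password: str) -> Headers:
    """Build the headers of a client request carrying Basic credentials."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Host": "sms-gateway.example", "Authorization": f"Basic {token}"}


def _verify_basic(value: str) -> Optional[str]:
    """Validate 'Basic base64(user:pass)' at the proxy; return user or None."""
    scheme, _, payload = value.partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload, validate=True).decode()
    except ValueError:  # binascii.Error and UnicodeDecodeError are subclasses
        return None
    user, _, password = decoded.partition(":")
    expected = _USERS.get(user)
    if expected is None:
        return None
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    return user if hmac.compare_digest(digest, expected) else None


def backend(headers: Headers) -> int:
    """Model of the SMS gateway as described in the follow-up post: it does
    not require authentication, but any Authorization header yields a 401."""
    if any(k.lower() == "authorization" for k in headers):
        return 401
    return 200


def proxy(headers: Headers, mode: str) -> Tuple[int, Headers]:
    """Authenticate the client, then decide what reaches the backend.

    mode "forward": pass the client's Authorization header through unchanged
    mode "inject":  replace it with a static value (identity injection)
    mode "strip":   remove it before forwarding
    Returns (status, upstream_headers). upstream_headers is empty when the
    proxy rejects the request without contacting the backend.
    """
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if auth is None or _verify_basic(auth) is None:
        return 401, {}  # proxy's own challenge; backend never sees the request
    upstream = {k: v for k, v in headers.items() if k.lower() != "authorization"}
    if mode == "forward":
        upstream["Authorization"] = auth
    elif mode == "inject":
        static = base64.b64encode(b"proxy-identity:static-value").decode()
        upstream["Authorization"] = f"Basic {static}"
    elif mode != "strip":
        raise ValueError(f"unknown mode {mode!r}")
    return backend(upstream), upstream


if __name__ == "__main__":
    good = basic_request("naaf-sms", "s3cret")
    for mode in ("forward", "inject", "strip"):
        status, sent = proxy(good, mode)
        print(f"{mode:8s} -> backend {status}, upstream headers {sorted(sent)}")
    print("bad creds ->", proxy(basic_request("naaf-sms", "wrong"), "strip")[0])
```

Against a backend that rejects every Authorization header, only the "strip" mode reaches the service; the static injection still produces a 401, because the backend is reacting to the presence of the header, not to its contents. The proxy's own 401 for bad credentials is returned before anything is sent upstream, which is the property the NAAF-side authentication relies on.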