Layer7 Access Management

Expand all | Collapse all

SPS to a back end with a basic authentication

Jump to Best Answer
  • 1.  SPS to a back end with a basic authentication

    Posted 04-12-2016 12:10 PM


    I have a back end server I need to proxy to and to include generic basic authentication credentials in addition to a user id header. The basic authentication is to prevent from accessing the back end server directly from intranet by spoofing user id header. Is it something I need to develop myself in a custom filter to push Authorization header?




  • 2.  Re: SPS to a back end with a basic authentication

    Posted 04-22-2016 06:05 AM

    Hi Vlad,


    By "basic authentication credentials" do you mean the header ?


       Authorization: Basic QAWEDsdrSdseesdsdeedscsaddewdsadsad==


    This is the credentials that basic authentication set in the header

    and as I recall, this header might be sent to the backend server.


    Best Regards,


  • 3.  Re: SPS to a back end with a basic authentication

    Posted 04-26-2016 08:59 PM

    Hi Vlad


    In rereading your request - this isn't exactly what you are after - but I will leave it hear since it is related and may be useful to others looking at similar topic.


    Generally for backend WWW Authentication :

    The setting you want on the proxyrules.xml file is :

    <forward connection-auth="yes">$0</forward>


    This will then propagate the normal HTML authenticate headers straight through as normal proxied request.


    Description of what happens:

    The reason you need the extra setting is because of the way NTLM authentication works.   When NTLM is used then NTLM autheticates the "connection" as belonging to the user.  So any other requests going down that socket to the backend are considered as also being from the same (authenticated) user.


    Obviously that is a real problem for a proxy if you are trying to run a pool of connections to the backend and want to pass different requests from different users along the same pool of connections.    Adding connection-auth="yes" means it will not use the normal backend pool of connections, but will use the connection oriented pool, which maintains individual sockets per authenticated user :


    <connection-pool name="connection oriented authentication">

        connection-timeout="10 seconds"





    Cheers - Mark

  • 4.  Re: SPS to a back end with a basic authentication
    Best Answer

    Posted 04-26-2016 10:02 PM

    Hi Vlad


    I expect your right the best way to add the Authenticate: line to the header will be via an SPS filter.  


    The following article (and sample code) should give you enough details to be able to implement that sort of filter :


    Adding X-Forwarded-For header to CA Access Gateway (CA Secure Proxy Server)


    Cheers - Mark