We have a scenario where the SiteMinder agent is doing Silent Basic Authentication, where App1 is the calling system and App2 is where the SM Agent is doing basic authentication.
The calling system (App1) sends the cookie SMCHALLENGE = "YES" and the header "AUTHORIZATION: Basic <user base64-encoded credentials>" to App2, which has the SM Agent.
Silent Authentication works fine. Once the user credentials are processed, the SMCHALLENGE cookie is deleted by the SM Agent on App2.
But the AUTHORIZATION header still remains, i.e., it is not deleted by the SM Agent, and this header gets forwarded further to the backend app server from App2.
Is there any way to have the "AUTHORIZATION" header suppressed by the SM Agent, so that it does not reach the back-end app server?
I have the same query. Can somebody provide their inputs?
Hi GoyalNeha and Rahilanikhat,
From what I understand, you mean the
Authorization: Basic QWxjZGRpgjsVog ...
header we can find in the browser request header.
This header cannot be removed from the Web Agent.
You might set an Idea on the security page
in order to get this functionality in the Web Agent
in future releases:
Also note that, depending on the Web Server version you run,
you may disable this header at the Web Server level,
such as:
Allow from all
AuthName "Authorized Users Only"
RequestHeader unset Authorization
ProxyPass / http://localhost:5984/
ProxyPassReverse / http://localhost:5984/
CustomLog /var/log/apache2/something.example.com-access_log common
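
One way to verify the web-server-level change above, as an added example that is not part of the original thread: a stand-in backend that reports whether an Authorization header still arrives. The names `start_canary` and `probe` are hypothetical, and it assumes the canary temporarily takes the place of the real backend on the ProxyPass target port (5984 in the snippet above).

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class CanaryHandler(BaseHTTPRequestHandler):
    """Stand-in backend: reports whether an Authorization header arrived."""

    def do_GET(self):
        value = self.headers.get("Authorization")
        # Record only the scheme (e.g. "Basic"), never the credential itself.
        scheme = value.split(" ", 1)[0] if value else None
        self.server.seen.append(scheme)
        body = (f"LEAK scheme={scheme}" if value else "CLEAN").encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep request lines out of stderr


def start_canary(host="127.0.0.1", port=0):
    """Start the canary in a background thread; port 0 picks a free port."""
    server = HTTPServer((host, port), CanaryHandler)
    server.seen = []
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(host, port, authorization=None):
    """Send one GET, optionally with an Authorization header; return the verdict."""
    headers = {"Authorization": authorization} if authorization else {}
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", "/", headers=headers)
        return conn.getresponse().read().decode()
    finally:
        conn.close()


if __name__ == "__main__":
    # Port 5984 matches the ProxyPass target in the snippet above.
    canary = start_canary(port=5984)
    print("canary on 127.0.0.1:5984; send a request through the web server")
    threading.Event().wait()
```

With the canary running behind the web server, a request sent with an Authorization header should come back as `CLEAN` once `RequestHeader unset Authorization` is in effect, and as `LEAK scheme=Basic` while the header is still being forwarded.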