Symantec Access Management

  • 1.  Can HTTP_AUTHORIZATION Header be suppressed at Siteminder end.

    Posted Apr 22, 2016 07:10 AM

    Hi There,

     

    We have a scenario where the Siteminder agent is doing Silent Basic Authentication: App1 is the calling system and App2 is where the SM Agent is doing basic authentication.

    The calling system (App1) sends the cookie "SMCHALLENGE=YES" and the header "AUTHORIZATION: Basic <user base64-encoded credentials>" to App2, which has the SM Agent.

    Silent Authentication works fine. Once the user credentials are processed, the SMCHALLENGE cookie is deleted by the SM Agent on App2.

    But the AUTHORIZATION header still remains, i.e., it is not deleted by the SM Agent, and this header gets forwarded further to the backend app server from App2.

    Is there any way to suppress the "AUTHORIZATION" header at the SM Agent, so that it does not reach the backend app server?

     

    Thanks,

    Neha



  • 2.  Re: Can HTTP_AUTHORIZATION Header be suppressed at Siteminder end.

    Posted Apr 22, 2016 01:23 PM

    Hi Team,

     

    I have the same query. Can somebody provide their inputs?

     

    Thanks.



  • 3.  Re: Can HTTP_AUTHORIZATION Header be suppressed at Siteminder end.
    Best Answer

    Broadcom Employee
    Posted Apr 26, 2016 08:58 AM

    Hi GoyalNeha and Rahilanikhat,

     

    From what I understand, you mean the

      Authorization: Basic QWxjZGRpgjsVog ...

    header we can find in the browser request headers.

    This header cannot be removed from the Web Agent.

    You might submit an Idea on the security page in order to get this functionality in the Web Agent in future releases:

     

       https://communities.ca.com/message/241729406

     

    Also note that, depending on the Web Server version you run, you may disable this header at the Web Server level, such as:


      <VirtualHost *:80>
            ServerName something.example.com
            ServerAdmin admin@example.com

            ProxyRequests Off
            ProxyPreserveHost Off
            AllowEncodedSlashes On
            KeepAlive Off

            <Proxy *>
                Order deny,allow
                Allow from all
            </Proxy>

            <Location />
                    AuthType Basic
                    AuthName "Authorized Users Only"
                    AuthUserFile /etc/apache2/passwd
                    Require valid-user
            </Location>

            # Strip the client's Basic credentials before proxying to the backend
            RequestHeader unset Authorization
            ProxyPass / http://localhost:5984/
            ProxyPassReverse / http://localhost:5984/

            ErrorLog /var/log/apache2/something.example.com-error_log
            CustomLog /var/log/apache2/something.example.com-access_log common
      </VirtualHost>


    http://stackoverflow.com/questions/4428903/remove-basic-authentication-header-with-apache-mod-proxy

     

    Best Regards,

    Patrick
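The header-filtering step that the Apache `RequestHeader unset Authorization` line performs, written out as an added example (not SiteMinder, Apache or Broadcom code) so the behaviour can be checked against constructed request headers. The `X-Remote-User` header name and the sample credentials and cookies are assumptions constructed for the example; the SMCHALLENGE cookie and Authorization header are the ones the thread discusses.

```python
"""Reverse-proxy header filter: drop the inbound Basic Authorization header
(and the SMCHALLENGE cookie) before a request is forwarded to the backend,
plus an audit check that no Basic credential survives the filter."""
import base64

FILTERED_HEADERS = {"authorization"}
FILTERED_COOKIES = {"SMCHALLENGE"}


def decode_basic(value):
    """Return (user, password) for a 'Basic <base64>' value, else None."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, _, pwd = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, pwd


def strip_cookies(cookie_header):
    """Remove the SMCHALLENGE cookie, keeping every other cookie as-is."""
    kept = []
    for part in cookie_header.split(";"):
        name, _, _ = part.strip().partition("=")
        if name not in FILTERED_COOKIES:
            kept.append(part.strip())
    return "; ".join(kept)


def forward_headers(inbound):
    """Build the header set sent upstream: Authorization removed, SMCHALLENGE
    dropped, and the authenticated user name passed in a constructed
    X-Remote-User header (assumed name, not a SiteMinder header)."""
    outbound, remote_user = {}, None
    for name, value in inbound.items():
        lname = name.lower()
        if lname in FILTERED_HEADERS:
            creds = decode_basic(value)
            if creds:
                remote_user = creds[0]
            continue  # credentials never reach the backend
        if lname == "cookie":
            value = strip_cookies(value)
            if not value:
                continue  # only SMCHALLENGE was present; drop the header
        outbound[name] = value
    if remote_user:
        outbound["X-Remote-User"] = remote_user
    return outbound


def backend_leaks_credentials(headers):
    """Audit check: True if a decodable Basic credential would reach the backend."""
    return any(k.lower() == "authorization" and decode_basic(v) for k, v in headers.items())
```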