Authentication Plugin - Passing Auth Header in Apache Proxy Pass

Hi everyone

We are looking to implement the Authentication Plugin to do our user level permissions on our embedded Osimis Web Viewer. This requires you to pass through a TokenHttpHeader identifying the user.

What we are unable to figure out, is how to get the user identifier to the reverse proxy stage so that it can be set as a header on the request to the web viewer?

Passing a GET URL parameter is insecure as it exposes something the user can manipulate to retrieve sensitive information.

Any help/insight would be appreciated.

Hi Deon,

I would say that you should probably use a cookie to store a session token or anything that is identifying your user.
Using the whole cookie as the TokenHttpHeader is not a good idea since the whole cookie is changing a lot and cannot be used as a whole.
So, in our Apache reverse-proxy, you should then extract the session token from your cookie and add it as a separate header.

I don’t know for Apache but for nginx, this can be done with something like (not tested):
proxy_set_header my-auth-header $cookie_userSessionToken;

Please also note that the current version of the viewer is not fully compatible with the authorization plugin. I have had some work in progress there for a long time: https://bitbucket.org/osimis/osimis-webviewer-plugin/branch/am-http-headers. I’ll try to push it ahead.

Br

Alain
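
The approach described in the reply above, written for an Apache reverse proxy (an added example, not part of the original thread and not tested against the viewer). The cookie name userSessionToken and the header name my-auth-header are taken from the nginx line; the /viewer/ path and the backend address are assumptions.

```apache
# Added example. Requires mod_proxy, mod_proxy_http, mod_setenvif and mod_headers.
# Assumed: the viewer is published under /viewer/ and the backend
# listens on 127.0.0.1:8042 (adjust both to your deployment).

<Location "/viewer/">
    # Remove any copy of the header sent by the browser, so a client
    # cannot supply its own value when the cookie is absent.
    RequestHeader unset my-auth-header

    # Capture only the value of the userSessionToken cookie from the
    # Cookie header into the SESSION_TOKEN environment variable.
    SetEnvIf Cookie "(?:^|;\s*)userSessionToken=([^;]+)" SESSION_TOKEN=$1

    # Forward the token as a dedicated header, only when the cookie was found.
    RequestHeader set my-auth-header "%{SESSION_TOKEN}e" env=SESSION_TOKEN

    ProxyPass "http://127.0.0.1:8042/"
    ProxyPassReverse "http://127.0.0.1:8042/"
</Location>
```

The header is only trustworthy if the backend accepts connections from the proxy alone; a backend reachable directly would accept any my-auth-header value a client sends.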

Hi Alain

Thanks for this.

We have found that specifying the header that stores the Symfony sessionID
enables the session to be restored for the call to the WebService. Do
you think this is an acceptable way of doing it?

Yes, this looks like a good approach.