W3C home > Mailing lists > Public > public-credentials@w3.org > April 2018

Signing HTTP Messages: Adding an optional username/principal to the signature

From: Graham Leggett <minfrin@sharp.fm>
Date: Wed, 11 Apr 2018 14:26:17 +0200
Message-Id: <3434A0FA-CA33-4CB8-B51E-32439BF73793@sharp.fm>
To: public-credentials@w3.org
Hi,

Right now today, one can configure a reverse proxy like Apache httpd to perform an authn/authz function, and then pass the request over the AJP protocol to a server like Apache tomcat, and in the process the username/principal is passed transparently from the reverse proxy to the application server.

I am looking for an RFC compliant way of doing this so I can use SSL on this back channel between reverse proxy and server, and have found https://tools.ietf.org/html/draft-cavage-http-signatures-09#ref-3.

The missing piece however is that while a request can be signed, it doesn’t seem possible to pass a username/principal along with this request.

Sure, this could be hacked by coming up with some non standard way of passing the principal in a non standard header, but ideally I’d like a module for Apache httpd to be able to sign the reverse proxied request and insert the optional principal if necessary, and have a filter in tomcat to verify the signatures and optional pass on the principal to the calling application, and have this “just work”, like AJP does today.

Is this something that has been considered for Signing HTTP Messages?

Regards,
Graham
—


Received on Wednesday, 11 April 2018 12:26:45 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:18:26 UTC