Signing HTTP Messages: Adding an optional username/principal to the signature

Hi,

Right now today, one can configure a reverse proxy like Apache httpd to perform an authn/authz function, and then pass the request over the AJP protocol to a server like Apache Tomcat, and in the process the username/principal is passed transparently from the reverse proxy to the application server.

I am looking for an RFC-compliant way of doing this so I can use SSL on this back channel between reverse proxy and server, and have found https://tools.ietf.org/html/draft-cavage-http-signatures-09#ref-3.

The missing piece however is that while a request can be signed, it doesn’t seem possible to pass a username/principal along with this request.

Sure, this could be hacked by coming up with some non-standard way of passing the principal in a non-standard header, but ideally I’d like a module for Apache httpd to be able to sign the reverse-proxied request and insert the optional principal if necessary, and have a filter in Tomcat to verify the signatures and optionally pass on the principal to the calling application, and have this “just work”, like AJP does today.

Is this something that has been considered for Signing HTTP Messages?

Regards,
Graham
—

Received on Wednesday, 11 April 2018 12:26:45 UTC
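As an added illustration of the pattern the post describes (not code from the poster, from Apache httpd or Tomcat, or from the draft itself), the following Python sketch models both sides of the back channel: the proxy signs the request under draft-cavage-09 rules using the `hmac-sha256` algorithm, and, when it has authenticated a user, places the principal in a header that it includes in the signed header list; the server-side filter verifies the signature and refuses any request in which a principal header is present but not covered by the signature. The header name `x-forwarded-principal`, the `keyId` value, the shared secret and the sample Host/Date values are all constructed assumptions for the example; the draft defines none of them.

```python
import base64
import hashlib
import hmac
import re
from typing import Dict, List, Optional, Tuple

# Shared secret between reverse proxy and application server (constructed
# demo value; a real deployment distributes it out of band and rotates it).
SHARED_KEYS = {"proxy-key-1": b"constructed-demo-secret-do-not-reuse"}

# Hypothetical header carrying the authenticated principal. The draft does
# not define it; the point is that it must be covered by the signature.
PRINCIPAL_HEADER = "x-forwarded-principal"

# Items the verifier insists are covered, whether or not a principal is sent.
ALWAYS_COVERED = ["(request-target)", "host", "date"]


def build_signing_string(method: str, path: str, headers: Dict[str, str],
                         covered: List[str]) -> str:
    """draft-cavage signing string: one 'name: value' line per covered item,
    with (request-target) expanded to lowercase method plus path."""
    lower = {k.lower(): v for k, v in headers.items()}
    lines = []
    for name in covered:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        elif name in lower:
            lines.append(f"{name}: {lower[name].strip()}")
        else:
            raise KeyError(f"covered header {name!r} is absent from the request")
    return "\n".join(lines)


def sign_request(method: str, path: str, headers: Dict[str, str], key_id: str,
                 principal: Optional[str] = None) -> Dict[str, str]:
    """Proxy side: attach the principal header if one was established, sign
    the request-target plus covered headers with HMAC-SHA256, and return the
    headers with a Signature header added."""
    out = {k.lower(): v for k, v in headers.items()}
    covered = list(ALWAYS_COVERED)
    if principal is not None:
        out[PRINCIPAL_HEADER] = principal
        covered.append(PRINCIPAL_HEADER)  # the principal rides under the signature
    signing_string = build_signing_string(method, path, out, covered)
    mac = hmac.new(SHARED_KEYS[key_id], signing_string.encode(), hashlib.sha256).digest()
    out["signature"] = (f'keyId="{key_id}",algorithm="hmac-sha256",'
                        f'headers="{" ".join(covered)}",'
                        f'signature="{base64.b64encode(mac).decode()}"')
    return out


def _parse_signature(value: str) -> Dict[str, str]:
    """Parse the comma-separated key="value" parameters of a Signature header."""
    return dict(re.findall(r'(\w+)="([^"]*)"', value))


def verify_request(method: str, path: str,
                   headers: Dict[str, str]) -> Tuple[bool, Optional[str]]:
    """Server-side filter: (True, principal) when the signature is valid and
    every security-relevant header was covered (principal is None for an
    anonymous request); (False, None) otherwise."""
    lower = {k.lower(): v for k, v in headers.items()}
    if "signature" not in lower:
        return False, None
    params = _parse_signature(lower["signature"])
    key = SHARED_KEYS.get(params.get("keyId", ""))
    if key is None or params.get("algorithm") != "hmac-sha256":
        return False, None
    covered = params.get("headers", "").split()
    # Refuse a signature that leaves out the request-target, host or date...
    if any(h not in covered for h in ALWAYS_COVERED):
        return False, None
    # ...or that leaves a present principal header unsigned: an unsigned
    # principal could have been added by anything between proxy and server.
    if PRINCIPAL_HEADER in lower and PRINCIPAL_HEADER not in covered:
        return False, None
    try:
        signing_string = build_signing_string(method, path, lower, covered)
        provided = base64.b64decode(params.get("signature", ""), validate=True)
    except (KeyError, ValueError):
        return False, None
    expected = hmac.new(key, signing_string.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):
        return False, None
    return True, lower.get(PRINCIPAL_HEADER)


def demo() -> Dict[str, Tuple[bool, Optional[str]]]:
    """Run the four cases a filter must get right (all inputs constructed)."""
    base = {"Host": "app.internal", "Date": "Wed, 11 Apr 2018 12:26:45 GMT"}
    signed = sign_request("GET", "/account", base, "proxy-key-1", principal="alice")
    results = {"valid": verify_request("GET", "/account", signed)}
    tampered = dict(signed)
    tampered[PRINCIPAL_HEADER] = "admin"          # principal changed after signing
    results["tampered_principal"] = verify_request("GET", "/account", tampered)
    anon = sign_request("GET", "/public", base, "proxy-key-1")
    results["anonymous"] = verify_request("GET", "/public", anon)
    injected = dict(anon)
    injected[PRINCIPAL_HEADER] = "admin"          # principal added to an anonymous request
    results["injected_principal"] = verify_request("GET", "/public", injected)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The design choice worth noting is on the verifying side: besides checking the MAC, the filter rejects a request whose `headers` parameter omits the request target, Host or Date, and rejects a request that carries the principal header outside the signed set. Without that second rule, the signature would prove only that the proxy sent a request, not that the proxy vouched for the principal, which is the property the AJP set-up provides today.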