Hey Knox team…
I am curious about the location of the doAs indicator in the forwarded request
from Knox. Why is this a query parameter and not a request header, like
“X-DoAs”?
Some infrastructures do not play well when trying to parse the query parameters
in authentication filters (for example, Spring). I have worked around my issue,
but in the infrastructure that I am using if you attempt to call
httpServletRequest.getParameter("doAs") in the authentication filter, the query
parameters and request body get eaten and appear to no longer be available to
the request handler code.
Aside from that, it seems like it would be more secure if the doAs value was in
the request header instead. For example, it is encrypted when using SSL.
Can someone explain the reasoning behind placing doAs as a query parameter?
Is there any reason why it could not be a request header, aside from existing
code? Would it be possible for Knox to conditionally set the doAs value as a
query parameter or in the header based on some metadata about the service or
topology?
Thanks,
Rob
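The failure mode described in the message above (the first call to `getParameter()` on a form-encoded POST makes the servlet container read and parse the request body, so the handler later finds the input stream empty) can be avoided in a filter by reading the header and the raw query string instead. The filter below is an added example, not Knox code or Spring code. The `X-DoAs` header name, the `example.resolved.doAs` request attribute and the `DoAsResolvingFilter` class are assumptions for illustration only; Knox itself sends `doAs` as a query parameter, as the message says.

```java
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Hypothetical authentication filter that resolves the impersonated user ("doAs")
 * without calling getParameter(). Reading a header and the raw query string has
 * no side effect on the request body, so downstream handlers still see it.
 * Requires Java 10+ for the URLDecoder.decode(String, Charset) overload.
 */
public class DoAsResolvingFilter implements Filter {

    // Hypothetical header name for this example; Knox does not send it today.
    static final String DOAS_HEADER = "X-DoAs";
    // The query parameter name Knox actually uses.
    static final String DOAS_PARAM = "doAs";
    // Hypothetical attribute used to pass the resolved value downstream.
    static final String DOAS_ATTRIBUTE = "example.resolved.doAs";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // getHeader() and getQueryString() never touch the request body.
        String doAs = resolveDoAs(request.getHeader(DOAS_HEADER), request.getQueryString());
        if (doAs != null) {
            // Hand the value on via an attribute so the handler does not have to
            // call getParameter() itself.
            request.setAttribute(DOAS_ATTRIBUTE, doAs);
        }
        chain.doFilter(req, res);
    }

    /** Prefer the header; fall back to the query string. */
    static String resolveDoAs(String headerValue, String rawQuery) {
        if (headerValue != null && !headerValue.isEmpty()) {
            return headerValue;
        }
        return queryParam(rawQuery, DOAS_PARAM);
    }

    /** Minimal x-www-form-urlencoded parser over the raw query string; first match or null. */
    static String queryParam(String rawQuery, String name) {
        if (rawQuery == null || rawQuery.isEmpty()) {
            return null;
        }
        for (String pair : rawQuery.split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            if (decode(key).equals(name)) {
                return eq < 0 ? "" : decode(pair.substring(eq + 1));
            }
        }
        return null;
    }

    private static String decode(String s) {
        return URLDecoder.decode(s, StandardCharsets.UTF_8);
    }
}
```

Two points worth keeping in mind when using a pattern like this. Under TLS both headers and the query string are encrypted on the wire; the practical difference is that query strings routinely end up in access logs, proxy logs and referrers, while headers usually do not. And whichever carrier is used, a service must only honour `doAs` after it has authenticated the proxy that sent it and checked that this proxy is permitted to impersonate the named user.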