Hi Rob,
I have not been active recently on Knox.
Response from committers who added the feature would have more weight.
In many existing Hadoop ecosystem REST APIs, the doas query parameter is
used.
They have set up a usage pattern and Knox seems to follow that.
Thanks
Dilli

On Fri, Nov 16, 2018 at 8:33 AM Robert Levas <[email protected]> wrote:

> Hey Knox team…
>
> I am curious about the location of the doAs indicator in the forwarded
> request from Knox.  Why is this a query parameter and not a request header,
> like “X-DoAs”?
>
> Some infrastructures do not play well when trying to parse the query
> parameters in authentication filters (for example Spring).  I have worked
> around my issue, but in the infrastructure that I am using if you attempt
> to call httpServletRequest.getParameter("doAs") in the authentication
> filter, the query parameters and request body get eaten and appear to no
> longer be available to the request handler code.
>
> Aside from that, it seems like it would be more secure if the doAs value
> was in the request header instead. For example it is encrypted when using
> SSL.
>
> Can someone explain the reasoning behind placing doAs as a query
> parameter? Is there any reason why it could not be a request header,
> aside from existing code?  Would it be possible for Knox to conditionally
> set the doAs value as a query parameter or in the header based on some
> metadata about the service or topology?
>
> Thanks,
>
> Rob
>
>
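
An added example, not part of either message or of Knox's code: one way an authentication filter can read doAs without calling getParameter(), by parsing the raw string returned by HttpServletRequest.getQueryString(), which does not read the request body. The class name, the exact-case match on "doAs" and the rejection of repeated values are assumptions made for illustration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;

public class DoAsQueryParser {
    // Parameter name as written in the thread; exact-case matching is an assumption.
    static final String DO_AS = "doAs";

    /**
     * Extracts doAs from the raw query string (the value of
     * HttpServletRequest.getQueryString()), so the container is never asked
     * to parse parameters and the request body stays unread for the handler.
     */
    static Optional<String> doAsFrom(String rawQuery) {
        if (rawQuery == null || rawQuery.isEmpty()) {
            return Optional.empty();
        }
        List<String> values = new ArrayList<>();
        for (String pair : rawQuery.split("&")) {
            int eq = pair.indexOf('=');
            String name = decode(eq < 0 ? pair : pair.substring(0, eq));
            if (DO_AS.equals(name)) {
                values.add(eq < 0 ? "" : decode(pair.substring(eq + 1)));
            }
        }
        if (values.size() > 1) {
            // Repeated doAs makes the impersonated user ambiguous; refuse rather than pick one.
            throw new IllegalArgumentException("multiple doAs parameters");
        }
        return values.stream().filter(v -> !v.isEmpty()).findFirst();
    }

    private static String decode(String s) {
        // Throws IllegalArgumentException on malformed percent-escapes (Java 10+ overload).
        return URLDecoder.decode(s, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample query strings, not taken from a real deployment.
        System.out.println(doAsFrom("op=LISTSTATUS&doAs=alice"));
        System.out.println(doAsFrom("op=LISTSTATUS"));
        System.out.println(doAsFrom("doAs=bob%40EXAMPLE.COM"));
        try {
            doAsFrom("doAs=alice&doAs=root");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```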
