UAG stripping authorization header

  • Question

  • I published a RESTful AJAX app that uses a custom authorization scheme and enabled SSO.  The login page is an HTML form that grabs credentials and puts them into a custom authorization HTTP header and sends the request back to the server - the form does not POST with form data in the body of the HTTP request.  I can get UAG to inject credentials into the login form and do an autosubmit, but when the form is submitted and an AJAX request is sent with the user credentials, UAG strips out the Authorization header and authentication fails.  If I use AppWrap to add an Authorization header with the right value (value is static), UAG still strips the header.  I've tried using both "HTML form" and "Both" in the application authentication tab but the header still gets stripped, even though trace gives me different reasons why.  The only thing I need to finish this app off is to preserve or re-inject this header in the HTTP traffic - any ideas on how to do this?


    Here are the authentication headers used for initial login:

    Authorization: my_authentication_scheme profile="my_authentication_profile"
    X-custom-auth: username=my_username, password=my_password


    When the app is published using "Both" for authentication, trace gives me the following message:

    Info:Authorization header(s) will be removed as a 401 rule exists for this application (Cortext). (PFC=000000000D1F2BE8)

    When I use "HTML form" for authentication, trace says:

    Info:Client Authorization header was detected with SSO congiguration. Discard the header

    Any ideas? 





    • Edited by Bryan2012 Monday, June 11, 2012 7:42 PM
    Monday, June 11, 2012 7:39 PM

Answers

All replies