Save proxy user identity in Channel Context after Proxy Authentication

[savas127]

After user authenticated to proxy, proxy-authorization header is removed from original message. This change can be useful to let creating different filters based on user in filter source.

[jekh]

Is there any way to achieve this without baking it into LP? I can envision certain use cases where this would be useful, but I'm not convinced that the use case is general enough to warrant setting an attribute on the context.

[savas127]

Well, I got the point but other solutions may have bigger impacts.

I think the best solution is changing ProxyAuthenticator interface. Then, other types of authentication methods (digest, NTLM) can be implemented in concrete ProxyAuthenticator classes and proxy can benefit session tokens.

boolean authenticate(HttpRequest request, ChannelHandlerContext ctx);

The solution that has minimal impact is disabling auth service and hendling authentication on HttpFilters. Unfortunately, auth headers get removed because of they are in SHOULD_NOT_PROXY_HOP_BY_HOP_HEADERS list.

[jekh]

Instead of using HttpFilters, could you use the ChainedProxy interface's filterRequest() method? That's how BMP adds authentication for chained proxies (example here).