Apache + SP HTTP reverse proxy to Weblogic

Cantor, Scott cantor.2 at osu.edu
Fri Nov 18 15:19:56 GMT 2011


On 11/18/11 10:12 AM, "Sykes, Andy" <a.sykes at ucl.ac.uk> wrote:
>
>So if I'm forced into the situation where I must use headers, then the
>SP's spoof-protection system is superior to just setting the headers by
>hand?

It's orthogonal. Setting the headers by hand doesn't have anything to do
with how you prevent them from being spoofed. The point is, WebLogic has
no such protection. No proxied server does. If you set headers in a proxy,
you are assuming that there is no access path from a client to the proxied
server other than by trusted clients.

The SP only does things to protect the headers because it has to for that
to be viable (and on IIS at the moment it's the only mechanism). With a
proxy, the assumption is that there are extant protections.

-- Scott



More information about the users mailing list