I am planning to run ShinyProxy behind a reverse proxy which authenticates the user and makes the user's ID and group information available in HTTP headers added to the request. I think I can use authentication: none to instruct ShinyProxy to trust the incoming requests from the proxy, but ideally I would also like ShinyProxy to adopt the user and group information from the HTTP headers. This would allow, for example, to restrict access to different apps based on group membership.
Is this possible in the current version of ShinyProxy? If not, is it a feature that would be considered? I could look into contributing if there is consensus on the validity of the feature.
This is currently not possible. I think this is a common feature in other web applications, so I do see the value of this. In addition, it should be possible to integrate this nicely into the existing code.
A PR implementing this is always welcome. Here are a few notes to get you started:
- You'll have to implement a custom IAuthenticationBackend. This is a custom class of ContainerProxy.
- In order to implement the login logic, I think you should create a OncePerRequestFilter which parses the headers and extracts the necessary information from them. Then there are two options: 1) you already create an Authentication object, or 2) you add the information to the session of the user. I'm not sure which option is the best option; maybe this will become clear when actually implementing it.
- In the custom authentication backend you add a custom AuthenticationProvider:

    @Override
    public void configureAuthenticationManagerBuilder(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(customAuthenticationProvider);
    }

- In the custom customAuthenticationProvider you parse the contents of the headers (using the information obtained in the filter). You can then create the final Authentication object and add this to the security context.
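An added example of option 1 from the notes above, where the filter builds the Authentication object itself; it is not part of the thread and is not code from ShinyProxy, ContainerProxy or the linked PR. The class name, the header names `X-Remote-User` and `X-Remote-Groups`, the proxy address, the `ROLE_` mapping and the use of `javax.servlet` are all assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical filter: class name, header names, proxy address and role mapping are assumptions.
// Assumes the javax.servlet API (Spring 5 / Boot 2); newer Spring versions use jakarta.servlet.
public class ProxyHeaderAuthenticationFilter extends OncePerRequestFilter {
    private static final String USER_HEADER = "X-Remote-User";     // assumed header name
    private static final String GROUPS_HEADER = "X-Remote-Groups"; // assumed, comma-separated
    private static final String TRUSTED_PROXY = "127.0.0.1";       // assumed proxy address

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String user = request.getHeader(USER_HEADER);
        // The identity headers only mean something when the proxy set them, so they
        // are ignored on any connection that does not come from the proxy itself.
        boolean fromProxy = TRUSTED_PROXY.equals(request.getRemoteAddr());
        if (fromProxy && user != null && !user.trim().isEmpty()) {
            String groups = request.getHeader(GROUPS_HEADER);
            List<SimpleGrantedAuthority> authorities = Arrays
                    .stream(groups == null ? new String[0] : groups.split(","))
                    .map(String::trim)
                    .filter(g -> !g.isEmpty())
                    .map(g -> new SimpleGrantedAuthority("ROLE_" + g.toUpperCase()))
                    .collect(Collectors.toList());
            // Option 1: create the Authentication object directly in the filter.
            SecurityContextHolder.getContext().setAuthentication(
                    new PreAuthenticatedAuthenticationToken(user.trim(), "N/A", authorities));
        } else {
            // No trusted identity on this request: fail closed rather than reuse an earlier one.
            SecurityContextHolder.clearContext();
        }
        chain.doFilter(request, response);
    }
}
```

The source-address check only helps if the reverse proxy also removes any client-supplied copies of these headers before adding its own.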
Please have a look at openanalytics/containerproxy#81 and let me know if the approach may work.
I have tested it with Apache as RP and it looks like it is working.