Monday, January 26, 2009

Fake Siteminder for Development Environment

If you want to build a simple fake SiteMinder front end for testing something like CAC authentication, put Apache in front of the application (using mod_proxy), then try this in httpd.conf:

# Read the SM_USER cookie into an environment variable (case-insensitive match,
# value runs up to the next ';')
SetEnvIfNoCase Cookie sm_user=([^;]+) sm_user=$1
# Set the SM_USER request header from that variable; only fires when the cookie was present
RequestHeader set sm_user %{sm_user}e env=sm_user
# Repeat the request header as a response header so you can see what the app received
Header echo SM_USER

(Make sure that you uncomment the mod_headers and mod_setenvif LoadModule lines near the top of the config file.) After you restart Apache and verify that you can get to your application, you can either set or edit the SM_USER cookie with the Web Developer toolbar, or write some simple HTML and JavaScript that sets the cookie from a single form input.
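An added example of that page script (mine, not from the original post): it builds the SM_USER cookie the SetEnvIfNoCase rule above reads, and refuses values the rule's `[^;]+` capture would truncate. The form id `sm-login` and input name `user` are assumptions.

```javascript
// Added example: set the SM_USER cookie consumed by the fake-SiteMinder Apache config.
// Assumes a form with id "sm-login" containing a text input named "user" (my names).

// Build the cookie string. The Apache regex sm_user=([^;]+) captures everything up
// to the next ';', so a value containing ';' would be silently truncated, and
// surrounding whitespace would be forwarded to the application as part of the
// identity. Reject both so the header the app sees is exactly what was typed.
function buildSmUserCookie(user) {
  const value = String(user).trim();
  if (value === '' || /[;\s]/.test(value)) {
    throw new Error('SM_USER value must be non-empty and contain no ";" or whitespace');
  }
  // path=/ so the cookie accompanies every request the proxy forwards.
  return `SM_USER=${value}; path=/`;
}

// Expire the cookie to end the fake "session"; with no cookie the proxy sets no
// header, because the RequestHeader line is conditional on env=sm_user.
function buildSmUserLogoutCookie() {
  return 'SM_USER=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT';
}

// Browser wiring; skipped when no DOM is present (e.g. when run under Node).
if (typeof document !== 'undefined') {
  const form = document.getElementById('sm-login');
  if (form) {
    form.addEventListener('submit', (ev) => {
      ev.preventDefault();
      document.cookie = buildSmUserCookie(form.elements['user'].value);
      location.reload(); // re-request through Apache with the new identity
    });
  }
}
```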

This is much simpler than modifying your applications to use alternative authentication in dev/test/stage, and it has been working for me for years now with many products similar to SiteMinder that pass authentication information in request headers.
