0 Replies Latest reply on Mar 27, 2014 11:04 PM by PMON

    HTTP Header Variable Authentication




      In our environment we allow users to authenticate via HTTP Header Variable Authentication, and we fetch the value from SSL_CLIENT_S_DN_CN to get their username. This value is populated by the Oracle Application Server after the user selects his client certificate. I was just wondering how secure this method is. Can a user potentially spoof the header variable SSL_CLIENT_S_DN_CN? How can I protect against spoofing?
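
An added example, not part of the original post and not Oracle code: the check a TLS-terminating front end has to make so that SSL_CLIENT_S_DN_CN can only come from the validated client certificate. The function names and sample requests are constructed for illustration, and it assumes the application is reachable only through this front end.

```python
# Added example: hypothetical front-end filter, not Oracle Application Server code.
TRUSTED_HEADER = "SSL_CLIENT_S_DN_CN"


def canonical(name):
    """Fold case and '-'/'_' so look-alike header names compare equal."""
    return name.replace("-", "_").upper()


def sanitize_headers(client_headers, verified_cn):
    """Build the header list forwarded to the application.

    client_headers: (name, value) pairs exactly as the client sent them.
    verified_cn: subject CN read from the TLS layer after the client
                 certificate was validated, or None when none was presented.
    Returns (forwarded, dropped); 'dropped' is worth logging as a spoof attempt.
    """
    target = canonical(TRUSTED_HEADER)
    forwarded = [(n, v) for n, v in client_headers if canonical(n) != target]
    dropped = [(n, v) for n, v in client_headers if canonical(n) == target]
    if verified_cn:
        forwarded.append((TRUSTED_HEADER, verified_cn))
    return forwarded, dropped


def authenticated_user(headers):
    """Application side: accept only a single, non-empty trusted value."""
    target = canonical(TRUSTED_HEADER)
    values = [v for n, v in headers if canonical(n) == target]
    return values[0] if len(values) == 1 and values[0] else None


# Constructed sample requests (not real traffic).
SPOOFED_NO_CERT = [("Host", "app.example.test"), ("SSL_CLIENT_S_DN_CN", "ADMIN")]
SPOOFED_WITH_CERT = [("Host", "app.example.test"),
                     ("ssl-client-s-dn-cn", "ADMIN"),
                     ("SSL_CLIENT_S_DN_CN", "ADMIN")]

if __name__ == "__main__":
    for request, cn in ((SPOOFED_NO_CERT, None), (SPOOFED_WITH_CERT, "JSMITH")):
        forwarded, dropped = sanitize_headers(request, cn)
        print(authenticated_user(forwarded), "dropped:", dropped)
```

If the application port can be reached without passing through the front end, any client can supply the header itself, so restricting the application listener to the front end's address is part of the same control.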