Hi All. At the moment we are removing authorization headers from API request when it passes to actual back end (at gateway authorization handler). But for some use cases we need to just pass through gateway and allow actual back end to do authorization. In that case we can define that resource token type as none (no application or application user). Then gateway will skip authorization process but still it removes authorization headers if available. But ideally it shouldn't remove them as there is no actual authorization happens. Shall we go ahead and avoid removing security headers? WDYT?
Thanks. -- *Sanjeewa Malalgoda* WSO2 Inc. Mobile : +14084122175 | +94713068779 <http://sanjeewamalalgoda.blogspot.com/>blog :http://sanjeewamalalgoda.blogspot.com/<http://sanjeewamalalgoda.blogspot.com/>
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev
