GSA cookie cracker, can be breached by getRemoteUser() in Java?


I have a Java frontend application that connects to GSA for search results. GSA is configured to use the cookie cracker from this application frontend.

In general, Java applications can override getRemoteUser() and return a username, i.e. the user in session. In development we can then impersonate another user through this method and search for results in Production as that user.

It looks like a security breach in this sense. Can anyone advise whether this is an ill design, and is there any recommended solution to it?

Terry Chambers - Onix

When you use cookie cracking, you are trusting that your application is well written and not trying to break security.

If an end user can change the header information, that would be a security breach. If the developer of the search application can impersonate someone, that is less of a security breach and more of an issue to deal with the developer, in my opinion. If the GSA admin does not trust the developer, then they should not implement cookie cracking as the solution.
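An illustration of the trust boundary the answer describes, added here as an example that is not from the question or the answer: a cookie-cracker endpoint for a Java servlet front end that takes the identity only from the container-authenticated principal, never from anything the client sends. The GSA address allowlist, the absence of a reverse proxy in front of the servlet, and the servlet mapping are assumptions; the X-Username response header name is the one the GSA cookie-cracking documentation uses.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Cookie-cracker endpoint that the GSA calls with the end user's session
// cookie. It answers with the X-Username header the GSA expects. The identity
// comes only from the principal the servlet container established at login,
// never from a request header or parameter the browser could set.
public class CookieCrackerServlet extends HttpServlet {

    // Assumption: the appliance address(es) are configured out of band.
    // Placeholder value; replace with the real GSA address(es).
    private static final Set<String> GSA_ADDRESSES = Set.of("192.0.2.10");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Only the appliance should be able to ask "who owns this cookie?".
        // Assumption: no reverse proxy, so getRemoteAddr() is the caller.
        if (!GSA_ADDRESSES.contains(req.getRemoteAddr())) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Use the container's principal for this request. If the application
        // wraps requests to override getRemoteUser() for development
        // impersonation, that wrapper must not sit on this endpoint's filter
        // chain in production, otherwise the GSA inherits the impersonation.
        Principal p = req.getUserPrincipal();
        if (p == null || p.getName() == null || p.getName().isEmpty()) {
            // Unknown or expired cookie: reply without X-Username so the GSA
            // does not treat the request as an identified user.
            resp.setHeader("Cache-Control", "no-store");
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Never echo an X-Username request header or a ?user= parameter here:
        // anything the client controls would let the end user pick an identity.
        resp.setHeader("X-Username", p.getName());
        resp.setHeader("Cache-Control", "no-store");
        resp.setStatus(HttpServletResponse.SC_OK);
    }
}
```

Map the servlet at the URL registered as the cookie-cracker sample URL in the GSA configuration, and keep that URL pointed at the production front end only, so a development instance cannot answer the production appliance.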