khanhcongle
You're welcome!
I must admit that my knowledge of Axon Ivy 7 is pretty limited and rather vague after not having worked with it for some years, but the situation you cited still applies for Axon Ivy 10.
In the end, the engine reads the user from the header provided by your WAF.
The engine works as follows:
1) Read the user from the header
2) Look it up in the Security System - if it finds a match, you're authenticated.
That just means that if you can access the engine directly (usually HTTP / HTTPS), you can simply fake the header and authenticate as any user you like by modifying it.
So you need to ensure that all traffic to Axon Ivy comes through your proxy and never reaches the engine directly. The engine ports should be limited to accept only traffic from the WAF, which requires the user to be authenticated.
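To make the difference concrete, here is a small added illustration (not code from Axon Ivy or from the poster) of the two lookup behaviours described above. The header name `X-Forwarded-User`, the proxy subnet and the user list are constructed assumptions for the example, not values taken from the product. The naive function mirrors the engine behaviour the reply describes: whatever user name the header carries is looked up in the Security System and accepted. The hardened function adds the check the reply recommends at the network level, expressed in code: the header is only honoured when the TCP peer is the WAF/proxy, so a connection that bypasses the proxy gets no identity at all.

```python
from ipaddress import ip_address, ip_network

# Constructed assumptions for this example; the real header name and
# configuration of the Axon Ivy engine are not given in the thread.
USER_HEADER = "x-forwarded-user"
TRUSTED_PROXIES = [ip_network("10.0.1.0/24")]   # constructed WAF/proxy subnet
SECURITY_SYSTEM = {"alice", "bob"}              # constructed stand-in for the user directory


def _header_user(headers):
    """HTTP header names are case-insensitive, so normalise before lookup."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get(USER_HEADER)


def resolve_user_naive(headers, remote_addr, users=SECURITY_SYSTEM):
    """Behaviour described in the reply: read the header, look it up, done.

    remote_addr is ignored, so any client that can reach the engine
    port directly can pick its own identity just by setting the header.
    """
    name = _header_user(headers)
    return name if name in users else None


def resolve_user(headers, remote_addr, trusted_proxies=TRUSTED_PROXIES,
                 users=SECURITY_SYSTEM):
    """Hardened variant: the header is trusted only when the connection
    comes from the WAF/proxy that is known to have authenticated the user.
    Everything else is treated as unauthenticated, even if the header is set.
    """
    peer = ip_address(remote_addr)
    if not any(peer in net for net in trusted_proxies):
        # Request bypassed the WAF: the header is attacker-controlled input.
        return None
    name = _header_user(headers)
    return name if name in users else None


if __name__ == "__main__":
    forged = {"X-Forwarded-User": "alice"}
    # Direct access from an untrusted address (203.0.113.5 is a constructed sample).
    print("naive, direct access:   ", resolve_user_naive(forged, "203.0.113.5"))
    print("hardened, direct access:", resolve_user(forged, "203.0.113.5"))
    print("hardened, via proxy:    ", resolve_user(forged, "10.0.1.7"))
```

The address check in code is a belt-and-braces measure; the primary control remains what the reply says, namely firewalling the engine ports so that only the WAF can open a connection to them. Note that `remote_addr` here must be the real TCP peer address, not another forwarded header, or the check can be defeated the same way.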