Logged In: YES 
user_id=4480

Yes, you're correct.  If a front-end proxy is being trusted
to authenticate, then this is the correct behaviour, but
otherwise it would be a nasty security hole.  I'll add a
config variable to enable trusting a front-end proxy to have
performed the authentication, in addition to integrating
with the patch from #1067690.  If you don't mind, I'll
re-open this and submit my patch here.  [I never noticed
your response because the e-mail address I had registered
with SF no longer worked; I've updated it and expect I will
now see any responses.]