I have a legacy java-SOAP-client that only supports BASIC authentication
(sends the Authorization: Basic... header) and an AngularJS application that
consumes a REST-service (also sending the Authorization: Basic header).

The server supports two kinds of deployment: standalone with an embedded
Jetty-server, and as a war-file for app-servers (most of them are
tomcat-servers). I am trying to suppress the browser BASIC-login-dialog for the
REST-service-calls from AngularJS.
On Jetty I modify the 401-responses and replace the "WWW-Authenticate"
header with anything other than "BASIC", and that works. Now I am trying to
find a solution for the deployment on tomcat servers.

Rewrite (unset header in responses) with an apache proxy in front of the
tomcat is unfortunately not a solution I can implement.

So I'm looking for a solution to remove or modify the headers in 401
responses on application server level.

-----Original Message-----
From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
Sent: Wednesday, 28 October 2015 10:26
To: users@tomcat.apache.org
Subject: Re: Suppress or replace WWW-Authorization header

Hi.

On 28.10.2015 09:36, Torsten Rieger wrote:
> Hi,
>
>
>
> I try to suppress the browser login-dialog on basic authentication
> (basic is a legacy requirement), how can I do that? Filters are called
> after login on the container, right?
>

I am not sure that I understand exactly what you mean here, and I certainly
do not understand the purpose of what you are trying to do, but here is some
information that may help:

The general authentication logic in HTTP works (roughly) as follows :

1) the browser sends a request to the server, for some resource (HTML page
or else)
2) the server checks if access to the requested resource requires
authentication/authorization.
If not, go to 8
3) (if yes) : the server checks if the request already contains an
authentication of the required type, and if yes, if it is valid.
If yes, go to 8
4) (if not) : the server returns a status code 401 (authorization required)
to the browser, along with *the kind of authentication* required (this is
defined in the server configuration for that resource)
5) the browser obtains the required authentication credentials (in a way
which depends on the type of AAA required)
6) the browser repeats the request to the server, this time providing the
required credentials, in the form corresponding to what the server indicated
in (4).
7) back to (2) above.

8) the server returns the requested resource.

Now your case is apparently so that at step (4) above, the 401 response that
the server sends back to the browser, specifies "HTTP Basic" as the
requested form of authentication/credentials.
In such a case, the browser (all browsers), at step (5), *will* popup a
Basic authentication dialog, and there is nothing that you can do about it.
It is a behaviour that is built-in in all browsers, and it is what is
expected of them.
(In other words also, this dialog is not something that is sent by the
server, so you cannot "filter it out").

The only way to avoid such a dialog in the browser, is at the level of the
server, ensuring that the 401 responses do not specify "Basic" as the
requested authentication method.

If the above does not answer your question, please provide more details
about what you are trying to do, and the purpose of it.



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
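
The following is an added example, not code from either poster or from Tomcat: a servlet filter that performs steps (3), (4) and (8) of the flow above inside the application and sends the 401 with a challenge scheme other than "Basic", the same header change the first message reports doing on Jetty. The class name, the "xBasic" scheme, the realm and the sample credential are hypothetical, and it assumes the application checks credentials itself (no container-managed login) and that both clients send the Authorization header without waiting for a challenge.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: validates Basic credentials itself and never sends a "Basic" challenge. */
public class QuietBasicAuthFilter implements Filter {
    // Constructed sample credential ("user:password"); a real deployment would query its user store.
    private static final byte[] EXPECTED = "demo:change-me".getBytes(StandardCharsets.UTF_8);

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        if (isValid(req.getHeader("Authorization"))) {
            chain.doFilter(req, res);           // step 8: serve the requested resource
            return;
        }
        // Step 4: still a 401, but the scheme name is not "Basic" (assumed value "xBasic"),
        // so the response no longer names Basic as the requested authentication method.
        res.setHeader("WWW-Authenticate", "xBasic realm=\"app\"");
        res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    /** Step 3: accept only a well-formed "Basic base64(user:password)" header with the expected value. */
    static boolean isValid(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return false;                       // header missing or a different scheme
        }
        try {
            byte[] given = Base64.getDecoder().decode(header.substring(6).trim());
            return MessageDigest.isEqual(given, EXPECTED);  // avoids an early-exit byte comparison
        } catch (IllegalArgumentException malformedBase64) {
            return false;                       // reject instead of failing the request with a 500
        }
    }
}
```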
