-----Ursprüngliche Nachricht----- Von: Christopher Schultz [mailto:ch...@christopherschultz.net] Gesendet: Mittwoch, 28. Oktober 2015 15:39 An: Tomcat Users List <users@tomcat.apache.org> Betreff: Re: AW: Suppress or replace WWW-Authorization header
Torsten, On 10/28/15 8:19 AM, Torsten Rieger wrote: > I have a legacy java-SOAP-client that only supports BASIC > authentication (send the Authorization: Basic... header) and a > AngularJS application that consumes a REST-service (also sending the > Authorization: Basic header). > > The server supports two kinds of deployment: Standalone with an > embedded Jetty-server and as war-file for app-servers (most of them > are tomcat-server). I try to suppress the browser BASIC-login-dialog > for the REST-service-calls from AngularJS. > On Jetty I modify the 401-responses and replace the "WWW-Authenticate" > header by anything else than "BASIC" and that works, now I try to find > a solution for the deployment on tomcat servers. > > Rewrite (unset header in responses) with an apache proxy in front of > the tomcat is unfortunately not a solution I can implement. > > So I'm looking for a solution to remove or modify the headers in 401 > responses on application server level. So you just want to disable HTTP BASIC authentication? Why not just remove the <auth-method> from web.xml and disable authentication entirely? Are you saying that when you connect using a REST client, the client shows a login dialog in a web browser? That sounds ... weird. The REST client should see the WWW-Authenticate header and either (a) fail or (b) re-try with credentials you have provided to it. -chris --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org No, container BASIC authentication should be enabled, the container should handle the authentication, but the browser should not show his ugly default login dialog when I request resources from the REST-service with wrong credentials. When the REST-client (web-application in the browser) receives a failed login with a WWW-Authenticate header, the default dialog of the browser will be shown... that’s what I want to suppress. When I remove the (a) <login-config> or (b) <auth-method> sending requests with credentials will not work anymore (a: 403 forbidden; b: deployment fails). But that's not a solution because the rest-service should be still protected and I need to authenticate via "Authentication: Basic ....." header send credentials, but I don't want to show the ugly browser-dialog to the users. Using a AngularJS Client with REST-services based on tomcat should be a common use-case, it could not be that I'm the first one who wants a custom login-screen. :-/ -torsten --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
