Hi Bertrand, Thanks for your response! I appreciate your help.
On Tuesday, February 28, 2017 6:33 AM, Bertrand Delacretaz <[email protected]> wrote: > Hi John, > > On Mon, Feb 27, 2017 at 10:11 PM, John Logan <[email protected]> wrote: > > ...I receive 302 if the curl request includes the user agent, and > > 401 otherwise.... > > AFAIK it's the AuthUtil.isBrowserRequest method [1] that makes this decision. > Agreed, I came across that code while investigating this. > > I don't think this helps for browser AJAX requests, though... > > You might be able to tweak your request to work around this, based on > that source code? > > Or maybe catch the 302 response and implement the behavior that you need. > Neither modifying the User-Agent header nor trying to identify a redirect is really clean from an AJAX or REST services perspective. I was hoping that there was some way to implement an endpoint in Sling that provided a pure data service that could be used by a browser-based app. The form-based authentication handler anticipated this need for login requests with its "j_validate" parameter, but I don't see a way for other servlets to provide similar behavior. I suppose that a minimally invasive approach would be to modify the isBrowserRequest() method to detect a custom header that has priority over the user agent test. Adding a header to an AJAX request would be much cleaner than modifying the User-Agent header in the browser navigator object. Is that something that would be best discussed in a JIRA request rather than here? > -Bertrand > > [1] > https://svn.apache.org/repos/asf/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/AuthUtil.java
