-----Ursprüngliche Nachricht-----
Von: Aurélien Terrestris [mailto:aterrest...@gmail.com]
Gesendet: Mittwoch, 28. Oktober 2015 16:45
An: Tomcat Users List <users@tomcat.apache.org>
Betreff: Re: AW: Suppress or replace WWW-Authorization header
You can choose between a pop-up or an HTML FORM
This one looks like this in web.xml :
<login-config>
<auth-method>FORM</auth-method>
<realm-name>webapp global realm</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/error_login.jsp</form-error-page>
</form-login-config>
</login-config>
2015-10-28 16:28 GMT+01:00 Torsten Rieger <torsten.rie...@promatis.de>:
> -----Ursprüngliche Nachricht-----
> Von: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Gesendet: Mittwoch, 28. Oktober 2015 15:39
> An: Tomcat Users List <users@tomcat.apache.org>
> Betreff: Re: AW: Suppress or replace WWW-Authorization header
>
> Torsten,
>
> On 10/28/15 8:19 AM, Torsten Rieger wrote:
> > I have a legacy java-SOAP-client that only supports BASIC
> > authentication (send the Authorization: Basic... header) and a
> > AngularJS application that consumes a REST-service (also sending the
> > Authorization: Basic header).
> >
> > The server supports two kinds of deployment: Standalone with an
> > embedded Jetty-server and as war-file for app-servers (most of them
> > are tomcat-server). I try to suppress the browser BASIC-login-dialog
> > for the REST-service-calls from AngularJS.
> > On Jetty I modify the 401-responses and replace the "WWW-Authenticate"
> > header by anything else than "BASIC" and that works, now I try to
> > find a solution for the deployment on tomcat servers.
> >
> > Rewrite (unset header in responses) with an apache proxy in front of
> > the tomcat is unfortunately not a solution I can implement.
> >
> > So I'm looking for a solution to remove or modify the headers in 401
> > responses on application server level.
>
> So you just want to disable HTTP BASIC authentication? Why not just
> remove the <auth-method> from web.xml and disable authentication entirely?
>
> Are you saying that when you connect using a REST client, the client
> shows a login dialog in a web browser? That sounds ... weird. The REST
> client should see the WWW-Authenticate header and either (a) fail or
> (b) re-try with credentials you have provided to it.
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
> No, container BASIC authentication should be enabled, the container
> should handle the authentication, but the browser should not show his
> ugly default login dialog when I request resources from the
> REST-service with wrong credentials.
> When the REST-client (web-application in the browser) receives a
> failed login with a WWW-Authenticate header, the default dialog of the
> browser will be shown... that’s what I want to suppress.
>
> When I remove the (a) <login-config> or (b) <auth-method> sending
> requests with credentials will not work anymore (a: 403 forbidden; b:
> deployment fails). But that's not a solution because the rest-service
> should be still protected and I need to authenticate via "Authentication:
> Basic ....."
> header send credentials, but I don't want to show the ugly
> browser-dialog to the users.
>
> Using a AngularJS Client with REST-services based on tomcat should be
> a common use-case, it could not be that I'm the first one who wants a
> custom login-screen. :-/
>
> -torsten
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
The Problem is then, that login via "Authorization: BASIC xyz==" will not
work anymore... the legacy client is not able to handle FORM based login :-/
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
