Torsten,

On 10/28/15 11:28 AM, Torsten Rieger wrote:
> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Wednesday, 28 October 2015 15:39
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: AW: Suppress or replace WWW-Authorization header
> 
> Torsten,
> 
> On 10/28/15 8:19 AM, Torsten Rieger wrote:
>> I have a legacy java-SOAP-client that only supports BASIC
>> authentication (send the Authorization: Basic... header) and an
>> AngularJS application that consumes a REST-service (also sending the
>> Authorization: Basic header).
>>
>> The server supports two kinds of deployment: Standalone with an
>> embedded Jetty-server and as war-file for app-servers (most of them
>> are tomcat-server). I try to suppress the browser BASIC-login-dialog
>> for the REST-service-calls from AngularJS.
>> On Jetty I modify the 401-responses and replace the "WWW-Authenticate"
>> header by anything else than "BASIC" and that works, now I try to find
>> a solution for the deployment on tomcat servers.
>>
>> Rewrite (unset header in responses) with an apache proxy in front of
>> the tomcat is unfortunately not a solution I can implement.
>>
>> So I'm looking for a solution to remove or modify the headers in 401
>> responses on application server level.
> 
> So you just want to disable HTTP BASIC authentication? Why not just remove
> the <auth-method> from web.xml and disable authentication entirely?
> 
> Are you saying that when you connect using a REST client, the client shows a
> login dialog in a web browser? That sounds ... weird. The REST client should
> see the WWW-Authenticate header and either (a) fail or (b) re-try with
> credentials you have provided to it.
> 
> -chris
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
> No, container BASIC authentication should be enabled, the container should
> handle the authentication, but the browser should not show its ugly default
> login dialog when I request resources from the REST-service with wrong
> credentials.
> When the REST-client (web-application in the browser) receives a failed
> login with a WWW-Authenticate header, the default dialog of the browser will
> be shown... that’s what I want to suppress.
> 
> When I remove the (a) <login-config> or (b) <auth-method>, sending requests
> with credentials will not work anymore (a: 403 forbidden; b: deployment
> fails). But that's not a solution because the rest-service should be still
> protected and I need to authenticate via "Authentication: Basic ....."
> header send credentials, but I don't want to show the ugly browser-dialog to
> the users.
> 
> Using an AngularJS Client with REST-services based on tomcat should be a
> common use-case, it could not be that I'm the first one who wants a custom
> login-screen. :-/

How does your application know when the WWW-Authenticate header is okay
to remove from the response?

-chris
