tomcat-users mailing list archives

From André Warnier (tomcat)
Subject Re: Suppress or replace WWW-Authorization header
Date Wed, 28 Oct 2015 09:25:44 GMT

On 28.10.2015 09:36, Torsten Rieger wrote:
> Hi,
> I try to suppress the browser login-dialog on basic authentication (basic
> is a legacy requirement), how can I do that? Filters are called after login
> on the container, right?

I am not sure that I understand exactly what you mean here, and I certainly do not understand
the purpose of what you are trying to do, but here is some information that may help :

The general authentication logic in HTTP works (roughly) as follows :

1) the browser sends a request to the server, for some resource (HTML page or else)
2) the server checks if access to the requested resource requires 
If not, go to 8
3) (if yes) : the server checks if the request already contains an authentication of the
required type, and if yes, if it is valid.
If yes, go to 8
4) (if not) : the server returns a status code 401 (authorization required) to the 
browser, along with *the kind of authentication* required (this is defined in the server 
configuration for that resource)
5) the browser obtains the required authentication credentials (in a way which depends on
the type of AAA required)
6) the browser repeats the request to the server, this time providing the required 
credentials, in the form corresponding to what the server indicated in (4).
7) back to (2) above.

8) the server returns the requested resource.

Now your case is apparently so that at step (4) above, the 401 response that the server 
sends back to the browser, specifies "HTTP Basic" as the requested form of 
In such a case, the browser (all browsers), at step (5), *will* pop up a Basic 
authentication dialog, and there is nothing that you can do about it.  It is a behaviour 
that is built-in in all browsers, and it is what is expected of them.
(In other words also, this dialog is not something that is sent by the server, so you 
cannot "filter it out").

The only way to avoid such a dialog in the browser, is at the level of the server, 
ensuring that the 401 responses do not specify "Basic" as the requested authentication method.

If the above does not answer your question, please provide more details about what you 
are trying to do, and the purpose of it.

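The exchange described in the message above, as an added example that is not part of the original e-mail and is not Tomcat code: a simplified Python model of both sides, showing that the login dialog is the client's reaction to the scheme named in the 401 challenge. The sample account, the realm and the `xBasic` scheme name are constructed for illustration; `prompt` stands in for the browser's built-in dialog.

```python
import base64
import hmac

USERS = {"alice": "s3cret"}  # constructed sample account

def server(scheme, authorization=None):
    """Steps 2-4 and 8: return (status, headers) for a protected resource."""
    if authorization:
        kind, _, token = authorization.partition(" ")
        try:
            decoded = base64.b64decode(token, validate=True).decode()
            user, _, pw = decoded.partition(":")
        except ValueError:  # malformed base64 or non-UTF-8 credentials
            user, pw = "", ""
        known = USERS.get(user)
        if (kind.lower() == scheme.lower() and known is not None
                and hmac.compare_digest(known.encode(), pw.encode())):
            return 200, {}  # step 8: credentials present and valid
    # Step 4: the challenge names the scheme the server is configured for.
    return 401, {"WWW-Authenticate": f'{scheme} realm="demo"'}

def browser(scheme, prompt):
    """Steps 1 and 5-7 (simplified client model).

    Returns (final status, number of times the login dialog opened)."""
    dialogs, authorization = 0, None
    for _ in range(3):  # stop after a few attempts
        status, headers = server(scheme, authorization)
        challenge = headers.get("WWW-Authenticate", "")
        if status != 401 or challenge.split(" ", 1)[0].lower() != "basic":
            break  # finished, or a scheme the client has no dialog for
        dialogs += 1  # step 5: dialog is produced by the client, not sent by the server
        user, pw = prompt()
        token = base64.b64encode(f"{user}:{pw}".encode()).decode()
        authorization = f"Basic {token}"  # step 6: repeat with credentials
    return status, dialogs

if __name__ == "__main__":
    creds = lambda: ("alice", "s3cret")
    print("Basic challenge :", browser("Basic", creds))
    print("xBasic challenge:", browser("xBasic", creds))
```

With the non-Basic challenge the 401 reaches the page itself, so any client-side code has to build and send the `Authorization` header on its own.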