tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier (tomcat)>
Subject Re: AW: Suppress or replace WWW-Authorization header
Date Wed, 28 Oct 2015 13:05:44 GMT

on this list, as per  #6 ,
it is preferred if you respond below the question being asked (or the previous response) 
rather than on top.
(The main reason being that it is easier that way to follow the normal gist of the 
conversation, rather than having to scroll back and forth to figure out what you are 
responding to.)

On 28.10.2015 13:19, Torsten Rieger wrote:
> I have a legacy java-SOAP-client that only supports BASIC authentication
> (send the Authorization: Basic... header) and a AngularJS application that
> consumes a REST-service (also sending the Authorization: Basic header).
> The server supports two kinds of deployment: Standalone with an embedded
> Jetty-server and as war-file for app-servers (most of them are
> tomcat-server). I try to suppress the browser BASIC-login-dialog for the
> REST-service-calls from AngularJS.
> On Jetty I modify the 401-responses and replace the "WWW-Authenticate"
> header by anything else than "BASIC" and that works, now I try to find a
> solution for the deployment on tomcat servers.

Can you copy and paste here the WEB-INF/web.xml of that server application ?
(remove any sensitive data).

There is probably a way to do this via configuration in Tomcat (I haven't looked it up), 
but you could also have a look at a standard workhorse for this kind of thing : the 
UrlRewriteFilter ( It might provide a way to do this.
(I have not really checked it either, but this looks promising :
See the <set> response-header part.

> Rewrite (unset header in responses) with an apache proxy in front of the
> tomcat is unfortunately not a solution I can implement.
> So I'm looking for a solution to remove or modify the headers in 401
> responses on application server level.

One thing which is still not clear : do you really want to remove/replace that header, or

do you just want that this application would not request authentication at all ?
(Then there would be no need to play with the 401 header, because there would never be one).

> -----Ursprüngliche Nachricht-----
> Von: André Warnier (tomcat) []
> Gesendet: Mittwoch, 28. Oktober 2015 10:26
> An:
> Betreff: Re: Suppress or replace WWW-Authorization header
> Hi.
> On 28.10.2015 09:36, Torsten Rieger wrote:
>> Hi,
>> I try to suppress the browser login-dialog on basic authentication
>> (basic is a legacy requirement), how can I do that? Filters are called
>> after login on the container, right?
> I am not sure that I understand exactly what you mean here, and I certainly
> do not understand
>    the purpose of what you are trying to do, but here is some informaytion
> that may help :
> The general authentication logic in HTTP works (roughly) as follows :
> 1) the browser sends a request to the server, for some resource (HTML page
> or else)
> 2) the server checks if access to the requested resource resource requires
> authentication/authorization.
> If not, go to 8
> 3) (if yes) : the server checks if the requesst already contains an
> authentication of the required type, and if yes, if it is valid.
> If yes, go to 8
> 4) (if not) : the server returns a status code 401 (authorization required)
> to the browser, along with *the kind of authentication* required (this is
> defined in the server configuration for that resource)
> 5) the browser obtains the required authentication credentials (in a way
> which depends on the type of AAA required)
> 6) the browser repeats the request to the server, this time providing the
> required credentials, in the form corresponding to what the server indicated
> in (4).
> 7) back to (2) above.
> 8) the server returns the requested resource.
> Now your case is apparently so that at step (4) above, the 401 response that
> the server sends back to the browser, specifies "HTTP Basic" as the
> requested form of authentication/credentials.
> In such a case, the browser (all browsers), at step (5), *will* popup a
> Basic authentication dialog, and there is nothing that you can do about it.
> It is a behaviour that is built-in in all browsers, and it is what is
> expected of them.
> (In other words also, this dialog is not something that is sent by the
> server, so you cannot "filter it out").
> The only way to avoid such a dialog in the browser, is at the level of the
> server, ensuring that the 401 responses do not specify "Basic" as the
> requested authentication method.
> If the above does not answer yopur question, please provide more details
> about what you are trying to do, and the purpose of it.
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message