tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier (tomcat)>
Subject Re: AW: Suppress or replace WWW-Authorization header
Date Wed, 28 Oct 2015 14:45:13 GMT
On 28.10.2015 15:39, Christopher Schultz wrote:
> Torsten,
> On 10/28/15 8:19 AM, Torsten Rieger wrote:
>> I have a legacy java-SOAP-client that only supports BASIC authentication
>> (send the Authorization: Basic... header) and a AngularJS application that
>> consumes a REST-service (also sending the Authorization: Basic header).
>> The server supports two kinds of deployment: Standalone with an embedded
>> Jetty-server and as war-file for app-servers (most of them are
>> tomcat-server). I try to suppress the browser BASIC-login-dialog for the
>> REST-service-calls from AngularJS.
>> On Jetty I modify the 401-responses and replace the "WWW-Authenticate"
>> header by anything else than "BASIC" and that works, now I try to find a
>> solution for the deployment on tomcat servers.
>> Rewrite (unset header in responses) with an apache proxy in front of the
>> tomcat is unfortunately not a solution I can implement.
>> So I'm looking for a solution to remove or modify the headers in 401
>> responses on application server level.
> So you just want to disable HTTP BASIC authentication? Why not just
> remove the <auth-method> from web.xml and disable authentication entirely?
> Are you saying that when you connect using a REST client, the client
> shows a login dialog in a web browser? That sounds ... weird. The REST
> client should see the WWW-Authenticate header and either (a) fail or (b)
> re-try with credentials you have provided to it.

Yes, but if the SOAP-client is an applet in the browser, chances are that in order to 
collect the user credentials that it needs, it uses the internal browser mechanism, which

pops up the dialog to obtain these user credentials.
So not so weird necessarily.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message