tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andy Wang <>
Subject Re: AW: AW: Suppress or replace WWW-Authorization header
Date Wed, 28 Oct 2015 17:49:13 GMT

On 10/28/2015 12:04 PM, André Warnier (tomcat) wrote:
>>>> The server supports two kinds of deployment: Standalone with an
>>>> embedded Jetty-server and as war-file for app-servers (most of them
>>>> are tomcat-server). I try to suppress the browser BASIC-login-dialog
>>>> for the REST-service-calls from AngularJS.
>>>> On Jetty I modify the 401-responses and replace the "WWW-Authenticate"
>>>> header by anything else than "BASIC" and that works, now I try to
>>>> find a solution for the deployment on tomcat servers.

[.. snipped ..]

> 1) if the server sends to the client an authentication header saying
> HTTP Basic, then the client will popup a builtin HTTP Basic dialog
> (which you do not want)
> 2) if the server sends to the client an authentication header saying
> something else, then the client cannot handle it
> 1 + 2 = solution impossible
> You mentioned before that with another server than Tomcat, you solved
> this apparently impossible problem.  Can you tell us how ?
> Or else, can you tell us which authentication methods, /apart/ from HTTP
> Basic, the client does support ?

I've seen the behavior that Torsten is attempting to achieve, but I 
think the issue is a fundamental lack of understanding of the protocol 
on his part.  This is assuming I'm understanding what he's trying to get at.

He's saying that in a regular http basic 401 exchange, if you remove the 
WWW-Authenticate header, it will actually prevent the some clients from 
popping up a dialog. I've seen this before with some clients.  I'm not 
sure if all clients react this way.  The hold HTTPClient (not the apache 
commons one, but one hosted on a .cz domain?  something like that.  This 
is along long time ago) had that behavior.  I admit I've never seen that 
behavior in a browser but never tried.

RFC 2617 states this:
The 401 (Unauthorized) response message is used by an origin server
    to challenge the authorization of a user agent. This response MUST
    include a WWW-Authenticate header field containing at least one
    challenge applicable to the requested resource.

I don't think it's unreasonable to assume state that tomcat (or just 
about any standards compliant web server) when serving up HTTP Basic 
authentication will provide a complete and valid response and nothing else.

I may be misunderstanding, but my interpretation is Torsten simply wants 
the client handling the RESTful service to never have to be accidentally 
prompted to authenticate.  If it screwed up and didn't send an 
Authorization header to begin with, then skip the www-authenticate 
header and hide the failure from the user.

If this is the case, I know of no way to do this short of
a) an intermediate proxy doing the work
b) creating your own authentication handler in tomcat to detect your 
user-agent and spit back custom 401 responses depending on the agent.


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message