tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: AW: Suppress or replace WWW-Authorization header
Date Wed, 28 Oct 2015 19:24:30 GMT
Chris,

On 10/28/15 11:55 AM, chris derham wrote:
>> No, container BASIC authentication should be enabled, the container should
>> handle the authentication, but the browser should not show its ugly default
>> login dialog when I request resources from the REST-service with wrong
>> credentials.
>> When the REST-client (web-application in the browser) receives a failed
>> login with a WWW-Authenticate header, the default dialog of the browser will
>> be shown... that’s what I want to suppress.
>>
>> When I remove the (a) <login-config> or (b) <auth-method>, sending requests
>> with credentials will not work anymore (a: 403 forbidden; b: deployment
>> fails). But that's not a solution because the rest-service should still be
>> protected and I need to send credentials via the "Authentication: Basic ....."
>> header, but I don't want to show the ugly browser-dialog to
>> the users.
>>
>> Using an AngularJS client with REST-services based on tomcat should be a
>> common use-case, it could not be that I'm the first one who wants a custom
>> login-screen. :-/
>>
>> -torsten
> 
> Torsten,
> 
> Add an interceptor to AngularJS to detect the 401 and do whatever you
> want, e.g. redirect to a login page. Then when you have the
> credentials, submit to login rest api, get a token, and then make all
> other calls passing this token.
> 
> There are loads of examples on how to do this on the internet. This
> isn't tomcat specific.
> 
> function globalInterceptorResponse($injector, $q) {
>     return {
>         'response': function (response) {
>             return response;
>         },
>         'responseError': function (rejection) {
>             switch (rejection.status) {
>                 // ...
>                 case 401:
>                     console.warn("Hit 401 - redirecting to login");
>                     window.location = '/login';
>                     break;
>                 // ...
>                 default:
>                     console.warn(rejection);
>             }
>             return $q.reject(rejection);
>         }
>     };
> }
> globalInterceptorResponse.$inject = ['$injector', '$q'];
> 
> then in request config,
> 
> $httpProvider.interceptors.push(globalInterceptorResponse);

This won't work because the application doesn't get a chance to do
anything until Tomcat completes its authentication/authorization work.
If the application were handling the authentication/authorization, then
the original Filter would have worked.

-chris
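
Added example, not part of the original message and not Tomcat's own code: a simplified JavaScript model of the server-side ordering described above, in which the container's authenticator runs before the application's filter chain, so a filter that strips `WWW-Authenticate` never sees the container's 401. All function names, the realm and the credentials are constructed for illustration.

```javascript
// Simplified model (constructed for illustration) of request ordering in a
// servlet container: the container's authenticator runs first, and the
// application's filter chain only runs if the authenticator admits the request.

const VALID = 'Basic ' + Buffer.from('user:secret').toString('base64'); // constructed credentials
const CHALLENGE = 'Basic realm="demo"';                                  // constructed realm

// Application-level filter: tries to strip WWW-Authenticate from the response.
function stripChallengeFilter(req, res, next) {
  next(req, res);
  res.trace.push('filter');
  delete res.headers['WWW-Authenticate'];
}

// Protected resource. When appHandlesAuth is true it checks credentials itself.
function makeResource(appHandlesAuth) {
  return function resource(req, res) {
    res.trace.push('resource');
    if (appHandlesAuth && req.headers.Authorization !== VALID) {
      res.status = 401;
      res.headers['WWW-Authenticate'] = CHALLENGE;
      return;
    }
    res.status = 200;
  };
}

// Container-level authenticator: rejects before any application code runs.
function containerAuthenticator(req, res, next) {
  res.trace.push('authenticator');
  if (req.headers.Authorization !== VALID) {
    res.status = 401;
    res.headers['WWW-Authenticate'] = CHALLENGE;
    return; // short-circuit: the filter chain is never invoked
  }
  next(req, res);
}

// Run one request through the model and return the resulting response.
function handle(headers, containerAuth) {
  const req = { headers };
  const res = { status: 0, headers: {}, trace: [] };
  const app = (rq, rs) => stripChallengeFilter(rq, rs, makeResource(!containerAuth));
  if (containerAuth) containerAuthenticator(req, res, app);
  else app(req, res);
  return res;
}
```

With container authentication, `handle({}, true)` returns a 401 that still carries the challenge header and a trace containing only the authenticator; with application-handled authentication, `handle({}, false)` returns a 401 whose challenge header the filter has removed.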
