tomcat-users mailing list archives

From Aurélien Terrestris <aterrest...@gmail.com>
Subject Re: AW: Suppress or replace WWW-Authorization header
Date Wed, 28 Oct 2015 15:45:26 GMT
You can choose between a pop-up and an HTML FORM.

This one looks like this in web.xml:

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>webapp global realm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error_login.jsp</form-error-page>
    </form-login-config>
  </login-config>




2015-10-28 16:28 GMT+01:00 Torsten Rieger <torsten.rieger@promatis.de>:

> -----Original Message-----
> From: Christopher Schultz [mailto:chris@christopherschultz.net]
> Sent: Wednesday, 28 October 2015 15:39
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: AW: Suppress or replace WWW-Authorization header
>
> Torsten,
>
> On 10/28/15 8:19 AM, Torsten Rieger wrote:
> > I have a legacy java-SOAP-client that only supports BASIC
> > authentication (send the Authorization: Basic... header) and an
> > AngularJS application that consumes a REST-service (also sending the
> > Authorization: Basic header).
> >
> > The server supports two kinds of deployment: Standalone with an
> > embedded Jetty-server and as war-file for app-servers (most of them
> > are tomcat-server). I try to suppress the browser BASIC-login-dialog
> > for the REST-service-calls from AngularJS.
> > On Jetty I modify the 401-responses and replace the "WWW-Authenticate"
> > header by anything else than "BASIC" and that works, now I try to find
> > a solution for the deployment on tomcat servers.
> >
> > Rewrite (unset header in responses) with an apache proxy in front of
> > the tomcat is unfortunately not a solution I can implement.
> >
> > So I'm looking for a solution to remove or modify the headers in 401
> > responses on application server level.
>
> So you just want to disable HTTP BASIC authentication? Why not just remove
> the <auth-method> from web.xml and disable authentication entirely?
>
> Are you saying that when you connect using a REST client, the client shows
> a login dialog in a web browser? That sounds ... weird. The REST client
> should see the WWW-Authenticate header and either (a) fail or (b) re-try
> with credentials you have provided to it.
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
> No, container BASIC authentication should be enabled, the container should
> handle the authentication, but the browser should not show its ugly default
> login dialog when I request resources from the REST-service with wrong
> credentials.
> When the REST-client (web-application in the browser) receives a failed
> login with a WWW-Authenticate header, the default dialog of the browser
> will be shown... that’s what I want to suppress.
>
> When I remove the (a) <login-config> or (b) <auth-method> sending requests
> with credentials will not work anymore (a: 403 forbidden; b: deployment
> fails). But that's not a solution because the rest-service should be still
> protected and I need to authenticate via "Authentication: Basic ....."
> header send credentials, but I don't want to show the ugly browser-dialog
> to the users.
>
> Using an AngularJS client with REST-services based on tomcat should be a
> common use-case, it could not be that I'm the first one who wants a custom
> login-screen. :-/
>
> -torsten
>
>
>
