Discussion:
Suppress or replace WWW-Authorization header
Torsten Rieger
2015-10-28 08:36:58 UTC
Permalink
Hi,



I try to suppress the browser login-dialog on basic authentication (basic
is a legacy requirement), how can I do that? Filters are called after login
on the container, right?



Regards,

Torsten
André Warnier (tomcat)
2015-10-28 09:25:44 UTC
Permalink
Hi.
Post by Torsten Rieger
Hi,
I try to suppress the browser login-dialog on basic authentication (basic
is a legacy requirement), how can I do that? Filters are called after login
on the container, right?
I am not sure that I understand exactly what you mean here, and I certainly do not understand
the purpose of what you are trying to do, but here is some informaytion that may help :

The general authentication logic in HTTP works (roughly) as follows :

1) the browser sends a request to the server, for some resource (HTML page or else)
2) the server checks if access to the requested resource resource requires
authentication/authorization.
If not, go to 8
3) (if yes) : the server checks if the requesst already contains an authentication of the
required type, and if yes, if it is valid.
If yes, go to 8
4) (if not) : the server returns a status code 401 (authorization required) to the
browser, along with *the kind of authentication* required (this is defined in the server
configuration for that resource)
5) the browser obtains the required authentication credentials (in a way which depends on
the type of AAA required)
6) the browser repeats the request to the server, this time providing the required
credentials, in the form corresponding to what the server indicated in (4).
7) back to (2) above.

8) the server returns the requested resource.

Now your case is apparently so that at step (4) above, the 401 response that the server
sends back to the browser, specifies "HTTP Basic" as the requested form of
authentication/credentials.
In such a case, the browser (all browsers), at step (5), *will* popup a Basic
authentication dialog, and there is nothing that you can do about it. It is a behaviour
that is built-in in all browsers, and it is what is expected of them.
(In other words also, this dialog is not something that is sent by the server, so you
cannot "filter it out").

The only way to avoid such a dialog in the browser, is at the level of the server,
ensuring that the 401 responses do not specify "Basic" as the requested authentication method.

If the above does not answer yopur question, please provide more details about what you
are trying to do, and the purpose of it.



---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
Torsten Rieger
2015-10-28 12:19:03 UTC
Permalink
I have a legacy java-SOAP-client that only supports BASIC authentication
(send the Authorization: Basic... header) and a AngularJS application that
consumes a REST-service (also sending the Authorization: Basic header).

The server supports two kinds of deployment: Standalone with an embedded
Jetty-server and as war-file for app-servers (most of them are
tomcat-server). I try to suppress the browser BASIC-login-dialog for the
REST-service-calls from AngularJS.
On Jetty I modify the 401-responses and replace the "WWW-Authenticate"
header by anything else than "BASIC" and that works, now I try to find a
solution for the deployment on tomcat servers.

Rewrite (unset header in responses) with an apache proxy in front of the
tomcat is unfortunately not a solution I can implement.

So I'm looking for a solution to remove or modify the headers in 401
responses on application server level.

-----Ursprüngliche Nachricht-----
Von: André Warnier (tomcat) [mailto:***@ice-sa.com]
Gesendet: Mittwoch, 28. Oktober 2015 10:26
An: ***@tomcat.apache.org
Betreff: Re: Suppress or replace WWW-Authorization header

Hi.
Post by Torsten Rieger
Hi,
I try to suppress the browser login-dialog on basic authentication
(basic is a legacy requirement), how can I do that? Filters are called
after login on the container, right?
I am not sure that I understand exactly what you mean here, and I certainly
do not understand
the purpose of what you are trying to do, but here is some informaytion
that may help :

The general authentication logic in HTTP works (roughly) as follows :

1) the browser sends a request to the server, for some resource (HTML page
or else)
2) the server checks if access to the requested resource resource requires
authentication/authorization.
If not, go to 8
3) (if yes) : the server checks if the requesst already contains an
authentication of the required type, and if yes, if it is valid.
If yes, go to 8
4) (if not) : the server returns a status code 401 (authorization required)
to the browser, along with *the kind of authentication* required (this is
defined in the server configuration for that resource)
5) the browser obtains the required authentication credentials (in a way
which depends on the type of AAA required)
6) the browser repeats the request to the server, this time providing the
required credentials, in the form corresponding to what the server indicated
in (4).
7) back to (2) above.

8) the server returns the requested resource.

Now your case is apparently so that at step (4) above, the 401 response that
the server sends back to the browser, specifies "HTTP Basic" as the
requested form of authentication/credentials.
In such a case, the browser (all browsers), at step (5), *will* popup a
Basic authentication dialog, and there is nothing that you can do about it.
It is a behaviour that is built-in in all browsers, and it is what is
expected of them.
(In other words also, this dialog is not something that is sent by the
server, so you cannot "filter it out").

The only way to avoid such a dialog in the browser, is at the level of the
server, ensuring that the 401 responses do not specify "Basic" as the
requested authentication method.

If the above does not answer yopur question, please provide more details
about what you are trying to do, and the purpose of it.



---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org

---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
André Warnier (tomcat)
2015-10-28 13:05:44 UTC
Permalink
Hi.

on this list, as per http://tomcat.apache.org/lists.html#tomcat-users #6 ,
it is preferred if you respond below the question being asked (or the previous response)
rather than on top.
(The main reason being that it is easier that way to follow the normal gist of the
conversation, rather than having to scroll back and forth to figure out what you are
responding to.)
Post by Torsten Rieger
I have a legacy java-SOAP-client that only supports BASIC authentication
(send the Authorization: Basic... header) and a AngularJS application that
consumes a REST-service (also sending the Authorization: Basic header).
The server supports two kinds of deployment: Standalone with an embedded
Jetty-server and as war-file for app-servers (most of them are
tomcat-server). I try to suppress the browser BASIC-login-dialog for the
REST-service-calls from AngularJS.
On Jetty I modify the 401-responses and replace the "WWW-Authenticate"
header by anything else than "BASIC" and that works, now I try to find a
solution for the deployment on tomcat servers.
Can you copy and paste here the WEB-INF/web.xml of that server application ?
(remove any sensitive data).

There is probably a way to do this via configuration in Tomcat (I haven't looked it up),
but you could also have a look at a standard workhorse for this kind of thing : the
UrlRewriteFilter (http://tuckey.org/urlrewrite/). It might provide a way to do this.
(I have not really checked it either, but this looks promising :
http://cdn.rawgit.com/paultuckey/urlrewritefilter/master/src/doc/manual/4.0/index.html#outbound-rule
See the <set> response-header part.
)
Post by Torsten Rieger
Rewrite (unset header in responses) with an apache proxy in front of the
tomcat is unfortunately not a solution I can implement.
So I'm looking for a solution to remove or modify the headers in 401
responses on application server level.
One thing which is still not clear : do you really want to remove/replace that header, or
do you just want that this application would not request authentication at all ?
(Then there would be no need to play with the 401 header, because there would never be one).
Post by Torsten Rieger
-----Ursprüngliche Nachricht-----
Gesendet: Mittwoch, 28. Oktober 2015 10:26
Betreff: Re: Suppress or replace WWW-Authorization header
Hi.
Post by Torsten Rieger
Hi,
I try to suppress the browser login-dialog on basic authentication
(basic is a legacy requirement), how can I do that? Filters are called
after login on the container, right?
I am not sure that I understand exactly what you mean here, and I certainly
do not understand
1) the browser sends a request to the server, for some resource (HTML page or else)
2) the server checks if access to the requested resource resource requires
authentication/authorization.
If not, go to 8
3) (if yes) : the server checks if the requesst already contains an
authentication of the required type, and if yes, if it is valid.
If yes, go to 8
4) (if not) : the server returns a status code 401 (authorization required)
to the browser, along with *the kind of authentication* required (this is
defined in the server configuration for that resource)
5) the browser obtains the required authentication credentials (in a way
which depends on the type of AAA required)
6) the browser repeats the request to the server, this time providing the
required credentials, in the form corresponding to what the server indicated
in (4).
7) back to (2) above.
8) the server returns the requested resource.
Now your case is apparently so that at step (4) above, the 401 response that
the server sends back to the browser, specifies "HTTP Basic" as the
requested form of authentication/credentials.
In such a case, the browser (all browsers), at step (5), *will* popup a
Basic authentication dialog, and there is nothing that you can do about it.
It is a behaviour that is built-in in all browsers, and it is what is
expected of them.
(In other words also, this dialog is not something that is sent by the
server, so you cannot "filter it out").
The only way to avoid such a dialog in the browser, is at the level of the
server, ensuring that the 401 responses do not specify "Basic" as the
requested authentication method.
If the above does not answer yopur question, please provide more details
about what you are trying to do, and the purpose of it.
---------------------------------------------------------------------
---------------------------------------------------------------------
---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
Christopher Schultz
2015-10-28 14:39:20 UTC
Permalink
Torsten,
Post by Torsten Rieger
I have a legacy java-SOAP-client that only supports BASIC authentication
(send the Authorization: Basic... header) and a AngularJS application that
consumes a REST-service (also sending the Authorization: Basic header).
The server supports two kinds of deployment: Standalone with an embedded
Jetty-server and as war-file for app-servers (most of them are
tomcat-server). I try to suppress the browser BASIC-login-dialog for the
REST-service-calls from AngularJS.
On Jetty I modify the 401-responses and replace the "WWW-Authenticate"
header by anything else than "BASIC" and that works, now I try to find a
solution for the deployment on tomcat servers.
Rewrite (unset header in responses) with an apache proxy in front of the
tomcat is unfortunately not a solution I can implement.
So I'm looking for a solution to remove or modify the headers in 401
responses on application server level.
So you just want to disable HTTP BASIC authentication? Why not just
remove the <auth-method> from web.xml and disable authentication entirely?

Are you saying that when you connect using a REST client, the client
shows a login dialog in a web browser? That sounds ... weird. The REST
client should see the WWW-Authenticate header and either (a) fail or (b)
re-try with credentials you have provided to it.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
André Warnier (tomcat)
2015-10-28 14:45:13 UTC
Permalink
Post by Christopher Schultz
Torsten,
Post by Torsten Rieger
I have a legacy java-SOAP-client that only supports BASIC authentication
(send the Authorization: Basic... header) and a AngularJS application that
consumes a REST-service (also sending the Authorization: Basic header).
The server supports two kinds of deployment: Standalone with an embedded
Jetty-server and as war-file for app-servers (most of them are
tomcat-server). I try to suppress the browser BASIC-login-dialog for the
REST-service-calls from AngularJS.
On Jetty I modify the 401-responses and replace the "WWW-Authenticate"
header by anything else than "BASIC" and that works, now I try to find a
solution for the deployment on tomcat servers.
Rewrite (unset header in responses) with an apache proxy in front of the
tomcat is unfortunately not a solution I can implement.
So I'm looking for a solution to remove or modify the headers in 401
responses on application server level.
So you just want to disable HTTP BASIC authentication? Why not just
remove the <auth-method> from web.xml and disable authentication entirely?
Are you saying that when you connect using a REST client, the client
shows a login dialog in a web browser? That sounds ... weird. The REST
client should see the WWW-Authenticate header and either (a) fail or (b)
re-try with credentials you have provided to it.
Yes, but if the SOAP-client is an applet in the browser, chances are that in order to
collect the user credentials that it needs, it uses the internal browser mechanism, which
pops up the dialog to obtain these user credentials.
So not so weird necessarily.



---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
Torsten Rieger
2015-10-28 15:28:25 UTC
Permalink
-----Ursprüngliche Nachricht-----
Von: Christopher Schultz [mailto:***@christopherschultz.net]
Gesendet: Mittwoch, 28. Oktober 2015 15:39
An: Tomcat Users List <***@tomcat.apache.org>
Betreff: Re: AW: Suppress or replace WWW-Authorization header

Torsten,
Post by Torsten Rieger
I have a legacy java-SOAP-client that only supports BASIC
authentication (send the Authorization: Basic... header) and a
AngularJS application that consumes a REST-service (also sending the
Authorization: Basic header).
The server supports two kinds of deployment: Standalone with an
embedded Jetty-server and as war-file for app-servers (most of them
are tomcat-server). I try to suppress the browser BASIC-login-dialog
for the REST-service-calls from AngularJS.
On Jetty I modify the 401-responses and replace the "WWW-Authenticate"
header by anything else than "BASIC" and that works, now I try to find
a solution for the deployment on tomcat servers.
Rewrite (unset header in responses) with an apache proxy in front of
the tomcat is unfortunately not a solution I can implement.
So I'm looking for a solution to remove or modify the headers in 401
responses on application server level.
So you just want to disable HTTP BASIC authentication? Why not just remove
the <auth-method> from web.xml and disable authentication entirely?

Are you saying that when you connect using a REST client, the client shows a
login dialog in a web browser? That sounds ... weird. The REST client should
see the WWW-Authenticate header and either (a) fail or (b) re-try with
credentials you have provided to it.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org

No, container BASIC authentication should be enabled, the container should
handle the authentication, but the browser should not show his ugly default
login dialog when I request resources from the REST-service with wrong
credentials.
When the REST-client (web-application in the browser) receives a failed
login with a WWW-Authenticate header, the default dialog of the browser will
be shown... that’s what I want to suppress.

When I remove the (a) <login-config> or (b) <auth-method> sending requests
with credentials will not work anymore (a: 403 forbidden; b: deployment
fails). But that's not a solution because the rest-service should be still
protected and I need to authenticate via "Authentication: Basic ....."
header send credentials, but I don't want to show the ugly browser-dialog to
the users.

Using a AngularJS Client with REST-services based on tomcat should be a
common use-case, it could not be that I'm the first one who wants a custom
login-screen. :-/

-torsten

---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
Aurélien Terrestris
2015-10-28 15:45:26 UTC
Permalink
You can choose between a pop-up or an HTML FORM

This one looks like this in web.xml :

<login-config>
<auth-method>FORM</auth-method>
<realm-name>webapp global realm</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/error_login.jsp</form-error-page>
</form-login-config>
</login-config>
-----UrsprÃŒngliche Nachricht-----
Gesendet: Mittwoch, 28. Oktober 2015 15:39
Betreff: Re: AW: Suppress or replace WWW-Authorization header
Torsten,
Post by Torsten Rieger
I have a legacy java-SOAP-client that only supports BASIC
authentication (send the Authorization: Basic... header) and a
AngularJS application that consumes a REST-service (also sending the
Authorization: Basic header).
The server supports two kinds of deployment: Standalone with an
embedded Jetty-server and as war-file for app-servers (most of them
are tomcat-server). I try to suppress the browser BASIC-login-dialog
for the REST-service-calls from AngularJS.
On Jetty I modify the 401-responses and replace the "WWW-Authenticate"
header by anything else than "BASIC" and that works, now I try to find
a solution for the deployment on tomcat servers.
Rewrite (unset header in responses) with an apache proxy in front of
the tomcat is unfortunately not a solution I can implement.
So I'm looking for a solution to remove or modify the headers in 401
responses on application server level.
So you just want to disable HTTP BASIC authentication? Why not just remove
the <auth-method> from web.xml and disable authentication entirely?
Are you saying that when you connect using a REST client, the client shows a
login dialog in a web browser? That sounds ... weird. The REST client should
see the WWW-Authenticate header and either (a) fail or (b) re-try with
credentials you have provided to it.
-chris
---------------------------------------------------------------------
No, container BASIC authentication should be enabled, the container should
handle the authentication, but the browser should not show his ugly default
login dialog when I request resources from the REST-service with wrong
credentials.
When the REST-client (web-application in the browser) receives a failed
login with a WWW-Authenticate header, the default dialog of the browser will
be shown... that’s what I want to suppress.
When I remove the (a) <login-config> or (b) <auth-method> sending requests
with credentials will not work anymore (a: 403 forbidden; b: deployment
fails). But that's not a solution because the rest-service should be still
protected and I need to authenticate via "Authentication: Basic ....."
header send credentials, but I don't want to show the ugly browser-dialog to
the users.
Using a AngularJS Client with REST-services based on tomcat should be a
common use-case, it could not be that I'm the first one who wants a custom
login-screen. :-/
-torsten
---------------------------------------------------------------------
Torsten Rieger
2015-10-28 16:42:48 UTC
Permalink
-----Ursprüngliche Nachricht-----
Von: Aurélien Terrestris [mailto:***@gmail.com]
Gesendet: Mittwoch, 28. Oktober 2015 16:45
An: Tomcat Users List <***@tomcat.apache.org>
Betreff: Re: AW: Suppress or replace WWW-Authorization header

You can choose between a pop-up or an HTML FORM

This one looks like this in web.xml :

<login-config>
<auth-method>FORM</auth-method>
<realm-name>webapp global realm</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/error_login.jsp</form-error-page>
</form-login-config>
</login-config>
Post by Torsten Rieger
-----Ursprüngliche Nachricht-----
Gesendet: Mittwoch, 28. Oktober 2015 15:39
Betreff: Re: AW: Suppress or replace WWW-Authorization header
Torsten,
Post by Torsten Rieger
I have a legacy java-SOAP-client that only supports BASIC
authentication (send the Authorization: Basic... header) and a
AngularJS application that consumes a REST-service (also sending the
Authorization: Basic header).
The server supports two kinds of deployment: Standalone with an
embedded Jetty-server and as war-file for app-servers (most of them
are tomcat-server). I try to suppress the browser BASIC-login-dialog
for the REST-service-calls from AngularJS.
On Jetty I modify the 401-responses and replace the "WWW-Authenticate"
header by anything else than "BASIC" and that works, now I try to
find a solution for the deployment on tomcat servers.
Rewrite (unset header in responses) with an apache proxy in front of
the tomcat is unfortunately not a solution I can implement.
So I'm looking for a solution to remove or modify the headers in 401
responses on application server level.
So you just want to disable HTTP BASIC authentication? Why not just
remove the <auth-method> from web.xml and disable authentication entirely?
Are you saying that when you connect using a REST client, the client
shows a login dialog in a web browser? That sounds ... weird. The REST
client should see the WWW-Authenticate header and either (a) fail or
(b) re-try with credentials you have provided to it.
-chris
---------------------------------------------------------------------
No, container BASIC authentication should be enabled, the container
should handle the authentication, but the browser should not show his
ugly default login dialog when I request resources from the
REST-service with wrong credentials.
When the REST-client (web-application in the browser) receives a
failed login with a WWW-Authenticate header, the default dialog of the
browser will be shown... that’s what I want to suppress.
When I remove the (a) <login-config> or (b) <auth-method> sending
deployment fails). But that's not a solution because the rest-service
Basic ....."
header send credentials, but I don't want to show the ugly
browser-dialog to the users.
Using a AngularJS Client with REST-services based on tomcat should be
a common use-case, it could not be that I'm the first one who wants a
custom login-screen. :-/
-torsten
---------------------------------------------------------------------
The Problem is then, that login via "Authorization: BASIC xyz==" will not
work anymore... the legacy client is not able to handle FORM based login :-/

---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
André Warnier (tomcat)
2015-10-28 17:04:31 UTC
Permalink
Post by Torsten Rieger
-----Ursprüngliche Nachricht-----
Gesendet: Mittwoch, 28. Oktober 2015 16:45
Betreff: Re: AW: Suppress or replace WWW-Authorization header
You can choose between a pop-up or an HTML FORM
<login-config>
<auth-method>FORM</auth-method>
<realm-name>webapp global realm</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/error_login.jsp</form-error-page>
</form-login-config>
</login-config>
Post by Torsten Rieger
-----Ursprüngliche Nachricht-----
Gesendet: Mittwoch, 28. Oktober 2015 15:39
Betreff: Re: AW: Suppress or replace WWW-Authorization header
Torsten,
Post by Torsten Rieger
I have a legacy java-SOAP-client that only supports BASIC
authentication (send the Authorization: Basic... header) and a
AngularJS application that consumes a REST-service (also sending the
Authorization: Basic header).
The server supports two kinds of deployment: Standalone with an
embedded Jetty-server and as war-file for app-servers (most of them
are tomcat-server). I try to suppress the browser BASIC-login-dialog
for the REST-service-calls from AngularJS.
On Jetty I modify the 401-responses and replace the "WWW-Authenticate"
header by anything else than "BASIC" and that works, now I try to
find a solution for the deployment on tomcat servers.
Rewrite (unset header in responses) with an apache proxy in front of
the tomcat is unfortunately not a solution I can implement.
So I'm looking for a solution to remove or modify the headers in 401
responses on application server level.
So you just want to disable HTTP BASIC authentication? Why not just
remove the <auth-method> from web.xml and disable authentication entirely?
Are you saying that when you connect using a REST client, the client
shows a login dialog in a web browser? That sounds ... weird. The REST
client should see the WWW-Authenticate header and either (a) fail or
(b) re-try with credentials you have provided to it.
-chris
---------------------------------------------------------------------
No, container BASIC authentication should be enabled, the container
should handle the authentication, but the browser should not show his
ugly default login dialog when I request resources from the
REST-service with wrong credentials.
When the REST-client (web-application in the browser) receives a
failed login with a WWW-Authenticate header, the default dialog of the
browser will be shown... that’s what I want to suppress.
When I remove the (a) <login-config> or (b) <auth-method> sending
deployment fails). But that's not a solution because the rest-service
Basic ....."
header send credentials, but I don't want to show the ugly
browser-dialog to the users.
Using a AngularJS Client with REST-services based on tomcat should be
a common use-case, it could not be that I'm the first one who wants a
custom login-screen. :-/
Torsten,
the people answering on this list are generally competent and helpful.
But they are not magicians. You seem (so far) to be asking something impossible.
1) if the server sends to the client an authentication header saying HTTP Basic, then the
client will popup a builtin HTTP Basic dialog (which you do not want)
2) if the server sends to the client an authentication header saying something else, then
the client cannot handle it

1 + 2 = solution impossible

You mentioned before that with another server than Tomcat, you solved this apparently
impossible problem. Can you tell us how ?

Or else, can you tell us which authentication methods, /apart/ from HTTP Basic, the client
does support ?



---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
Andy Wang
2015-10-28 17:49:13 UTC
Permalink
Post by André Warnier (tomcat)
Post by Torsten Rieger
The server supports two kinds of deployment: Standalone with an
embedded Jetty-server and as war-file for app-servers (most of them
are tomcat-server). I try to suppress the browser BASIC-login-dialog
for the REST-service-calls from AngularJS.
On Jetty I modify the 401-responses and replace the "WWW-Authenticate"
header by anything else than "BASIC" and that works, now I try to
find a solution for the deployment on tomcat servers.
[.. snipped ..]
Post by André Warnier (tomcat)
1) if the server sends to the client an authentication header saying
HTTP Basic, then the client will popup a builtin HTTP Basic dialog
(which you do not want)
2) if the server sends to the client an authentication header saying
something else, then the client cannot handle it
1 + 2 = solution impossible
You mentioned before that with another server than Tomcat, you solved
this apparently impossible problem. Can you tell us how ?
Or else, can you tell us which authentication methods, /apart/ from HTTP
Basic, the client does support ?
I've seen the behavior that Torsten is attempting to achieve, but I
think the issue is a fundamental lack of understanding of the protocol
on his part. This is assuming I'm understanding what he's trying to get at.

He's saying that in a regular http basic 401 exchange, if you remove the
WWW-Authenticate header, it will actually prevent the some clients from
popping up a dialog. I've seen this before with some clients. I'm not
sure if all clients react this way. The hold HTTPClient (not the apache
commons one, but one hosted on a .cz domain? something like that. This
is along long time ago) had that behavior. I admit I've never seen that
behavior in a browser but never tried.

RFC 2617 states this:
The 401 (Unauthorized) response message is used by an origin server
to challenge the authorization of a user agent. This response MUST
include a WWW-Authenticate header field containing at least one
challenge applicable to the requested resource.

I don't think it's unreasonable to assume state that tomcat (or just
about any standards compliant web server) when serving up HTTP Basic
authentication will provide a complete and valid response and nothing else.

I may be misunderstanding, but my interpretation is Torsten simply wants
the client handling the RESTful service to never have to be accidentally
prompted to authenticate. If it screwed up and didn't send an
Authorization header to begin with, then skip the www-authenticate
header and hide the failure from the user.

If this is the case, I know of no way to do this short of
a) an intermediate proxy doing the work
b) creating your own authentication handler in tomcat to detect your
user-agent and spit back custom 401 responses depending on the agent.

Andy

---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
George Stanchev
2015-10-28 18:04:16 UTC
Permalink
Post by Torsten Rieger
-----Ursprüngliche Nachricht-----
Gesendet: Mittwoch, 28. Oktober 2015 16:45
Betreff: Re: AW: Suppress or replace WWW-Authorization header
You can choose between a pop-up or an HTML FORM
<login-config>
<auth-method>FORM</auth-method>
<realm-name>webapp global realm</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/error_login.jsp</form-error-page>
</form-login-config>
</login-config>
Post by Torsten Rieger
-----Ursprüngliche Nachricht-----
Gesendet: Mittwoch, 28. Oktober 2015 15:39
Betreff: Re: AW: Suppress or replace WWW-Authorization header
Torsten,
Post by Torsten Rieger
I have a legacy java-SOAP-client that only supports BASIC
authentication (send the Authorization: Basic... header) and a
AngularJS application that consumes a REST-service (also sending the
Authorization: Basic header).
The server supports two kinds of deployment: Standalone with an
embedded Jetty-server and as war-file for app-servers (most of them
are tomcat-server). I try to suppress the browser BASIC-login-dialog
for the REST-service-calls from AngularJS.
On Jetty I modify the 401-responses and replace the "WWW-Authenticate"
header by anything else than "BASIC" and that works, now I try to
find a solution for the deployment on tomcat servers.
Rewrite (unset header in responses) with an apache proxy in front of
the tomcat is unfortunately not a solution I can implement.
So I'm looking for a solution to remove or modify the headers in 401
responses on application server level.
So you just want to disable HTTP BASIC authentication? Why not just
remove the <auth-method> from web.xml and disable authentication entirely?
Are you saying that when you connect using a REST client, the client
shows a login dialog in a web browser? That sounds ... weird. The
REST client should see the WWW-Authenticate header and either (a)
fail or
(b) re-try with credentials you have provided to it.
-chris
---------------------------------------------------------------------
No, container BASIC authentication should be enabled, the container
should handle the authentication, but the browser should not show his
ugly default login dialog when I request resources from the
REST-service with wrong credentials.
When the REST-client (web-application in the browser) receives a
failed login with a WWW-Authenticate header, the default dialog of
the browser will be shown... that’s what I want to suppress.
When I remove the (a) <login-config> or (b) <auth-method> sending
deployment fails). But that's not a solution because the rest-service
Basic ....."
header send credentials, but I don't want to show the ugly
browser-dialog to the users.
Using a AngularJS Client with REST-services based on tomcat should be
a common use-case, it could not be that I'm the first one who wants a
custom login-screen. :-/
<quote>
Torsten,
the people answering on this list are generally competent and helpful.
But they are not magicians. You seem (so far) to be asking something impossible.
1) if the server sends to the client an authentication header saying HTTP Basic, then the client will popup a builtin HTTP Basic dialog (which you do not want)
2) if the server sends to the client an authentication header saying something else, then the client cannot handle it

1 + 2 = solution impossible

You mentioned before that with another server than Tomcat, you solved this apparently impossible problem. Can you tell us how ?

Or else, can you tell us which authentication methods, /apart/ from HTTP Basic, the client does support ?
</quote>

Perhaps the OP wants this page [1]. It describes a technique which appears to do what he wants.

George


[1] https://www.freelock.com/2008/06/technical-note-http-auth-with-ajax

---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-m
André Warnier (tomcat)
2015-10-28 19:41:30 UTC
Permalink
Post by Torsten Rieger
-----Ursprüngliche Nachricht-----
Gesendet: Mittwoch, 28. Oktober 2015 16:45
Betreff: Re: AW: Suppress or replace WWW-Authorization header
You can choose between a pop-up or an HTML FORM
<login-config>
<auth-method>FORM</auth-method>
<realm-name>webapp global realm</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/error_login.jsp</form-error-page>
</form-login-config>
</login-config>
Post by Torsten Rieger
-----Ursprüngliche Nachricht-----
Gesendet: Mittwoch, 28. Oktober 2015 15:39
Betreff: Re: AW: Suppress or replace WWW-Authorization header
Torsten,
Post by Torsten Rieger
I have a legacy java-SOAP-client that only supports BASIC
authentication (send the Authorization: Basic... header) and a
AngularJS application that consumes a REST-service (also sending the
Authorization: Basic header).
The server supports two kinds of deployment: Standalone with an
embedded Jetty-server and as war-file for app-servers (most of them
are tomcat-server). I try to suppress the browser BASIC-login-dialog
for the REST-service-calls from AngularJS.
On Jetty I modify the 401-responses and replace the "WWW-Authenticate"
header by anything else than "BASIC" and that works, now I try to
find a solution for the deployment on tomcat servers.
Rewrite (unset header in responses) with an apache proxy in front of
the tomcat is unfortunately not a solution I can implement.
So I'm looking for a solution to remove or modify the headers in 401
responses on application server level.
So you just want to disable HTTP BASIC authentication? Why not just
remove the <auth-method> from web.xml and disable authentication entirely?
Are you saying that when you connect using a REST client, the client
shows a login dialog in a web browser? That sounds ... weird. The REST
client should see the WWW-Authenticate header and either (a) fail or
(b) re-try with credentials you have provided to it.
-chris
---------------------------------------------------------------------
No, container BASIC authentication should be enabled, the container
should handle the authentication, but the browser should not show his
ugly default login dialog when I request resources from the
REST-service with wrong credentials.
When the REST-client (web-application in the browser) receives a
failed login with a WWW-Authenticate header, the default dialog of the
browser will be shown... that’s what I want to suppress.
When I remove the (a) <login-config> or (b) <auth-method> sending
deployment fails). But that's not a solution because the rest-service
Basic ....."
header send credentials, but I don't want to show the ugly
browser-dialog to the users.
Using a AngularJS Client with REST-services based on tomcat should be
a common use-case, it could not be that I'm the first one who wants a
custom login-screen. :-/
-torsten
The Problem is then, that login via "Authorization: BASIC xyz==" will not
work anymore... the legacy client is not able to handle FORM based login :-/
Torsten, let me try again another way :

1)
Post by Torsten Rieger
Post by Torsten Rieger
Using a AngularJS Client with REST-services based on tomcat should be
a common use-case, it could not be that I'm the first one who wants a
custom login-screen. :-/
No, you probably are not. But *this has nothing to do with Tomcat per se*.
Any other webserver, in the same circumstances, would send a 401 back, with a request for
HTTP Basic authentication.
If, at the server level, you configure that for this application, you want HTTP Basic
authentication, then that is what you will get. It is not a choice of the server, it is
something *imposed* by the HTTP protocol.

If you want something else to happen, but still have the client be authenticated for that
application, then you have to change the authentication method required, at the server
level. No way around it.

2) If the browser receives a 401 response header which indicates that the requested
authentication method should be HTTP Basic, then it will popup its bultin HTTP Basic
authentication popup dialog. There is no easy way around this either, because this
behaviour is built-in into the code of all major browsers.
(Also because the HTTP protocol says that this is what the browser should do).
If you want this to be different, then you have to find a way to modify the browser-side
logic, so that it does not do that. Doing this is possible, but not easy (see some of the
other responses), and if not done correctly, it will be buggy and/or introduce security
issues.

3) all the responses which I have seen so far on this thread, are technically correct
considering the information which you have provided as to what you would like, and what
your client-side application can/cannot do.
But maybe here, we were all seeing the tree that you put in front of us, and for that
reason not seeing the forest behind it.

4) Setting the server-side to do authentication in a different way than HTTP Basic, does
not necessarily mean that your application cannot, overall, be authenticated.

The REST application on the server, presumably, does not care *how* the user is
authenticated. It just wants an authenticated user, no matter how that happens.
It gets the user-id from Tomcat (via request.getUser() or similar), *after* Tomcat has
taken care of the authentication. The way in which Tomcat obtains this user-id is not the
concern of the application. (At least, that is what a well-behaved application would do).

5) So let's do the authentication in another way, so that the client never even sees a 401
response from the server, and thus never pops up this dialog that you do not want to see.

At the server level, use the form-based authentication, like another poster here already
suggested.
What would happen then is as follows :

a) the browser sends a first request to the REST app, un-authenticated.
b) the server sees that this is not authenticated, and sends back to the browser, a login
form. Note that this is just a html page, that has nothing to do with the client-side
application. (Note : you create this login form, and save it on the server.
You just need to tell the server (in the web.xml of the REST application) where this login
form is.)
c) the human client fills-in the login form, and his browser posts it back to the server.
This goes to another URL on the server (e.g. "/login"), that is *not* the REST application.
d) on the server, the login application at "/login" authenticates the user and creates a
session, where this authenticated user-id is stored. It also sets the authenticated
user-id in the Tomcat request structure, for later usage.
The login application also prepares a "session-id" cookie, to be sent back to the browser
(later), which points to this saved session on the server.
e) The login application now redirects the browser, to the original URL that it was
requesting, before all this authentication stuff took place.
That is the REST application.
f) now the REST application gets called, and it can retrieve the user-id from Tomcat, as
promised. So it does its work, and sends back the response to the browser.
(Notice that there has never been a 401 response so far)
g) the browser gets the 1st response from the REST application. It also gets, at the same
time, the session-id cookie that was added by the authentication part.
h) if the browser now sends a second request to the REST application, this session-id
cookie will be re-sent to the server also.
i) the server now gets the new request, and the cookie. The server uses the cookie to
retrieve the saved session, including the user-id in it. The server uses this to set the
internal Tomcat user-id, and calls the REST application again.
j) the REST application starts working, and retrieves the user-id from Tomcat. So it is
happy, and sends back the next response.
Tomcat takes care that with this next response, the session-id cookie header is sent again
to the browser.
k) the browser sends another request to the server. Go to (h) above.

Notice : still no 401 Basic response header anywhere, so no browser-side Basic auth popup.
Notice also : the client-side application is never really involved in the authentication.
So whatever it supports or not, is not relevant here.

Note that all the above supposes that the client application on the browser side, does not
need to know that it is authenticated. But that is normally the case for client-side
applications.

Last note : in the a-k explanation above, I have taken some liberties with the intimate
details of how things happen on the server. I hope that the purists will forgive this bit
of poetic and tutorial license. Hopefully, it should allow Torsten to get going along the
right track, instead of pursuing mirages.



---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
Torsten Rieger
2015-10-30 22:33:07 UTC
Permalink
-----Ursprüngliche Nachricht-----
Von: André Warnier (tomcat) [mailto:***@ice-sa.com]
Gesendet: Mittwoch, 28. Oktober 2015 20:42
An: ***@tomcat.apache.org
Betreff: Re: AW: AW: Suppress or replace WWW-Authorization header
Post by Torsten Rieger
-----Ursprüngliche Nachricht-----
Gesendet: Mittwoch, 28. Oktober 2015 16:45
Betreff: Re: AW: Suppress or replace WWW-Authorization header
You can choose between a pop-up or an HTML FORM
<login-config>
<auth-method>FORM</auth-method>
<realm-name>webapp global realm</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/error_login.jsp</form-error-page>
</form-login-config>
</login-config>
Post by Torsten Rieger
-----Ursprüngliche Nachricht-----
Gesendet: Mittwoch, 28. Oktober 2015 15:39
Betreff: Re: AW: Suppress or replace WWW-Authorization header
Torsten,
Post by Torsten Rieger
I have a legacy java-SOAP-client that only supports BASIC
authentication (send the Authorization: Basic... header) and a
AngularJS application that consumes a REST-service (also sending the
Authorization: Basic header).
The server supports two kinds of deployment: Standalone with an
embedded Jetty-server and as war-file for app-servers (most of them
are tomcat-server). I try to suppress the browser BASIC-login-dialog
for the REST-service-calls from AngularJS.
On Jetty I modify the 401-responses and replace the "WWW-Authenticate"
header by anything else than "BASIC" and that works, now I try to
find a solution for the deployment on tomcat servers.
Rewrite (unset header in responses) with an apache proxy in front of
the tomcat is unfortunately not a solution I can implement.
So I'm looking for a solution to remove or modify the headers in 401
responses on application server level.
So you just want to disable HTTP BASIC authentication? Why not just
remove the <auth-method> from web.xml and disable authentication entirely?
Are you saying that when you connect using a REST client, the client
shows a login dialog in a web browser? That sounds ... weird. The
REST client should see the WWW-Authenticate header and either (a)
fail or
(b) re-try with credentials you have provided to it.
-chris
---------------------------------------------------------------------
No, container BASIC authentication should be enabled, the container
should handle the authentication, but the browser should not show his
ugly default login dialog when I request resources from the
REST-service with wrong credentials.
When the REST-client (web-application in the browser) receives a
failed login with a WWW-Authenticate header, the default dialog of
the browser will be shown... that’s what I want to suppress.
When I remove the (a) <login-config> or (b) <auth-method> sending
deployment fails). But that's not a solution because the rest-service
Basic ....."
header send credentials, but I don't want to show the ugly
browser-dialog to the users.
Using a AngularJS Client with REST-services based on tomcat should be
a common use-case, it could not be that I'm the first one who wants a
custom login-screen. :-/
-torsten
The Problem is then, that login via "Authorization: BASIC xyz==" will
not work anymore... the legacy client is not able to handle FORM based
login :-/
Torsten, let me try again another way :

1)
Post by Torsten Rieger
Post by Torsten Rieger
Using a AngularJS Client with REST-services based on tomcat should be
a common use-case, it could not be that I'm the first one who wants a >>
custom login-screen. :-/

No, you probably are not. But *this has nothing to do with Tomcat per se*.
Any other webserver, in the same circumstances, would send a 401 back, with
a request for HTTP Basic authentication.
If, at the server level, you configure that for this application, you want
HTTP Basic authentication, then that is what you will get. It is not a
choice of the server, it is something *imposed* by the HTTP protocol.

If you want something else to happen, but still have the client be
authenticated for that application, then you have to change the
authentication method required, at the server level. No way around it.

2) If the browser receives a 401 response header which indicates that the
requested authentication method should be HTTP Basic, then it will popup its
bultin HTTP Basic authentication popup dialog. There is no easy way around
this either, because this behaviour is built-in into the code of all major
browsers.
(Also because the HTTP protocol says that this is what the browser should
do).
If you want this to be different, then you have to find a way to modify the
browser-side logic, so that it does not do that. Doing this is possible,
but not easy (see some of the other responses), and if not done correctly,
it will be buggy and/or introduce security issues.

3) all the responses which I have seen so far on this thread, are
technically correct considering the information which you have provided as
to what you would like, and what your client-side application can/cannot do.
But maybe here, we were all seeing the tree that you put in front of us, and
for that reason not seeing the forest behind it.

4) Setting the server-side to do authentication in a different way than HTTP
Basic, does not necessarily mean that your application cannot, overall, be
authenticated.

The REST application on the server, presumably, does not care *how* the user
is authenticated. It just wants an authenticated user, no matter how that
happens.
It gets the user-id from Tomcat (via request.getUser() or similar), *after*
Tomcat has taken care of the authentication. The way in which Tomcat
obtains this user-id is not the concern of the application. (At least, that
is what a well-behaved application would do).

5) So let's do the authentication in another way, so that the client never
even sees a 401 response from the server, and thus never pops up this dialog
that you do not want to see.

At the server level, use the form-based authentication, like another poster
here already suggested.
What would happen then is as follows :

a) the browser sends a first request to the REST app, un-authenticated.
b) the server sees that this is not authenticated, and sends back to the
browser, a login form. Note that this is just a html page, that has nothing
to do with the client-side application. (Note : you create this login form,
and save it on the server.
You just need to tell the server (in the web.xml of the REST application)
where this login form is.)
c) the human client fills-in the login form, and his browser posts it back
to the server.
This goes to another URL on the server (e.g. "/login"), that is *not* the
REST application.
d) on the server, the login application at "/login" authenticates the user
and creates a session, where this authenticated user-id is stored. It also
sets the authenticated user-id in the Tomcat request structure, for later
usage.
The login application also prepares a "session-id" cookie, to be sent back
to the browser (later), which points to this saved session on the server.
e) The login application now redirects the browser, to the original URL that
it was requesting, before all this authentication stuff took place.
That is the REST application.
f) now the REST application gets called, and it can retrieve the user-id
from Tomcat, as promised. So it does its work, and sends back the response
to the browser.
(Notice that there has never been a 401 response so far)
g) the browser gets the 1st response from the REST application. It also
gets, at the same time, the session-id cookie that was added by the
authentication part.
h) if the browser now sends a second request to the REST application, this
session-id cookie will be re-sent to the server also.
i) the server now gets the new request, and the cookie. The server uses the
cookie to retrieve the saved session, including the user-id in it. The
server uses this to set the internal Tomcat user-id, and calls the REST
application again.
j) the REST application starts working, and retrieves the user-id from
Tomcat. So it is happy, and sends back the next response.
Tomcat takes care that with this next response, the session-id cookie header
is sent again to the browser.
k) the browser sends another request to the server. Go to (h) above.

Notice : still no 401 Basic response header anywhere, so no browser-side
Basic auth popup.
Notice also : the client-side application is never really involved in the
authentication.
So whatever it supports or not, is not relevant here.

Note that all the above supposes that the client application on the browser
side, does not need to know that it is authenticated. But that is normally
the case for client-side applications.

Last note : in the a-k explanation above, I have taken some liberties with
the intimate details of how things happen on the server. I hope that the
purists will forgive this bit of poetic and tutorial license. Hopefully, it
should allow Torsten to get going along the right track, instead of pursuing
mirages.



---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org


FORM-based is not possible because of the legacy client, which only supports
BASIC-auth.
You are right, it's a problem all servers... imho it's a problem of that old
standard from the 90th, because there was no real logic on client side:
Let's have a look at the informations:
1) 401 -> Unauthorized
2) WWW-Authenticate: BASIC realm="xyz" --> Method

But that should be only interpreted as: "please send your username/password
as 'BASIC 4324CAF323=='" and NOT as "show an ugly dialog". There is no
chance to use auth with 'BASIC ...' but with an custom dialog.

That the clients can send their credentials in a BASIC compatible style is a
hard requirement. Because just one auth-method is allows for an application
in an web.xml and that must be BASIC because of the legacy client. ... but
that client doesn't matter if there is a BASIC challenge send by the server.
;-)

All solutions on application level (client or server side) will not work,
because 401-response and the processing which is leading on the client side
are handled by container and browser without a chance to modify anything by
custom code. The only way is to remove security constraints and to handle it
in my own code but without authentication capabilities from container level
except I use request.login (Servlet 3.0 API) which delegates up to
container-level from application code.
BUT I use the equinoxbridge.jar to forward all requests from the outer
container to an inner OSGi-based cxf server, and it seems that this bridge
makes everything more complicated... that .login() didn't work for me, I
think doesn't reach the outer container. :-/

If I had an normal jersey application, I could use a ContainerResponseFilter
to modify 401-errors, but that doesn't work with that equinoxbrigde because
it's a normal servlet without support for such filters... and the inner
application after that bridge is not reached if credentials are wrong.

I still thought "removing that BASIC in the WWW-authenticate header will be
a best fitting solution" ... that seems to be best practice
(https://github.com/gbif/registry/blob/master/registry-ws/src/main/java/org/gbif/registry/ws/filter/AuthResponseCodeOverwriteFilter.java)
and in the standard: challenged auth-method in the response must not be the
same as send before by the client.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
Torsten Rieger
2015-10-30 22:45:25 UTC
Permalink
This post might be inappropriate. Click to display it.
chris derham
2015-10-31 00:39:05 UTC
Permalink
Post by Torsten Rieger
I want to say thank you all for your help and many different ways to solve
my problem. I think the most -maybe all- will work in an ideal world without
hard requirements through legacy client-applications. I don't want to hold
on BASIC as auth-method because I like it so much, I prefer to kick that
legacy application. ^^
Torsten,

If you have fixed it, then perhaps I should stop trying to help you.
However I reviewed the previous posts, and think that there was a key
aspect that I didn't mention before. So for the benefit of the email
archive, I'll give it another go.

Setup you landing/index page to be public, i.e. no authentication. The
AngularJS html/js/css/pngs all load freely. I assume that this isn't
too much of an issue, e.g.you want to prevent people accessing the app
unless they have logged in. Then make all RestAPI calls to a
sub-directory called say /api/. Add security restrictions to this
sub-directory. As the app starts up, any call to any rest api will
return a 401. As all calls are ajax, no browser login popup. The
global AngularJS ajax error handler I posted previously captures the
response. So when the server detects no (or expired) session, it
returns a 401, & AngularJS global error handler detects this &
redirects to login page. Login page captures credentials, posts to
login api (which obviously needs to be not protected as well), and
then upon success, sends a cookie (or auth token of some sort). Then
AngularJS can send this cookie (or auth token) in each subsequent
RestApi call, e voila.

I just tested the app I am developing that does this, in Edge, IE,
Chrome & Firefox. All working perfectly. No "ugly" login dialog in
sight. The key point I neglected to mention in my earlier post is that
you need to make sure that the host page is not behind the security.
If you are unwilling to do this, then they will have login before
accessing the app. In which case you can't really do anything about
it.

HTH

Chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
t***@promatis.de
2015-10-31 05:32:39 UTC
Permalink
This post might be inappropriate. Click to display it.
chris derham
2015-10-28 15:55:46 UTC
Permalink
Post by Torsten Rieger
No, container BASIC authentication should be enabled, the container should
handle the authentication, but the browser should not show his ugly default
login dialog when I request resources from the REST-service with wrong
credentials.
When the REST-client (web-application in the browser) receives a failed
login with a WWW-Authenticate header, the default dialog of the browser will
be shown... that’s what I want to suppress.
When I remove the (a) <login-config> or (b) <auth-method> sending requests
with credentials will not work anymore (a: 403 forbidden; b: deployment
fails). But that's not a solution because the rest-service should be still
protected and I need to authenticate via "Authentication: Basic ....."
header send credentials, but I don't want to show the ugly browser-dialog to
the users.
Using a AngularJS Client with REST-services based on tomcat should be a
common use-case, it could not be that I'm the first one who wants a custom
login-screen. :-/
-torsten
Torsten,

Add an interceptor to AngularJS to detect the 401 and do whatever you
want, e.g. redirect to a login page. Then when you have the
credentials, submit to login rest api, get a token, and then make all
other calls passing this token.

There are loads of examples on how to do this on the internet. This
isn't tomcat specific.

function globalInterceptorResponse($injector, $q) {
return {
'response': function (response) {
return response;
},
'responseError': function (rejection) {
switch (rejection.status) {
...
case 401:
console.warn("Hit 401 - redirecting to login");
window.location = '/login';
break;
...
default:
console.warn(rejection);
}
return $q.reject(rejection);
}
};
}
globalInterceptorResponse.$inject = ['$injector', '$q'];

then in request config,

$httpProvider.interceptors.push(globalInterceptorResponse);


Chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
André Warnier (tomcat)
2015-10-28 16:50:57 UTC
Permalink
Post by Christopher Schultz
Post by Torsten Rieger
No, container BASIC authentication should be enabled, the container should
handle the authentication, but the browser should not show his ugly default
login dialog when I request resources from the REST-service with wrong
credentials.
When the REST-client (web-application in the browser) receives a failed
login with a WWW-Authenticate header, the default dialog of the browser will
be shown... that’s what I want to suppress.
When I remove the (a) <login-config> or (b) <auth-method> sending requests
with credentials will not work anymore (a: 403 forbidden; b: deployment
fails). But that's not a solution because the rest-service should be still
protected and I need to authenticate via "Authentication: Basic ....."
header send credentials, but I don't want to show the ugly browser-dialog to
the users.
Using a AngularJS Client with REST-services based on tomcat should be a
common use-case, it could not be that I'm the first one who wants a custom
login-screen. :-/
-torsten
Torsten,
Add an interceptor to AngularJS to detect the 401 and do whatever you
want, e.g. redirect to a login page. Then when you have the
credentials, submit to login rest api, get a token, and then make all
other calls passing this token.
There are loads of examples on how to do this on the internet. This
isn't tomcat specific.
function globalInterceptorResponse($injector, $q) {
return {
'response': function (response) {
return response;
},
'responseError': function (rejection) {
switch (rejection.status) {
...
console.warn("Hit 401 - redirecting to login");
window.location = '/login';
break;
...
console.warn(rejection);
}
return $q.reject(rejection);
}
};
}
globalInterceptorResponse.$inject = ['$injector', '$q'];
then in request config,
$httpProvider.interceptors.push(globalInterceptorResponse);
Chris
What is maybe not totally clear for the OP above, is that the above is done at the level
of the client (browser). Not at the tomcat level.

(Which is maybe also why Torsten did not find anything when he previously searched the web
: he was searching with the wrong keywords).



---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
Christopher Schultz
2015-10-28 19:24:30 UTC
Permalink
Chris,
Post by Christopher Schultz
Post by Torsten Rieger
No, container BASIC authentication should be enabled, the container should
handle the authentication, but the browser should not show his ugly default
login dialog when I request resources from the REST-service with wrong
credentials.
When the REST-client (web-application in the browser) receives a failed
login with a WWW-Authenticate header, the default dialog of the browser will
be shown... that’s what I want to suppress.
When I remove the (a) <login-config> or (b) <auth-method> sending requests
with credentials will not work anymore (a: 403 forbidden; b: deployment
fails). But that's not a solution because the rest-service should be still
protected and I need to authenticate via "Authentication: Basic ....."
header send credentials, but I don't want to show the ugly browser-dialog to
the users.
Using a AngularJS Client with REST-services based on tomcat should be a
common use-case, it could not be that I'm the first one who wants a custom
login-screen. :-/
-torsten
Torsten,
Add an interceptor to AngularJS to detect the 401 and do whatever you
want, e.g. redirect to a login page. Then when you have the
credentials, submit to login rest api, get a token, and then make all
other calls passing this token.
There are loads of examples on how to do this on the internet. This
isn't tomcat specific.
function globalInterceptorResponse($injector, $q) {
return {
'response': function (response) {
return response;
},
'responseError': function (rejection) {
switch (rejection.status) {
...
console.warn("Hit 401 - redirecting to login");
window.location = '/login';
break;
...
console.warn(rejection);
}
return $q.reject(rejection);
}
};
}
globalInterceptorResponse.$inject = ['$injector', '$q'];
then in request config,
$httpProvider.interceptors.push(globalInterceptorResponse);
This won't work because the application doesn't get a chance to do
anything until Tomcat completes its authentication/authorization work.
If the application were handling the authentication/authorization, then
the original Filter would have worked.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
chris derham
2015-10-29 09:12:54 UTC
Permalink
Post by Christopher Schultz
Post by Christopher Schultz
Torsten,
Add an interceptor to AngularJS to detect the 401 and do whatever you
want, e.g. redirect to a login page. Then when you have the
credentials, submit to login rest api, get a token, and then make all
other calls passing this token.
There are loads of examples on how to do this on the internet. This
isn't tomcat specific.
function globalInterceptorResponse($injector, $q) {
return {
'response': function (response) {
return response;
},
'responseError': function (rejection) {
switch (rejection.status) {
...
console.warn("Hit 401 - redirecting to login");
window.location = '/login';
break;
...
console.warn(rejection);
}
return $q.reject(rejection);
}
};
}
globalInterceptorResponse.$inject = ['$injector', '$q'];
then in request config,
$httpProvider.interceptors.push(globalInterceptorResponse);
This won't work because the application doesn't get a chance to do
anything until Tomcat completes its authentication/authorization work.
If the application were handling the authentication/authorization, then
the original Filter would have worked.
-chris
Chris,

I think that you thought the above was server-side java code. The
above was javascript code that runs in the browser. It does work - I
copied it from a project I am working on now.

Chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
André Warnier (tomcat)
2015-10-29 13:03:21 UTC
Permalink
Post by Christopher Schultz
Post by Christopher Schultz
Post by Christopher Schultz
Torsten,
Add an interceptor to AngularJS to detect the 401 and do whatever you
want, e.g. redirect to a login page. Then when you have the
credentials, submit to login rest api, get a token, and then make all
other calls passing this token.
There are loads of examples on how to do this on the internet. This
isn't tomcat specific.
function globalInterceptorResponse($injector, $q) {
return {
'response': function (response) {
return response;
},
'responseError': function (rejection) {
switch (rejection.status) {
...
console.warn("Hit 401 - redirecting to login");
window.location = '/login';
break;
...
console.warn(rejection);
}
return $q.reject(rejection);
}
};
}
globalInterceptorResponse.$inject = ['$injector', '$q'];
then in request config,
$httpProvider.interceptors.push(globalInterceptorResponse);
This won't work because the application doesn't get a chance to do
anything until Tomcat completes its authentication/authorization work.
If the application were handling the authentication/authorization, then
the original Filter would have worked.
-chris
Chris,
I think that you thought the above was server-side java code. The
above was javascript code that runs in the browser. It does work - I
copied it from a project I am working on now.
Hi.

I will not dispute the fact that this solution works for you, and that it could also work
for Torsten. And I must say that it looks elegant, from a javascript point of view.

I will just submit a personal opinion, based on long experience, that says that any
solution (for this kind of interacting-with-servers issue) which is browser-based, is
always more fragile and inherently more unstable, than a solution based on normal HTTP
interactions and implemented at the server side. (*)
There are always little differences among browsers and browser versions, as to how they
handle javascript code. And there are many things that a user can do with his browser,
that can interfere with such things.
And problems on that side will always be very time-consuming to identify and debug.
A server-side, protocol-compliant solution on the other hand, will work with any
HTTP-compliant browser (which does not necessarily include all versions of Internet
Explorer), and be a lot easier to maintain.

End of opinion.

(*) with an exception for all the marvelous things which you can do with tools like
jQuery, when used judiciously at the level of the browser-side presentation and user
interaction.




---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
Christopher Schultz
2015-10-29 14:01:56 UTC
Permalink
Chris,
Post by Christopher Schultz
Post by Christopher Schultz
Post by Christopher Schultz
Torsten,
Add an interceptor to AngularJS to detect the 401 and do whatever you
want, e.g. redirect to a login page. Then when you have the
credentials, submit to login rest api, get a token, and then make all
other calls passing this token.
There are loads of examples on how to do this on the internet. This
isn't tomcat specific.
function globalInterceptorResponse($injector, $q) {
return {
'response': function (response) {
return response;
},
'responseError': function (rejection) {
switch (rejection.status) {
...
console.warn("Hit 401 - redirecting to login");
window.location = '/login';
break;
...
console.warn(rejection);
}
return $q.reject(rejection);
}
};
}
globalInterceptorResponse.$inject = ['$injector', '$q'];
then in request config,
$httpProvider.interceptors.push(globalInterceptorResponse);
This won't work because the application doesn't get a chance to do
anything until Tomcat completes its authentication/authorization work.
If the application were handling the authentication/authorization, then
the original Filter would have worked.
-chris
Chris,
I think that you thought the above was server-side java code. The
above was javascript code that runs in the browser. It does work - I
copied it from a project I am working on now.
Yes, I was missing the fact that parts (or all?) of AngularJS run on the
client. Thanks for clarifying that bit.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
Torsten Rieger
2015-10-30 21:34:56 UTC
Permalink
I tried this already...

$httpProvider.interceptors.push(function () {
return {
'responseError': function (rejection) {
var s = rejection.status;
return rejection;
}
};
});

But the repsonseError function is called after successful login or cancel of
the login-dialog... so that does not work if the server sends a
WWW-Authenticate: BASIC.... challenge to the browser. :-/

-----Ursprüngliche Nachricht-----
Von: Christopher Schultz [mailto:***@christopherschultz.net]
Gesendet: Donnerstag, 29. Oktober 2015 15:02
An: Tomcat Users List <***@tomcat.apache.org>
Betreff: Re: AW: Suppress or replace WWW-Authorization header

Chris,
Post by Christopher Schultz
Post by Christopher Schultz
Post by Christopher Schultz
Torsten,
Add an interceptor to AngularJS to detect the 401 and do whatever
you want, e.g. redirect to a login page. Then when you have the
credentials, submit to login rest api, get a token, and then make
all other calls passing this token.
There are loads of examples on how to do this on the internet. This
isn't tomcat specific.
function globalInterceptorResponse($injector, $q) {
return {
'response': function (response) {
return response;
},
'responseError': function (rejection) {
switch (rejection.status) { ...
console.warn("Hit 401 - redirecting to login");
window.location = '/login';
break;
...
console.warn(rejection);
}
return $q.reject(rejection);
}
};
}
globalInterceptorResponse.$inject = ['$injector', '$q'];
then in request config,
$httpProvider.interceptors.push(globalInterceptorResponse);
This won't work because the application doesn't get a chance to do
anything until Tomcat completes its authentication/authorization work.
If the application were handling the authentication/authorization,
then the original Filter would have worked.
-chris
Chris,
I think that you thought the above was server-side java code. The
above was javascript code that runs in the browser. It does work - I
copied it from a project I am working on now.
Yes, I was missing the fact that parts (or all?) of AngularJS run on the
client. Thanks for clarifying that bit.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org

---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
Christopher Schultz
2015-10-28 18:52:15 UTC
Permalink
Torsten,
Post by Torsten Rieger
-----Ursprüngliche Nachricht-----
Gesendet: Mittwoch, 28. Oktober 2015 15:39
Betreff: Re: AW: Suppress or replace WWW-Authorization header
Torsten,
Post by Torsten Rieger
I have a legacy java-SOAP-client that only supports BASIC
authentication (send the Authorization: Basic... header) and a
AngularJS application that consumes a REST-service (also sending the
Authorization: Basic header).
The server supports two kinds of deployment: Standalone with an
embedded Jetty-server and as war-file for app-servers (most of them
are tomcat-server). I try to suppress the browser BASIC-login-dialog
for the REST-service-calls from AngularJS.
On Jetty I modify the 401-responses and replace the "WWW-Authenticate"
header by anything else than "BASIC" and that works, now I try to find
a solution for the deployment on tomcat servers.
Rewrite (unset header in responses) with an apache proxy in front of
the tomcat is unfortunately not a solution I can implement.
So I'm looking for a solution to remove or modify the headers in 401
responses on application server level.
So you just want to disable HTTP BASIC authentication? Why not just remove
the <auth-method> from web.xml and disable authentication entirely?
Are you saying that when you connect using a REST client, the client shows a
login dialog in a web browser? That sounds ... weird. The REST client should
see the WWW-Authenticate header and either (a) fail or (b) re-try with
credentials you have provided to it.
-chris
---------------------------------------------------------------------
No, container BASIC authentication should be enabled, the container should
handle the authentication, but the browser should not show his ugly default
login dialog when I request resources from the REST-service with wrong
credentials.
When the REST-client (web-application in the browser) receives a failed
login with a WWW-Authenticate header, the default dialog of the browser will
be shown... that’s what I want to suppress.
When I remove the (a) <login-config> or (b) <auth-method> sending requests
with credentials will not work anymore (a: 403 forbidden; b: deployment
fails). But that's not a solution because the rest-service should be still
protected and I need to authenticate via "Authentication: Basic ....."
header send credentials, but I don't want to show the ugly browser-dialog to
the users.
Using a AngularJS Client with REST-services based on tomcat should be a
common use-case, it could not be that I'm the first one who wants a custom
login-screen. :-/
How does your application know when the WWW-Authenticate header is okay
to remove from the response?

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
Loading...