If you create a REST API using Basic authentication, you don't want the browser to display its Basic authentication pop-up when the user types the wrong username/password in your frontend and the AJAX call to the backend "fails".
If you access your REST API without any credentials (or with wrong ones), the server will respond with a 401 status code and a WWW-Authenticate header like this:
curl -I http://localhost/host/events
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="SendRegning"
(...)
If your backend serves this, some browsers (MSIE and Chrome) will show a pop-up like this:
You don't want that, so what to do?
We ended up tweaking Apache, using the Header directive:
Header always edit WWW-Authenticate ^Basic SR_Basic
This means: edit the value of the response header WWW-Authenticate (if it exists), and if it starts with Basic, change
If you want to have a fallback solution, you could look for a specific User-Agent, like this:
BrowserMatch SendRegning/1.0 keep_auth
and add a condition to the previous directive:
Header always edit WWW-Authenticate ^Basic SR_Basic env=!keep_auth
This means if you "identify" your browser like this:
curl -I -A "SendRegning/1.0" http://localhost/host/events
you will get the standard, unchanged WWW-Authenticate header again.
You need to load the headers_module for this to work, and you need at least Apache 2.2.4. BrowserMatch needs the setenvif_module to be loaded.
We don't use SSL in our development environment, so make sure to encrypt all traffic when doing Basic authentication in the wild.
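How the frontend side can look once the challenge is renamed, as an added example that is not part of the original post: the function names are assumptions, while the SR_Basic scheme and the realm are the ones shown above. It sends the credentials itself, reads the 401 in script, and flags a response that still carries the standard Basic challenge.

```javascript
// Added example, not code from the post. parseChallenge, isBasicChallenge,
// basicAuthorization and login are hypothetical names.

// Split a WWW-Authenticate value into scheme and realm.
function parseChallenge(value) {
  const m = /^([^\s,]+)(?:\s+(.*))?$/.exec((value || "").trim());
  if (!m) return null;
  const realm = /realm="([^"]*)"/i.exec(m[2] || "");
  return { scheme: m[1], realm: realm ? realm[1] : null };
}

// True when the challenge still names the standard Basic scheme, i.e. the
// Header edit rule is not in effect for this response.
function isBasicChallenge(challenge) {
  return challenge !== null && /^basic$/i.test(challenge.scheme);
}

// The request side is untouched by the rewrite: the client still sends a
// normal "Basic" Authorization header (UTF-8 encoded, then base64).
function basicAuthorization(user, password) {
  const bytes = new TextEncoder().encode(`${user}:${password}`);
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  return "Basic " + btoa(bin);
}

// Call the API and turn a 401 into a result the login form can render.
// fetchImpl is injectable so the function can be exercised without a server.
async function login(url, user, password, fetchImpl = fetch) {
  const res = await fetchImpl(url, {
    headers: { Authorization: basicAuthorization(user, password) },
  });
  if (res.status !== 401) return { ok: res.ok, status: res.status };
  const challenge = parseChallenge(res.headers.get("WWW-Authenticate"));
  return {
    ok: false,
    status: 401,
    realm: challenge ? challenge.realm : null,
    rewriteMissing: isBasicChallenge(challenge),
  };
}
```

A `rewriteMissing: true` result in a test run against the server means the Header edit rule did not apply to that response.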