Last Updated: February 25, 2016
orby

Modify the WWW-Authenticate response header in Apache

If you build a REST API with Basic authentication, you don't want the browser to display its native Basic authentication pop-up when a user types the wrong username/password in your frontend and the AJAX call to the backend "fails".

If you access your REST API without any credentials (or with wrong ones), the server responds with a 401 status code and a WWW-Authenticate header like this:

curl -I http://localhost/host/events

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="SendRegning"
(...)

If your backend serves this, some browsers (MSIE and Chrome) will show a pop-up like this:

(Picture: the browser's native Basic authentication pop-up)

You don't want that, so what to do?

We ended up tweaking Apache, using the Header directive:

Header always edit WWW-Authenticate ^Basic SR_Basic

This means: edit the value of the response header WWW-Authenticate (if it exists) and, if it starts with Basic, replace Basic with SR_Basic. Browsers only show their native credential dialog for authentication schemes they recognise, so the unknown SR_Basic scheme keeps the dialog away while your JavaScript still receives the 401 and can show its own login form.

If you want to have a fallback solution, you could look for a specific User-Agent, like this:

BrowserMatch SendRegning/1.0 keep_auth

and add a condition to the previous directive:

Header always edit WWW-Authenticate ^Basic SR_Basic env=!keep_auth

This means if you "identify" your browser like this:

curl -I -A "SendRegning/1.0"  http://localhost/host/events

you will get the standard, unchanged WWW-Authenticate header again.
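The frontend side of this setup, as an added example that is not part of the original post: the client parses the rewritten challenge, decides whether to render its own login form, and retries with a standard Basic Authorization header (the rewrite only changes the response challenge, not what Apache's AuthType Basic expects in the request). The scheme name SR_Basic is taken from the rule above; the response values are constructed here.

```javascript
// Parse one WWW-Authenticate challenge ("Scheme k="v", k2=v2") into
// { scheme, params }. Quoted values may contain backslash-escaped quotes.
function parseChallenge(headerValue) {
  const m = /^\s*([!#$%&'*+\-.^_`|~0-9A-Za-z]+)\s*(.*)$/.exec(headerValue || '');
  if (!m) return null;
  const params = {};
  const re = /([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))/g;
  let p;
  while ((p = re.exec(m[2])) !== null) {
    params[p[1].toLowerCase()] = p[2] !== undefined ? p[2].replace(/\\(.)/g, '$1') : p[3];
  }
  return { scheme: m[1], params };
}

// Decide what the frontend should do with an API response.
// 'custom-login': the server sent our private scheme (SR_Basic, assumed from
//   the Apache rule), the browser stayed quiet, so render our own login form.
// 'native-basic': plain Basic reached the browser (e.g. the keep_auth fallback
//   matched, or mod_headers is not loaded); the native dialog has most likely
//   been shown already, so log this as a configuration problem.
// 'ok' / 'other': success, or an error that is not an auth challenge.
function classifyResponse(status, wwwAuthenticate, customScheme = 'SR_Basic') {
  if (status !== 401) return status < 400 ? 'ok' : 'other';
  const c = parseChallenge(wwwAuthenticate);
  if (!c) return 'other';
  const scheme = c.scheme.toLowerCase();
  if (scheme === customScheme.toLowerCase()) return 'custom-login';
  if (scheme === 'basic') return 'native-basic';
  return 'other';
}

// Build the Authorization header the custom login form sends on retry.
// Still standard Basic: Apache validates the request exactly as before.
function basicAuthorization(user, password) {
  const raw = `${user}:${password}`;
  const b64 = typeof Buffer !== 'undefined'
    ? Buffer.from(raw, 'utf8').toString('base64')
    : btoa(unescape(encodeURIComponent(raw)));
  return `Basic ${b64}`;
}
```

In a fetch wrapper, call classifyResponse(res.status, res.headers.get('WWW-Authenticate')) on every API response and open your own form only for 'custom-login'.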


Requirements

You need the headers_module (mod_headers) loaded for this to work, and at least Apache 2.2.4.

BrowserMatch needs the setenvif_module (mod_setenvif) to be loaded.


Disclaimer

We don't use SSL in our development environment, so make sure to encrypt all traffic when doing Basic authentication in the wild.
