Last Updated: October 12, 2017
·
5.107K
· orby

Modify the WWW-Authenticate response header in Apache

If you create a REST API using Basic authentication, you don't want the browser to display the Basic authentication pop-up if the user typed the wrong username/password in your frontend making the AJAX call to the backend "fail".

If you access your REST API without any credentials (or wrong ones), the server will respond with a 401 status code and a WWW-Authenticate header like this:

curl -I http://localhost/host/events

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="SendRegning"
(...)

If your backend serves this, some browsers (MSIE and Chrome) will show a pop-up like this:

Picture

You don't want that, so what to do?

We ended up tweaking Apache, using the Header directive:

Header always edit WWW-Authenticate ^Basic SR_Basic

This means: edit the value of the response header WWW-Authenticate (if exists), and if it starts with Basic, change Basic to SR_Basic.

If you want to have a fallback solution, you could look for a specific User-Agent, like this:

BrowserMatch SendRegning/1.0 keep_auth

and add a condition to the previous directive:

Header always edit WWW-Authenticate ^Basic SR_Basic env=!keep_auth

This means if you "identify" your browser like this:

curl -I -A "SendRegning/1.0"  http://localhost/host/events

you will get the standard, not changed WWW-Authenticate header again.


Requirements

You need to load the headers_module for this to work and you and need at least Apache 2.2.4.

BrowserMatch needs the setenvif_module to be loaded.


Disclaimer

We don't use SSL in our development environment, so make sure to encrypt all traffic when doing Basic authentication in the wild.