I want to access a full REST service with basic HTTP auth running. However, there is no way for the JavaScript browser client to suppress the authentication box when a wrong credential is provided.
I thought about different methods to solve this problem:
- Someone suggested removing the WWW-Authenticate header with a filter (I don't think this is a clean approach)
- I could rewrite my app to not use basic HTTP auth at all (I think this is too much trouble)
- I could write a proxy that talks to my regular service
I like the last approach the best. I keep my regular REST interface, but also have the option to use this interface with clients that are not that flexible. Furthermore, I can later proxy HTTP requests unsupported by some browsers.
The idea is to have a /api/proxy/{request} path that proxies to /api/{request} and returns a Facebook-Graph-like JSON query { data: {data}, error: {error}}
This is the stub of the Proxy class:
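```java
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Request;

@Path("proxy")
public class ProxyResource {
    @GET
    @Path("{url: [a-zA-Z/]*}")
    public String get(@Context Request request, @PathParam("url") String url) {
        // remove proxy/ from path
        // resend request
        // verify result
        throw new UnsupportedOperationException("stub: not implemented yet");
    }
}
```
I can access the Request (which seems to be a ContainerRequest). How can I modify the request without building it from scratch to resend it?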
Edit: If somebody knows a better approach, I am delighted to hear about it.
As I started to dig deeper into this, I found out that the 401 was not the problem. The WWW-Authenticate header sent back from the server caused the browser to open the login box.
If somebody is interested, I've written a little Node.js proxy to remove www-authenticate from all server requests.
https://gist.github.com/ebb9a5052575b0a3f41f
As this is not the answer to my original question, I will leave it open.
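
A header-stripping reverse proxy of the kind the post describes, written here as an added example (it is not the author's gist, whose contents are not shown on this page). The function names, the upstream address and the ports are assumptions.

```javascript
// Added example: function names, addresses and ports are assumptions.

// Return a copy of the upstream response headers without WWW-Authenticate.
// Header names are case-insensitive, so compare in lower case.
function stripAuthChallenge(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== 'www-authenticate') out[name] = value;
  }
  return out;
}

// Start a reverse proxy on listenPort that forwards every request to
// upstream ({ host, port }) and relays the response with the challenge removed.
// The status code (including 401) is passed through unchanged, so the
// JavaScript client can still detect rejected credentials itself.
async function startProxy(upstream, listenPort) {
  // Dynamic import works from both CommonJS and ES modules.
  const http = await import('node:http');
  const server = http.createServer((clientReq, clientRes) => {
    const upstreamReq = http.request(
      {
        host: upstream.host,
        port: upstream.port,
        method: clientReq.method,
        path: clientReq.url,
        // Authorization is forwarded as-is; Host is rewritten for the upstream.
        headers: { ...clientReq.headers, host: `${upstream.host}:${upstream.port}` },
      },
      (upstreamRes) => {
        clientRes.writeHead(upstreamRes.statusCode, stripAuthChallenge(upstreamRes.headers));
        upstreamRes.pipe(clientRes);
      }
    );
    // Upstream unreachable: answer 502 instead of leaving the client hanging.
    upstreamReq.on('error', () => {
      if (!clientRes.headersSent) clientRes.writeHead(502);
      clientRes.end();
    });
    clientReq.pipe(upstreamReq);
  });
  // Bind to loopback only; resolve with the server once it is listening.
  return new Promise((resolve) => server.listen(listenPort, '127.0.0.1', () => resolve(server)));
}

// Usage (assumed addresses): startProxy({ host: '127.0.0.1', port: 8080 }, 8081);
```

RFC 7235 requires a 401 response to carry WWW-Authenticate, so a proxy like this deliberately deviates from the standard and should sit only in front of script clients that handle the 401 themselves.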