AnsweredAssumed Answered

How to disable basic authentication for web scripts

Question asked by jduke on Jun 24, 2010
Latest reply on Jul 29, 2010 by rafaelscg
Hello everyone.

I am looking for a way to disable the basic authentication that happens automatically for web scripts when they require authentIication.

I am developing a custom web application which is backed by a number of web scripts which require an authenticated user. However, rather than relying on the browser-based basic auth mechanism, we prefer to rely on our own login form which delegates to an authentication web script which takes a username and password explicitly. This authentication web script then returns a ticket, and we are using the ticket for all subsequent interaction with other web scripts.

My problem is that when a web script is requested with an expired ticket, this leads to a 401 error and a basic authentication prompt in the user's browser. We don't want to use that prompt for authentication due to usability and other concerns; instead, we simply want to detect the 401 (or 403 maybe) indicating that the user is not authenticated, then redirect to a login page that can use our custom authentication web script, without the nasty browser-based basic authentication popping up.

I tried mucking around with some of the settings in webscript-framework-config.xml, such as adding <basic-auth>false</basic-auth> to the "alfresco" endpoint, but I had no success.

Does anyone know the right way to do this? Do I need to write my own authenticator class or something?

FYI, we are using Alfresco Enterprise

Update: The more I read about 401 errors, the more I am convinced that they always must include an authentication challenge of some kind; so perhaps what I really need is a way to simply always return a 403 error unless the user has provided a ticket. Perhaps I will need to override/extend/replace HTTPRequestAuthenticationFilter with my own implementation that doesn't bother looking for an auth header, and that returns 403 instead of 401…?


Jason Duke
Blue Fish Development Group