This repository has been archived by the owner on Mar 8, 2021. It is now read-only.

Make use of :unauthenticated-handler in the http-basic workflow. #79

Open
wants to merge 1 commit into
base: master

damionjunk

Setting the :unauthenticated-handler had no effect previously when using the http-basic workflow. If not set, the call to http-basic-deny still takes place as it did before.

Setting the `:unauthenticated-handler` had no effect previously. If not set, the call to `http-basic-deny` still takes place as it did before.
@cemerick
Owner

Lack of support for :unauthenticated-handler there was originally intentional; once it's clear that the client has sent HTTP Basic credentials, the range of responses is constrained pretty significantly by the relevant spec.

What are you hoping to do in this handler that will be applied to failing HTTP Basic authentication attempts?

@damionjunk
Author

I thought it may be intentional, but I noticed in the tests and examples for http-basic that you've provided the handler in the configuration anyway.

I just wanted to provide a custom message in the body rather than rely on what was returned by the container.

I get something like this (which likely varies by container and container config):

```
HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: Basic realm="Somerealm"
Content-Type: text/html;charset=utf-8
Content-Length: 1044
Date: Sun, 27 Oct 2013 23:59:19 GMT

<html><head><title>JBoss Web/7.2.0.Final - JBWEB000064: Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>JBWEB000065: HTTP Status 401 - </h1><HR size="1" noshade="noshade"><p><b>JBWEB000309: type</b> JBWEB000067: Status report</p><p><b>JBWEB000068: message</b> <u></u></p><p><b>JBWEB000069: description</b> <u>JBWEB000121: This request requires HTTP authentication.</u></p><HR size="1" noshade="noshade"><h3>JBoss Web/7.2.0.Final</h3></body></html>
```

I'm using HTTP basic for JSON/REST API authentication, so I'd rather be able to return either a known string, or some JSON body along with the 401.

@cemerick
Owner

Okay, that's fair. A couple of things need to happen, though:

  1. The realm needs to be assoc'd into the request upon auth failure so that :unauthenticated-handlers can emit the appropriate WWW-Authenticate header corresponding to the params to the http-basic workflow fn.
  2. http-basic-deny needs to be changed to pull the realm from the request to match, not have it partial'd in, etc.
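
A sketch of the kind of `:unauthenticated-handler` this thread is asking for, added here as an example; it is not code from this pull request or from friend. It returns a JSON body on the 401 while keeping the `WWW-Authenticate` challenge, reading the realm from the request. The request key `::http-basic-realm`, the fallback realm and `lookup-user` are assumptions, since the thread does not name them.

```clojure
(ns example.basic-deny
  (:require [clojure.string :as str]))

;; Hypothetical key: the thread says the realm should be assoc'd into the
;; request on auth failure but does not name the key, so this is an assumption.
(def realm-key ::http-basic-realm)

(defn- quoted-string
  "Renders s as an HTTP quoted-string. Control characters are dropped so a
  realm value can never split the header; backslash and double quote are
  escaped with a backslash."
  [s]
  (let [clean   (str/replace (str s) #"\p{Cntrl}" "")
        escaped (str/replace clean #"[\\\"]" #(str "\\" %))]
    (str "\"" escaped "\"")))

(defn json-unauthenticated-handler
  "Candidate :unauthenticated-handler for a JSON API. A 401 must carry a
  WWW-Authenticate challenge, so the header is kept; only the container's
  HTML error page is replaced. The body is a constant, so it does not say
  whether the username or the password was wrong."
  [request]
  (let [realm (get request realm-key "Restricted")] ; fallback is an assumption
    {:status  401
     :headers {"WWW-Authenticate" (str "Basic realm=" (quoted-string realm))
               "Content-Type"     "application/json; charset=utf-8"
               "Cache-Control"    "no-store"}
     :body    "{\"error\":\"unauthorized\"}"}))

(comment
  ;; Constructed request map, shaped as the workflow might hand it over
  ;; once the realm is assoc'd in as described above.
  (json-unauthenticated-handler
    {:request-method :get
     :uri            "/api/items"
     realm-key       "Somerealm"})

  ;; Wiring. This only takes effect for http-basic once the workflow honours
  ;; :unauthenticated-handler, which is what this pull request proposes.
  ;; lookup-user is a hypothetical credential function.
  (friend/authenticate app
    {:unauthenticated-handler json-unauthenticated-handler
     :workflows [(workflows/http-basic :realm "Somerealm"
                                       :credential-fn lookup-user)]}))
```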

@cemerick
Owner

cemerick commented Feb 5, 2014

I'm happy to have this feature added in, but the current patch needs a couple of tweaks (described above). Bump, etc.

@damionjunk
Author

Sorry about the delay in response. I recently relocated to a different city, so things have been chaotic. :) I do intend to get to this shortly though.
