Forum Discussion
Erich_Rockman_1
Dec 11, 2015, Cirrus
I have been trying to explain it, but maybe because I have been deep into this, I am not doing a great job of it. I'll try again.
It is a regular web server, 401, Authorization, WWW-Authenticate headers intact.
I am looking to check the user credentials (entered into the browser via 401 challenge) and check that value against a list. That works fine right now. However, I cannot get it to respect the server's response (WWW-Authenticate). I need to be able to continue to prompt the user for creds when they are not correct (as far as Basic Auth is concerned).
My problem is that the WWW-Authenticate comes back on the response side and I am checking the Authorization header on the request side.
- Kai_Wilke, Dec 11, 2015, MVP: If the server is compliant, then it would send a 401 on each request which is not authenticated. This will repeat endlessly, since Basic authentication is per-request based and does not have a clue of previous requests. But the browser may suppress further auth prompts from popping up after a couple of tries and display instead the content of the 401 response. If a user is already successfully authenticated but the page is not accessible (e.g. the specific user doesn't have permissions), then the server could either prompt for additional credentials or display a 403 access denied message. But this is a vendor/product specific decision/setting. Which of the above scenarios is not working as desired? Cheers, Kai
- Erich_Rockman_1, Dec 11, 2015, Cirrus: The server is sending a 401 response. However, how can I perform a check on a response code in an HTTP_REQUEST event? That would be the idea. If status eq 401, then don't perform my logic of checking the username against the list. However, I cannot see the 401 on the request side after entering user/pass into browser.
- Kai_Wilke, Dec 11, 2015, MVP: You simply can't check the response code in the HTTP request stage, since you would need to look into the future to get that information. You could be creative and try to relate the last response with the next request. But this is strongly not recommended, since it would not comply with the per-request nature of HTTP in combination with Basic auth. All you should do is relate an HTTP request to the corresponding HTTP response. So you may store information in the request and based on that perform certain actions on the response. Cheers, Kai
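
The pattern from the last reply (store a result in the request, act on it in the matching response), shown here as an added example that is not code from either poster. It assumes the `HTTP_REQUEST` event mentioned in the thread is an F5 BIG-IP iRule event; the data group name `allowed_users_dg` is hypothetical.

```tcl
# Added example: assumes an F5 BIG-IP iRule. "allowed_users_dg" is a
# hypothetical string data group holding the permitted usernames.
when HTTP_REQUEST {
    # Reset on every request: a keep-alive connection carries many requests,
    # and Basic auth has no memory of earlier ones.
    set user_on_list 0

    # HTTP::username decodes the Authorization header; it is empty when the
    # client sent no Basic credentials.
    set auth_user [HTTP::username]
    if { $auth_user ne "" && [class match -- $auth_user equals allowed_users_dg] } {
        set user_on_list 1
    }
}

when HTTP_RESPONSE {
    # The server rejected the credentials (or none were sent). Pass its 401
    # and WWW-Authenticate header through untouched so the browser keeps
    # prompting the user.
    if { [HTTP::status] == 401 } {
        return
    }

    # The server accepted the credentials, but the username stored during
    # the request is not on the list: replace the response with a 403.
    if { !$user_on_list } {
        log local0. "Basic auth user '$auth_user' is not on the list, returning 403"
        HTTP::respond 403 content "Access denied" "Content-Type" "text/plain"
    }
}
```

With this ordering the request of a user who is not on the list still reaches the server before the 403 replaces the response, so it fits only where that is acceptable.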