
Unwanted browser authentication dialog #4

Open
hsaladin opened this issue Jul 2, 2020 · 5 comments
Comments

@hsaladin
Contributor

hsaladin commented Jul 2, 2020

In some cases, trying to access a controlled-access resource triggers the browser's native authentication dialog, instead of being handled by the application.

This seems to only occur when the KTBS service hosting that resource has the same origin as the application (might be CORS related?)

@hsaladin
Contributor Author

hsaladin commented Jul 7, 2020

After deeper investigation, here is what happens:

  • it turns out that when the HTTP server responds with a 401 status and a "WWW-Authenticate: Basic ..." response header, browsers will display the authentication dialog, and there is no way to prevent it from JavaScript code.
    (https://stackoverflow.com/questions/86105/how-can-i-suppress-the-browsers-authentication-dialog)

  • the only case when browsers don't show this dialog is when the request is cross-origin, in order to prevent password-stealing attacks. (https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication)
    This is why the problem only occurs when the Ktbs service has an origin different from the ktbs4la2 application.

  • the only clean way to fix this seems to be that the server should not add the "WWW-Authenticate" header to its response when the request is sent from JavaScript code. Also, in order to be distinguishable, such requests should have an "x-requested-with: XMLHttpRequest" header.

The client part of this (= add "x-requested-with: XMLHttpRequest" request header) is easy to implement, but I haven't been able to implement the server part (= remove "WWW-Authenticate" response header).
I tried to use Apache's mod_headers like so:

<IfModule mod_headers.c>
    <If "%{HTTP:x-requested-with} == 'XMLHttpRequest'">
        Header unset WWW-Authenticate
    </If>
</IfModule>

or with a different syntax, which should be more or less equivalent:

<IfModule mod_headers.c>
    Header unset WWW-Authenticate "expr=req('x-requested-with') == 'XMLHttpRequest' && resp('WWW-Authenticate') =~ /^Basic/"
</IfModule>

Neither of them works, apparently because mod_auth takes precedence over mod_headers, and the directive above does not seem to be evaluated when mod_auth asks for authentication.

In conclusion, I haven't been able to solve this problem with some Apache tuning, as it lacks flexibility in its authentication workflow.

@pchampin
Member

pchampin commented Jul 7, 2020

Have you tried the following rule?

<IfModule mod_headers.c>
    Header always unset WWW-Authenticate "expr=req('x-requested-with') == 'XMLHttpRequest' && resp('WWW-Authenticate') =~ /^Basic/"
</IfModule>

The difference is the keyword always after the Header directive; without it, the rule only applies to success (2xx) responses. That could explain why it does not work on 401 responses.

@hsaladin
Contributor Author

hsaladin commented Jul 7, 2020

I did, and it doesn't work.

I also tried:

<IfModule mod_headers.c>
    Header always set Toto "test"
</IfModule>

=> header "Toto: test" is appended only after authentication, which confirms that during the authentication negotiation, mod_auth takes over mod_headers and "Header" directives are not evaluated.

@pchampin
Member

pchampin commented Jul 7, 2020

Ok, so I agree with you: the only solution is to let kTBS manage its own authorization (authentication could still be managed by Apache, though).

This bumps up the priority of ktbs/ktbs#81 ... :-/
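The server-side half of the workaround discussed above (answer a 401 without a "WWW-Authenticate" challenge when the request carries "X-Requested-With: XMLHttpRequest"), done in application code as this thread concludes rather than in Apache. This is an added example, not kTBS code; the realm name and the credential store are assumptions, and handle() returns the status, header list and body a WSGI wrapper would pass to start_response.

```python
# Added example (not kTBS code): an application-level 401 handler that drops
# the WWW-Authenticate challenge for requests flagged as API calls, so the
# browser stays quiet and the page's script handles the 401 itself.
import base64
import hmac

REALM = "ktbs"  # assumed realm name
# Constructed sample credential store; a real deployment would store hashes.
USERS = {"alice": "s3cret"}

def is_api_request(headers):
    """True when the client marked the request as coming from script."""
    return headers.get("X-Requested-With", "").lower() == "xmlhttprequest"

def check_basic_auth(authorization):
    """Return the user name if the Basic credentials are valid, else None."""
    if not authorization.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    expected = USERS.get(user)
    if not sep or expected is None:
        return None
    # constant-time comparison so a wrong password does not leak timing
    return user if hmac.compare_digest(password.encode(), expected.encode()) else None

def unauthorized_headers(headers):
    """Headers for a 401; the challenge is omitted for API requests."""
    out = [("Content-Type", "text/plain")]
    if not is_api_request(headers):
        out.append(("WWW-Authenticate", 'Basic realm="%s"' % REALM))
    return out

def handle(environ):
    """Decide status, headers and body for one request (WSGI-style environ)."""
    headers = {
        "X-Requested-With": environ.get("HTTP_X_REQUESTED_WITH", ""),
        "Authorization": environ.get("HTTP_AUTHORIZATION", ""),
    }
    user = check_basic_auth(headers["Authorization"])
    if user is None:
        return "401 Unauthorized", unauthorized_headers(headers), b"auth required\n"
    return "200 OK", [("Content-Type", "text/plain")], ("hello %s\n" % user).encode()
```

A plain browser navigation still gets the challenge and the dialog, while a script that sets the marker header receives a bare 401 it can handle itself.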

hsaladin added a commit that referenced this issue Jul 7, 2020
- added HTTP requests header "X-Requested-With": "XMLHttpRequest" in order to let server recognize API requests (will be useful to improve authentication workflow: see #4)
@pchampin
Member

@hsaladin I believe this has since been fixed, right?
