Hello everyone.
I am looking for a way to disable the basic authentication that happens automatically for web scripts when they require authentication.
I am developing a custom web application which is backed by a number of web scripts which require an authenticated user. However, rather than relying on the browser-based basic auth mechanism, we prefer to rely on our own login form which delegates to an authentication web script which takes a username and password explicitly. This authentication web script then returns a ticket, and we are using the ticket for all subsequent interaction with other web scripts.
My problem is that when a web script is requested with an expired ticket, this leads to a 401 error and a basic authentication prompt in the user's browser. We don't want to use that prompt for authentication due to usability and other concerns; instead, we simply want to detect the 401 (or 403 maybe) indicating that the user is not authenticated, then redirect to a login page that can use our custom authentication web script, without the nasty browser-based basic authentication popping up.
I tried mucking around with some of the settings in webscript-framework-config.xml, such as adding <basic-auth>false</basic-auth> to the "alfresco" endpoint, but I had no success.
Does anyone know the right way to do this? Do I need to write my own authenticator class or something?
FYI, we are using Alfresco Enterprise 3.2.1.2.
Update: The more I read about 401 errors, the more I am convinced that they always must include an authentication challenge of some kind; so perhaps what I really need is a way to simply always return a 403 error unless the user has provided a ticket. Perhaps I will need to override/extend/replace HTTPRequestAuthenticationFilter with my own implementation that doesn't bother looking for an auth header, and that returns 403 instead of 401…?
Thanks.
-Jason
Jason Duke
Blue Fish Development Group
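The 403-instead-of-401 idea from the update, sketched as an added example that is not part of the original post and is not Alfresco code. It uses only the standard `javax.servlet` API; the class name `NoBasicChallengeFilter` is hypothetical, and it assumes the filter is mapped in `web.xml` ahead of whatever filter or servlet issues the 401 for the web script URLs.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter (name and mapping are assumptions): rewrites 401 to 403 and
// drops the WWW-Authenticate challenge, so the browser never opens its Basic auth dialog.
public class NoBasicChallengeFilter implements Filter {

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Everything downstream writes to the wrapper, not the real response.
        chain.doFilter(req, new ChallengeStrippingResponse((HttpServletResponse) res));
    }

    static class ChallengeStrippingResponse extends HttpServletResponseWrapper {
        ChallengeStrippingResponse(HttpServletResponse response) { super(response); }

        // 401 requires a challenge header; 403 does not, so map one to the other.
        private static int map(int sc) {
            return sc == SC_UNAUTHORIZED ? SC_FORBIDDEN : sc;
        }

        private static boolean isChallenge(String name) {
            return "WWW-Authenticate".equalsIgnoreCase(name);
        }

        @Override public void setStatus(int sc) { super.setStatus(map(sc)); }

        @Override public void sendError(int sc) throws IOException {
            super.sendError(map(sc));
        }

        @Override public void sendError(int sc, String msg) throws IOException {
            super.sendError(map(sc), msg);
        }

        // Swallow the challenge header however the downstream code tries to set it.
        @Override public void setHeader(String name, String value) {
            if (!isChallenge(name)) super.setHeader(name, value);
        }

        @Override public void addHeader(String name, String value) {
            if (!isChallenge(name)) super.addHeader(name, value);
        }
    }
}
```

With this in place the client can no longer tell "not authenticated" from "authenticated but not permitted" by status code alone, so the login-redirect logic has to treat every 403 from these URLs as a prompt to re-authenticate or carry its own marker in the response body.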