so i have a webpage with a login section. Login is done with .htaccess and .htpasswd file. That works fine. Now i need to style or customize the "unauthorized" page that results after closing the authentification prompt.
Here is my problem: If I request the page, .htaccess kicks in and wants me to authenticate, resulting in a status code of 401. But if I close the promt, I get the "Unauthorized
This server could not verify that you are authorized..." response with an status code of also 401 back.
Question: Is there a way to differentiate the statuscode 401 of a page pre authentification and after closing the promtp?
You might want to look at the documentation for this.
perhaps also set the 401 document
ErrorDocument 401 "/login.shtml"
Related
I have some code that looks at "Basic Authorization" requests from many different sites.
I want to know if I can make the following assumptions:
A successful response (credentials are correct) will always have response code 200 OK
A failed response (incorrect credentials) will always have response code 401 Unauthorized
Are the above fair assumptions, or is the success/fail conditions configurable per site?
No, there are other possible response codes.
According to the official spec, there can also be the error code 407.
Also, on MDN:
If a (proxy) server receives invalid credentials, it should respond with a 401 Unauthorized or with a 407 Proxy Authentication Required, and the user may send a new request or replace the Authorization header field.
If a (proxy) server receives valid credentials that are inadequate to access a given resource, the server should respond with the 403 Forbidden status code. Unlike 401 Unauthorized or 407 Proxy Authentication Required, authentication is impossible for this user and browsers will not propose a new attempt.
In all cases, the server may prefer returning a 404 Not Found status code, to hide the existence of the page to a user without adequate privileges or not correctly authenticated.
Besides that, I'm quite sure that an actual successful attempt will result in status code 200.
I have created an app (backend and frontend) that is mainly used on a Windows intranet. I'm using Kerberos authentication to do SSO so that anyone logged in to Windows domain is automatically authenticated to the server. To do this I set up Kerberos SPN for server and configured browsers etc and is all working fine in the normal scenario. My problem is that I need to continue if the user is not authenticated (ie connects from outside the Windows domain or does not have their browser configured correctly).
In summary there are two scenarios:
if authenticated OK continue with authorization granted for their ID [currently works]
if not authenticated continue with no (public) authorization [does not work]
In the first case the HTTP requests/responses are:
a. frontend: initial HTTP request
b. backend: no auth found so return 401 unauthorized with WWW-Authenticate:Negotiate header
c. frontend: re-sends request with Authorization header -> decoded to get the login ID
In the 2nd case:
a. frontend: initial HTTP request
b. backend: no auth found so return 401 with WWW-Authenticate:Negotiate (and error text in the body)
c. frontend: browser stops (displaying the body of the response as text to the user)
This is the crux of the problem I need to somehow avoid the browser just completely bombing (as at step c above).
Solutions I have tried:
display a message to the user about how to adjust browser settings to allow SSO to work in the body of the 401 response message. This is pretty ugly looking and does not work for connections from outisde the domain
Tried a 301 redirect in stead of 401 unauthorized response, but the browser does not like this.
Tried a redirect using javascript in the 401 response body, but it is not executed.
Have the backend send 401 but with WWW-Authenticate:Negotiate,Basic. But this display an unneeded login/password dialog and still fails if they don't login.
What I really need is an None option, ie: WWW-Authenticate:Negotiate,None then continue with no auth if the subsequent frontend request indicate "None" was used.
Of course, there isn't a "None" option. :(
It seems that this should be a fairly typical scenario but I have been researching this to no avail for 3 days now. Any advice would be greatly appreciated.
If the browser is connecting from outside the intranet then just continue. That is do not send the 401 response at all (no auth). You should be able to tell from the IP address where they connect from.
Another option is to redirect using JS in a page in the 401 body. As mentioned above I think you need to include Content-type: text/html or Content-type: text/javascript.
The response of Authentication grand code for the request which i pass is 200 Ok. But am getting an html response in that. i couldn't find any code. Can You please help me.?
https://account-d.docusign.com/oauth/auth?response_type=code&scope=signature&client_id=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXfeeb89&redirect_uri=https://localhost:44330/callback
This is the request which i send. But not receiving the authentication code. But It shows 200 OK.
In the admin tool, check that your integration key is set to use Authorization Code grant, not Implicit grant.
Also check that you've authorized your exact callback URI for your integration key.
If you're not getting any errors from DocuSign, then authenticate yourself and the your browser will then be redirected to your redirect uri, in this case https://localhost:44330/callback
I have a problem with JMeter. When I try to send some request, it returns me a 403 Forbidden status code. I know that it needs an authentication, I've seen many things about that.
I'm working with Apache ActiveMQ Artemis. I need to execute some API request, which removes all messages in the queue. The API looks like that:
http://10.2.5.23:8161/console/jolokia/exec/org.apache.activemq.artemis:broker=%220.0.0.0%22,component=addresses,address=%22TEST.GSH%22,subcomponent=queues,routing-type=%22anycast%22,queue=%22TEST.GSH%22/removeAllMessages()
When I try to execute it, it returns me a 403 Forbidden status code. I've tried to add HTTP Authorization Manager, added this url and typed username and password, but still it gives me the same output.
This is from where I login, also I added this in HTTP Authorization Manager and set the username and password.
http://10.2.5.23:8161/console/login
Any idea or advice will help me.
I know that here are questions like mine, but I have not found what would help me.
The answer was quite simple. I've just added in HTTP Header Manager an authorization with Basic encoded. Now it works fine. But I have one question, why did HTTP Authorization Manager not work ? Why should i add authorization in header ? I can't make it only with HTTP Authorization Manager ?
I need to return error code 400, when user enter bad credintials for suppress browser's basic auth dialog
But i cannot change response code on server side.
I guess it is possible with some .htaccess rules, but google don't have a answer to my question, i just found solutions for 403 -> 404, but it don't work for me.
How can i do that?
You can send custom error responses but you cannot change the actual error code returned. That would be a very practice.
See https://httpd.apache.org/docs/2.4/custom-error.html
Btw, if you enter bad credentials, you will be taken to the 401 page. You'll only get the auth dialog again if you try to reload the page (or, try to load protected items from the 401 page itself, which of course creates an infinite loop and never allows you to escape the auth dialog).