Monday, November 15, 2010

Avoiding browser popup for 401

If you are writing a web application that consumes RESTful web services which enforce HTTP basic authentication, you may face a problem where the browser may pop up a dialog box on the authentication failure (HTTP status: 401) before even your error handler code is called. This happens especially when the web application does not have any controller on the server side. For example, an application written using a client-side JavaScript framework such as Ext-JS.

The browser's HTTP user-agent obviously follows the HTTP protocol which says the following for 401.
The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource.

14.47 WWW-Authenticate

The WWW-Authenticate response-header field MUST be included in 401 (Unauthorized) response messages. The field value consists of at least one challenge that indicates the authentication scheme(s) and parameters applicable to the Request-URI.

where the contents of a challenge may itself contain a comma-separated list of authentication parameters. The authentication parameter realm is defined for all authentication schemes:

With some trial and error, we found that the pop up is triggered not due to the presence of 401 but due to the presence of the challenge.

So, as a web service developer, if you want to help service consumers disable the pop up and still send 401, you could use a trick. Replace Basic with your own scheme, e.g. xBasic as shown below.

To do this with Spring Security, you would want to override the commence method of the default

Write your own entry point, e.g. MyBasicAuthenticationEntryPoint as shown below.

Then plugin your entry point into the basic authentication filter as follows:

Thanks to Venkat Mantirraju in helping figure this out.


  1. This comment has been removed by the author.

  2. Note that if using security:http-basic you do not need to define basicAuthenticationFilter but should define it as

    security:http-basic entry-point-ref="myBasicAuthenticationEntryPoint"

    Sorry about no tags but I can't get formatting to work, code blocks aren't allowed.

    1. Very helpful addition to this helpful post!

    2. Really Very Nice Addition for this post. +1 from my side as well.
      Request for blog owner to update the configuration please?

  3. Nice, but it doesnt seem to work for FF.

  4. your blog is trust worthy

  5. I am on the other side ,For CORS request I want to show the native browser pop up for basic auth, But I am not able to.

    I am setting all CORS and basic auth header correctly, even responding with 401, but browser is not showing the pop up

  6. love this type posts keep this type of posts. lovely work keep this work up.

    Laptop on rent in noida
    lcd led repairing institute in laxmi nagar

  7. Би тийм сайн өгүүллийг уншихаасаа хойш удаан хугацаа өнгөрч байна. Баярлалаа

    may ngam chan

    máy ngâm chân giải độc

    bồn massage chân

    máy ngâm chân

  8. Angst verschwendet nur Zeit,( máy khuếch tán tinh dầu )sie ändert nichts,máy khuếch tán tinh dầu refeshener zusätzlich nimmt sie die( máy khuếch tán tinh dầu hà nội ) Freude und macht Sie immer( máy phun sương tinh dầu )beschäftigt, ohne etwas zu erreichen.

  9. Remote Monitoring and Control system
    SCADA Base Remote Monitoring
    Greetings! Very helpful advice within this post! It is the little changes that produce the most important changes. Thanks a lot for sharing!`

  10. Es fácil ganarse una confianza que( tam san be tong sieu nhe ) es fácil de destruir, es ( Sàn panel Đức Lâm ) importante no engañar a los grandes( nhà thép dân dụng ) o pequeños,( xây nhà bằng bê tông siêu nhẹ ) pero el engaño ha sido el problema

  11. This comment has been removed by the author.

  12. Thanks for sharing your post. If anyone needs audit for smart contract contact us.

  13. Van bướm gang đĩa inox tay quay là thiết bị, được sử dụng sử dụng để đóng mở hoặc điều tiết dòng chảy trong hệ thống đường ống, có đường kính lớn. Loại van này, tương tự như một van bi. Đĩa van được đặt chính giữa đường ống. Đĩa kết nối với thiết bị truyền động bên ngoài ( tay quay ) thông qua một thanh trục bằng kim loại. Khi xoay vô lăng ( tay quay ) thì đĩa van vận động tuy vậy song hoặc vuông góc với dòng chảy tương ứng với việc đóng mở đường ống.

  14. Love your content and love....thanks a lots
    hiring SEO

  15. Bài viết rất hay, cảm ơn tác giả đã chia sẻ những bổ ích, tôi cảm thấy rát phù hợp
    5 lý do nên dùng táp đầu giường tân cổ điển

  16. This comment has been removed by the author.

  17. Sumadhura Folium is a new apartment project launched by Sumadhura Properties Pvt. Ltd. There are 2 & 3 BHK plots for sale in Whitefield, Bengaluru. People are grabbing their dream homes from Sumadhura Folium because of the Pre Launch Offers and the trust on the Sumadhura developer and Builders. website;

  18. This is really interesting, You’re a very skilled blogger.
    AC Repairing Course


  19. Thank you sharing the informative article . This is useful article for us.

  20. I am so grateful to Thanks for sharing this submission site list.
    Buy Cactuses And Succulents Plants Online India

  21. love this type posts keep this type of posts. lovely work keep this work up. Air Conditioning Repair Service

  22. Thanks for sharing such a great blog Keep posting.
    link text

    Laptop on rent in delhi

  23. Love this type posts keep this type of posts. lovely work keep this work up.

    Desktop or Computer on Rent in Delhi

  24. Thank you for sharing useful information with us. please keep sharing like this.

    Career Counselling for Students in Noida

  25. uhm
    ForLike – Cung cấp dịch vụ seeding facebook tốt nhất và rẻ nhất thị trường, giải pháp tăng Like, Share, Comment, Follow, Reactions

    Địa chỉ: Times City T10, Minh Khai, Vĩnh Phú, Hai Bà Trưng, Hà Nội


    Điện thoại: 0969 56 57 44

  26. This comment has been removed by the author.