Monday, November 15, 2010

Avoiding browser popup for 401

If you are writing a web application that consumes RESTful web services which enforce HTTP basic authentication, you may face a problem where the browser may pop up a dialog box on the authentication failure (HTTP status: 401) before even your error handler code is called. This happens especially when the web application does not have any controller on the server side. For example, an application written using a client-side JavaScript framework such as Ext-JS.

The browser's HTTP user-agent obviously follows the HTTP protocol which says the following for 401.
The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource.

14.47 WWW-Authenticate

The WWW-Authenticate response-header field MUST be included in 401 (Unauthorized) response messages. The field value consists of at least one challenge that indicates the authentication scheme(s) and parameters applicable to the Request-URI.

where the contents of a challenge may itself contain a comma-separated list of authentication parameters. The authentication parameter realm is defined for all authentication schemes:

With some trial and error, we found that the pop up is triggered not due to the presence of 401 but due to the presence of the challenge.

So, as a web service developer, if you want to help service consumers disable the pop up and still send 401, you could use a trick. Replace Basic with your own scheme, e.g. xBasic as shown below.

To do this with Spring Security, you would want to override the commence method of the default

Write your own entry point, e.g. MyBasicAuthenticationEntryPoint as shown below.

Then plugin your entry point into the basic authentication filter as follows:

Thanks to Venkat Mantirraju in helping figure this out.


  1. This comment has been removed by the author.

  2. Note that if using security:http-basic you do not need to define basicAuthenticationFilter but should define it as

    security:http-basic entry-point-ref="myBasicAuthenticationEntryPoint"

    Sorry about no tags but I can't get formatting to work, code blocks aren't allowed.

    1. Very helpful addition to this helpful post!

    2. Really Very Nice Addition for this post. +1 from my side as well.
      Request for blog owner to update the configuration please?

  3. Nice, but it doesnt seem to work for FF.

  4. your blog is trust worthy

  5. I am on the other side ,For CORS request I want to show the native browser pop up for basic auth, But I am not able to.

    I am setting all CORS and basic auth header correctly, even responding with 401, but browser is not showing the pop up

  6. love this type posts keep this type of posts. lovely work keep this work up.

    Laptop on rent in noida
    lcd led repairing institute in laxmi nagar

  7. Би тийм сайн өгүүллийг уншихаасаа хойш удаан хугацаа өнгөрч байна. Баярлалаа

    may ngam chan

    máy ngâm chân giải độc

    bồn massage chân

    máy ngâm chân

  8. Angst verschwendet nur Zeit,( máy khuếch tán tinh dầu )sie ändert nichts,máy khuếch tán tinh dầu refeshener zusätzlich nimmt sie die( máy khuếch tán tinh dầu hà nội ) Freude und macht Sie immer( máy phun sương tinh dầu )beschäftigt, ohne etwas zu erreichen.

  9. Nội Thất Trẻ Em Bảo An Kids là doanh nghiệp chuyên thiết kế và thi công các sản phẩm nội thất trẻ em bao gồm: Phòng ngủ trẻ em, Giường tầng, bàn học đẹp, kệ sách, bàn học bé trai, làm mới không gian phòng ngủ với giường tầng thông minh cho trẻ, tủ treo quần áo…

  10. Remote Monitoring and Control system
    SCADA Base Remote Monitoring
    Greetings! Very helpful advice within this post! It is the little changes that produce the most important changes. Thanks a lot for sharing!`

  11. Tökezlediğiniz ve ayağa kalkıp(  taxi Nội Bài ) devam edemediğiniz gibi görünen zamanlar vardır, lütfen bazen zorlukların üstesinden gelmenize yardımcı olacak, yaşamınızla( Đặt taxi nội bài chưa bao giờ dễ dàng đến thế ) ilgili iyi sözleri deneyin. Ve devam( Hé lộ dịch vụ taxi Nội Bài giá rẻ ) et. Aşağıdaki makale, yaşam hakkında 100'den fazla güzel kelime size tanıtır.

  12. Es fácil ganarse una confianza que( tam san be tong sieu nhe ) es fácil de destruir, es ( Sàn panel Đức Lâm ) importante no engañar a los grandes( nhà thép dân dụng ) o pequeños,( xây nhà bằng bê tông siêu nhẹ ) pero el engaño ha sido el problema