Hello,
I want to use an Apache reverse proxy to do authentication with LDAP/OpenID and use the Username Authorizer to control the access to the workers.
I successfully installed the reverse proxy and I can forward the identity of the users to SignServer. However, if a user tries to sign with a worker he is not allowed to use, an authentication pop-up will appear and entering the username of someone allowed to use this worker will sign the file, instead of redirecting to a page reading "Authorization failed : Client is not authorized:".
How can I disable this pop-up and let my reverse proxy manage the authentication alone?
Thanks a lot in advance.
Regards.
Hi Axel,
I suspect the issue could be that the UsernameAuthorizer sends an error 401/Unauthorized and sets the WWW-Authenticate header, causing the browser to display the login dialog, instead of sending error 403/Forbidden.
I am not completely sure what would be the correct way. As it is now it is convenient if one enters the wrong username/password to be asked again instead of directly getting the failure. Maybe this should be changed.
As you have a proxy taking care of the authentication maybe you could unset the WWW-Authenticate HTTP header in the response and maybe that is enough for the browser to not display the login dialog?
Cheers,
Markus
PrimeKey
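The header removal suggested in the reply above could look like this in the proxy's configuration. This is an added example, not configuration posted by either participant; the `/signserver` path and the backend URL are placeholder assumptions, and mod_proxy, mod_proxy_http and mod_headers are assumed to be loaded.

```apache
# Added example: strip the backend's authentication challenge at the reverse proxy.
# The location path and backend address below are placeholders, not values from the thread.
<Location "/signserver">
    # The site's own LDAP/OpenID authentication directives for this location go here.

    ProxyPass        "http://127.0.0.1:8080/signserver"
    ProxyPassReverse "http://127.0.0.1:8080/signserver"

    # Remove the WWW-Authenticate header that the backend sends with its 401,
    # so the browser shows the error page instead of opening a login dialog.
    # The default (onsuccess) condition acts on headers received from the proxied
    # backend. Apache's own error responses use the "always" table, so a challenge
    # issued by the proxy itself (for example Basic auth against LDAP) is left alone.
    Header unset WWW-Authenticate
</Location>
```

After reloading Apache, a request to a worker the forwarded user is not authorized for should still return 401 from the backend, but without a `WWW-Authenticate` header in the response the browser receives.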
Hi Markus,
I'm sorry, the issue was on my side: my identity forwarding wasn't properly configured for OpenID.
Thanks for your help.
Regards,
Axel