Closed edevosc2c closed 1 month ago
I couldn't find a relationship between the georchestra.gateway.security.header-authentication.enabled configuration and the reported defect.
With 1.0.0, the defect is visible regardless of the mentioned configuration setting.
I've created the following pull requests that, as far as I can tell, fix it for good:
Looking forward to your comments.
On ?login, for example for /geonetwork/?login, gateway does not redirect the same way between when header-authentication (sec-*) is enabled and is not enabled.
It seems like when header-authentication (sec-*) is enabled, gateway will redirect to /login only if it finds text/html in the Accept header. If it doesn't, it will try to force basic auth to the client.
Example on INRAE with header-authentication (sec-*) is enabled
With no Accept header
With "text/html" in the Accept header
Example on MEL with header-authentication (sec-*) is not enabled
With no Accept header
With "text/html" in the Accept header
Due to this redirection behavior, this breaks the geonetwork metadata visualization page. The user receives an authentication popup dialog and has to decline it in order to have the page fully loaded.
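A way to check a deployment for the inconsistency described in this issue, as an added example that is not part of the original issue or of the gateway's code. It assumes the redirect is any 3xx whose Location path ends in /login and that the basic-auth prompt is a 401 with a `WWW-Authenticate: Basic` header; the function names and the sample responses are constructed for illustration.

```python
"""Check how a gateway answers ?login with and without text/html in Accept."""
import urllib.error
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx as an HTTPError instead of following it


def classify(status, headers):
    """Map a response to the login behaviour it triggers in a client."""
    h = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and h.get("location", "").split("?")[0].endswith("/login"):
        return "login-redirect"
    if status == 401 and h.get("www-authenticate", "").lower().startswith("basic"):
        return "basic-auth-popup"  # browsers show the credentials dialog
    return "other"


def probe(url, accept=None):
    """Send one GET without following redirects and classify the answer."""
    req = urllib.request.Request(url, headers={"Accept": accept} if accept else {})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=10) as resp:
            return classify(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:  # unfollowed 3xx and 4xx arrive here
        return classify(err.code, dict(err.headers))


def consistent(no_accept, html_accept):
    """True when both request variants lead to the same login behaviour."""
    return no_accept == html_accept


# Constructed responses modelling the two cases described in the issue
# (status codes and realm are assumptions, not captured traffic).
SAMPLE_NO_ACCEPT = (401, {"WWW-Authenticate": 'Basic realm="Realm"'})
SAMPLE_HTML = (302, {"Location": "/login"})

if __name__ == "__main__":
    a, b = classify(*SAMPLE_NO_ACCEPT), classify(*SAMPLE_HTML)
    print(a, b, "consistent" if consistent(a, b) else "inconsistent")
```

Against a live gateway, compare `probe(url)` with `probe(url, "text/html")` for the same `?login` URL; the two results should match once the behaviour is fixed.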