line / armeria

Your go-to microservice framework for any situation, from the creator of Netty et al. You can build any type of microservice leveraging your favorite technologies, including gRPC, Thrift, Kotlin, Retrofit, Reactive Streams, Spring Boot and Dropwizard.
https://armeria.dev
Apache License 2.0

Default `AuthFailureHandler` for basic access authentication #4997

Open ikhoon opened 1 year ago

ikhoon commented 1 year ago

The original default AuthFailureHandler of AuthService returns a 401 Unauthorized status without any additional headers. https://github.com/line/armeria/blob/5abd98ae5c1cb747b1c754f44f840a2756fe6c3e/core/src/main/java/com/linecorp/armeria/server/auth/AuthServiceBuilder.java#L42-L47 As the default failed response does not include a `WWW-Authenticate: Basic realm="Accessing to ..."` header, users only see 401 Unauthorized but no prompt for login.

If basic access authentication is configured, many users usually expect to see a prompt to enter their ID and password by default. However, a prompt is shown only when a custom error response for WWW-Authenticate is explicitly defined.

```java
AuthService
  .builder()
  .addBasicAuth(httpBasicAuthorizer)
  .onFailure((delegate, ctx, req, cause) -> {
    return HttpResponse.of(ResponseHeaders.builder(HttpStatus.UNAUTHORIZED)
                                          .add(HttpHeaderNames.WWW_AUTHENTICATE,
                                               "Basic realm=\"Accessing to the ...\"")
                                          .build());
  }).newDecorator();
```

I don't see this as a sensible default for basic auth, so I propose to return a `WWW-Authenticate: Basic realm="Accessing to ..."` header when only basic access authentication is configured for AuthService.
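The proposal above, worked through as an added example (not code from the Armeria project or from the issue author): a small `AuthFailureHandler` that emits the `WWW-Authenticate` challenge on every failed basic-auth attempt, wired into an `AuthService` decorator and a `Server`. The realm string `REALM`, the credential check in `checkCredentials`, the `/secure` path and port 8080 are all assumptions made for this example; the Armeria types used (`AuthService`, `AuthFailureHandler`, `Authorizer`, `BasicToken`, `ResponseHeaders`, `HttpHeaderNames`) are the project's public API.

```java
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;

import com.linecorp.armeria.common.HttpHeaderNames;
import com.linecorp.armeria.common.HttpRequest;
import com.linecorp.armeria.common.HttpResponse;
import com.linecorp.armeria.common.HttpStatus;
import com.linecorp.armeria.common.ResponseHeaders;
import com.linecorp.armeria.common.auth.BasicToken;
import com.linecorp.armeria.server.HttpService;
import com.linecorp.armeria.server.Server;
import com.linecorp.armeria.server.ServiceRequestContext;
import com.linecorp.armeria.server.auth.AuthFailureHandler;
import com.linecorp.armeria.server.auth.AuthService;
import com.linecorp.armeria.server.auth.Authorizer;

public final class BasicAuthChallengeExample {

    // Placeholder realm; the issue elides the real value ("Accessing to ...").
    private static final String REALM = "example-realm";

    /**
     * Builds the 401 response that makes browsers show a login prompt.
     * RFC 7617 requires the realm value to be a quoted-string, so embedded
     * double quotes are escaped rather than passed through.
     */
    static ResponseHeaders basicAuthChallenge(String realm) {
        final String quotedRealm = '"' + realm.replace("\"", "\\\"") + '"';
        return ResponseHeaders.builder(HttpStatus.UNAUTHORIZED)
                              .add(HttpHeaderNames.WWW_AUTHENTICATE, "Basic realm=" + quotedRealm)
                              .build();
    }

    /**
     * Failure handler equivalent to the custom onFailure() in the issue.
     * The cause is deliberately not echoed into the response body: the client
     * only needs the challenge header, not details of why the check failed.
     */
    static final AuthFailureHandler BASIC_AUTH_FAILURE_HANDLER =
            (HttpService delegate, ServiceRequestContext ctx, HttpRequest req, Throwable cause) ->
                    HttpResponse.of(basicAuthChallenge(REALM));

    /**
     * Hypothetical credential check. A real authorizer would look the user up in
     * a store and compare the password with a constant-time hash comparison.
     */
    static CompletionStage<Boolean> checkCredentials(ServiceRequestContext ctx, BasicToken token) {
        final boolean ok = "alice".equals(token.username()) && "s3cret".equals(token.password());
        return CompletableFuture.completedFuture(ok);
    }

    public static void main(String[] args) {
        final Authorizer<BasicToken> authorizer = BasicAuthChallengeExample::checkCredentials;

        // Same shape as the issue's snippet, with the challenge factored into a handler.
        final HttpService protectedService = (ctx, req) -> HttpResponse.of("hello, authenticated user");
        final HttpService decorated = protectedService.decorate(
                AuthService.builder()
                           .addBasicAuth(authorizer)
                           .onFailure(BASIC_AUTH_FAILURE_HANDLER)
                           .newDecorator());

        final Server server = Server.builder()
                                    .http(8080)
                                    .service("/secure", decorated)
                                    .build();
        server.start().join();
    }
}
```

A request to `/secure` without credentials (or with wrong ones) now gets `401 Unauthorized` plus `WWW-Authenticate: Basic realm="example-realm"`, which is what triggers the browser prompt the issue asks for by default; with `alice`/`s3cret` the decorated service responds normally.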

erie0210 commented 1 year ago

I'd like to work on this issue :)