Option to return HTTP 401/403 instead of HTTP 303 (for XHR requests only)
Closed this issue · 3 comments
Folks,
Sometimes a session expires and any XHR request results in a silent redirect returning the IdP login page HTML (a bit unexpected behavior, which requires special handling on the client side).
Would it make sense to return HTTP 401 or 403 in case the request headers contain
X-Requested-With: XMLHttpRequest
and the session is over? (configurable option)
Relevant links:
https://issues.jboss.org/browse/PLINK-273
http://stackoverflow.com/questions/7042865/what-is-the-common-http-header-for-request-by-js-libs
What are your thoughts?
Thanks.
Probably, to do such things in a more generic and flexible way you could introduce MellonNoRedirectCondition option[s].
If the user is not logged in, by default return redirect 303. If MellonNoRedirectCondition is set, evaluate this condition and return 401 if it is true (just not authorized).
...
MellonNoRedirectCondition IM_ROBOT # if header IM_ROBOT return 401 for not logged users OR...
MellonNoRedirectCondition SomeHeader somevalue # if header SomeHeader == somevalue return 401 for not logged users
I would rather not introduce a complicated condition system for dealing with AJAX calls. Wouldn't marking the endpoints with MellonEnable info work? E.g.:
<Location />
    # Standard mod_auth_mellon config
    MellonEnable "auth"
    # [...]
</Location>

<Location /api>
    # API endpoints are under this location. Don't try to trigger authentication here.
    MellonEnable "info"
    require valid-user
</Location>
I haven't heard back here, so I am going to assume that my suggestion works. Closing this issue.
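As an added example (not code from the mod_auth_mellon project or from anyone in this thread), here is a browser-side fetch wrapper that tells the two outcomes discussed above apart: an explicit 401/403 from a location covered by MellonEnable "info" + require valid-user, versus the legacy case where the browser silently followed the 303 and the "API response" is really the IdP login page. The application origin, the URLs and the constructed responses are assumptions for illustration.

```javascript
// Added example, not from the mod_auth_mellon project.
// Classifies what a fetch()/XHR call to an API endpoint got back once the SAML
// session has expired. Works on a fetch()-style Response (status, ok, url,
// redirected, headers.get), so it can be exercised with constructed objects offline.

const API_ORIGIN = "https://app.example.com"; // assumed application origin

function classifyApiResponse(resp) {
  // Location covered by MellonEnable "info" + require valid-user: no redirect,
  // Apache answers 401 (or 403) directly, so the client can prompt for re-login.
  if (resp.status === 401 || resp.status === 403) {
    return "unauthenticated";
  }
  const contentType = (resp.headers.get("content-type") || "").toLowerCase();
  const sameOrigin = new URL(resp.url, API_ORIGIN).origin === API_ORIGIN;
  // Location covered by MellonEnable "auth": the 303 to the IdP was followed
  // silently, so the call either ended on another origin or a "JSON" endpoint
  // came back as an HTML document (the IdP login page).
  if (resp.redirected && !sameOrigin) {
    return "redirected-to-login";
  }
  if (resp.ok && contentType.startsWith("text/html")) {
    return "redirected-to-login";
  }
  return resp.ok ? "ok" : "error";
}

// Builds a constructed Response-like object (stands in for a real fetch() result).
function makeResponse({ status, url, redirected = false, contentType = "application/json" }) {
  const headers = new Map([["content-type", contentType]]);
  return { status, ok: status >= 200 && status < 300, url, redirected, headers };
}

// Wrapper the application would call instead of fetch() for XHR-style API calls.
// Note: a cross-origin redirect may also surface as a rejected fetch (network error);
// callers should treat that the same way as "redirected-to-login".
async function callApi(path, fetchImpl = fetch) {
  const resp = await fetchImpl(API_ORIGIN + path, {
    headers: { "X-Requested-With": "XMLHttpRequest", Accept: "application/json" },
    redirect: "follow",
  });
  const verdict = classifyApiResponse(resp);
  if (verdict !== "ok") {
    // e.g. reload the page so the regular MellonEnable "auth" flow re-establishes the session
    throw new Error(`API call ${path}: ${verdict}`);
  }
  return resp;
}
```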