Don't add WWW-Authenticate header to response on AuthenticationException

2016-02-25 11:03:04 -08:00 · 2016-02-25 11:03:04 -08:00 · d11cbab15c
parent 1ba0ae3960
commit d11cbab15c
2 changed files with 11 additions and 4 deletions
--- a/hapi-fhir-base/src/main/java/ca/uhn/fhir/rest/server/RestfulServer.java
+++ b/hapi-fhir-base/src/main/java/ca/uhn/fhir/rest/server/RestfulServer.java
@ -649,10 +649,6 @@ public class RestfulServer extends HttpServlet implements IRestfulServer<Servlet
 				}
 			}

-			if (requestIsBrowser) {
-				// if request is coming from a browser, prompt the user to enter login credentials
-				theResponse.setHeader("WWW-Authenticate", "BASIC realm=\"FHIR\"");
-			}
 			writeExceptionToResponse(theResponse, e);

 		} catch (Throwable e) {
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@ -66,6 +66,17 @@
 				resource. This is being used as a part of the May 2016 Connectathon for
 				a testing scenario.
 			</action>
+			<action type="add">
+				The server no longer adds a 
+				<![CDATA[<code>WWW-Authenticate</code>]]>
+				header to the response if any resource provider code throws an
+				<![CDATA[<code>AuthenticationException</code>]]>. This header is 
+				used for interactive authentication, which isn't generally 
+				appropriate for FHIR. We added code to add this header a long time
+				ago for testing purposes and it never got removed. Please let us
+				know if you need the ability to add this header automatically. Thanks
+				to Lars Kristian Roland for pointing this out.
+			</action>
 		</release>
 		<release version="1.4" date="2016-02-04">
 			<action type="add">