Forum Discussion
Erich_Rockman_1
Cirrus
It's not an error. I am returning the Access is Denied to the client in an HTTP::respond. The Authorization header is sent with the request and the WWW-Authenticate header is sent in the response. I am not looking to overwrite/replace the server response, I am looking to check that the user that is successfully authenticated by the server matches a username in a list that I provide. It seems like I cannot do both.
Kai_Wilke
Dec 11, 2015
MVP
Hi Erich,
I don't understand why you want the validity check to happen "after" the user has already logged in to your server?
In my opinion, it's far more effective to check already on HTTP_REQUEST if the username is whitelisted and, depending on your desired action, to "ask for credentials" or simply send an "access denied message" if an unknown or no username was submitted.
In addition, an HTTP_RESPONSE filter could be implemented to check if the authentication was denied for the already whitelisted username. The check could then suppress/change/manipulate the response if needed to either become an "ask again for credentials" (aka. 401) or "access denied message" (aka. 403) response.
Please describe your needs and the intention behind them as best as possible. It will allow us to help you without assuming things.
Thanks!
Cheers, Kai
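The request-side allowlist check and response-side filter described in the reply above, sketched as an iRule. This is an added example, not code posted by either participant. It assumes HTTP Basic authentication (so that `HTTP::username` can read the submitted name), a hypothetical string data group named `allowed_users` holding lowercase usernames, and a placeholder realm string.

```tcl
when HTTP_REQUEST {
    # Assumption: Basic auth. HTTP::username returns an empty string when no
    # Basic Authorization header was sent with the request.
    set auth_user [string tolower [HTTP::username]]
    set user_allowed 0

    if { $auth_user eq "" } {
        # No username submitted: ask for credentials.
        # The realm value is a placeholder for this example.
        HTTP::respond 401 content "Authentication required" \
            WWW-Authenticate "Basic realm=\"restricted\""
        return
    }

    # allowed_users is a hypothetical data group for this example.
    if { ![class match -- $auth_user equals allowed_users] } {
        # Username is not on the list: deny before the request reaches the server.
        log local0. "Denied non-allowlisted user '$auth_user' from [IP::client_addr]"
        HTTP::respond 403 content "Access is Denied"
        return
    }

    # Allowlisted: let the server validate the password as usual.
    set user_allowed 1
}

when HTTP_RESPONSE {
    # The server rejected the credentials of an allowlisted user.
    # Here the 401 is replaced with a 403; drop this block to let the
    # server's own "ask again for credentials" response pass through.
    if { $user_allowed && [HTTP::status] == 401 } {
        log local0. "Server rejected credentials for allowlisted user '$auth_user'"
        HTTP::respond 403 content "Access is Denied"
    }
}
```

With this layout the list decides who may attempt to authenticate, while the server remains the only component that verifies the password.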