MSZ
Apr 06, 2016

How can we block the Basic Authentication Page?

HTTP/1.1 401 Unauthorized
Date: Tue, XX Mar XXXX 14:42:11 GMT
Www-authenticate: Basic realm="Oracle iPlanet Web Server"
Content-length: 223
Content-type: text/html
Connection: close

Unauthorized

Unauthorized
Proper authorization is required for this area. Either your browser does not perform authorization, or your authorization has failed.

3 Replies

  • Josiah_39459
    Historic F5 Account
    Can you give some more info on your situation? Sorry, I don't understand exactly what you are asking.
  • If you are using ASM, you can remove the 401 status code from Allowed Response Status Codes in the Policy Properties (advanced options).

    By doing this, if you are in blocking mode and Block is selected in your blocking settings for Illegal HTTP status in response, ASM will send a blocking page to the client, which is an HTTP 200 OK.

    Does this help?

  • Hi,

    What do you need exactly?

    If the server requests authentication, you won't be able to browse it before being authenticated.

    Do you want to deny access to password-protected resources on the web site?

    You can block the 401 response code and replace it with an "access denied" 403 response code in an iRule or with ASM.

    Do not forget to remove the Authorization header from the request, to prevent the user from inserting it even if the server never sent a 401 request.

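    when HTTP_REQUEST {
        # Drop any client-supplied credentials before the request reaches the server
        HTTP::header remove Authorization
    }

    when HTTP_RESPONSE {
        # Replace the server's 401 challenge with a 403 page
        if { [HTTP::status] eq "401" } {
            HTTP::respond 403 content {
                Denied
                Page Denied
            } noserver "Connection" "Close"
            return
        }
    }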
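
A way to confirm from the client side that either change took effect, as an added example that is not part of the thread: the Python below parses a captured raw response and reports whether a 401 status or a `WWW-Authenticate` challenge (including the realm string, which names the backend product) still reaches the client. Both sample responses are constructed, the first from the headers in the question and the second as a stand-in for the 403 the iRule sends; the function names are hypothetical.

```python
import re

# Constructed samples: the origin's 401 from the question, and a stand-in
# for the 403 that replaces it once the iRule (or ASM policy) is active.
ORIGIN_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Date: Tue, XX Mar XXXX 14:42:11 GMT\r\n"
    'Www-authenticate: Basic realm="Oracle iPlanet Web Server"\r\n'
    "Content-length: 223\r\n"
    "Content-type: text/html\r\n"
    "Connection: close\r\n"
    "\r\n"
    "Unauthorized"
)
REWRITTEN_403 = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Connection: Close\r\n"
    "\r\n"
    "Page Denied"
)

def parse_head(raw):
    """Return (status_code, [(lowercased header name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP response: %r" % lines[0])
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # header names are case-insensitive, so normalise them
            headers.append((name.strip().lower(), value.strip()))
    return int(m.group(1)), headers

def audit_response(raw):
    """List findings showing the Basic auth prompt still reaches the client."""
    status, headers = parse_head(raw)
    findings = []
    if status == 401:
        findings.append("status 401 reached the client")
    for name, value in headers:
        if name != "www-authenticate":
            continue
        scheme = value.split(None, 1)[0].lower() if value else ""
        realm = re.search(r'realm="([^"]*)"', value, re.I)
        findings.append("challenge scheme=%s realm=%s"
                        % (scheme, realm.group(1) if realm else "(none)"))
    return findings
```

An empty list from `audit_response` means neither the 401 status nor the challenge header was present in that response.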