> I want to say thank you all for your help and many different ways to solve
> my problem. I think the most -maybe all- will work in an ideal world without
> hard requirements through legacy client-applications. I don't want to hold
> on BASIC as auth-method because I like it so much, I prefer to kick that
> legacy application. ^^

Torsten,

If you have fixed it, then perhaps I should stop trying to help you. However I reviewed the previous posts, and think that there was a key aspect that I didn't mention before. So for the benefit of the email archive, I'll give it another go.

Set up your landing/index page to be public, i.e. no authentication. The AngularJS html/js/css/pngs all load freely. I assume that this isn't too much of an issue, e.g. you want to prevent people accessing the app unless they have logged in.

Then make all RestAPI calls to a sub-directory called say /api/. Add security restrictions to this sub-directory.

As the app starts up, any call to any rest api will return a 401. As all calls are ajax, no browser login popup. The global AngularJS ajax error handler I posted previously captures the response. So when the server detects no (or expired) session, it returns a 401, & AngularJS global error handler detects this & redirects to login page.

Login page captures credentials, posts to login api (which obviously needs to be not protected as well), and then upon success, sends a cookie (or auth token of some sort). Then AngularJS can send this cookie (or auth token) in each subsequent RestApi call, e voila.

I just tested the app I am developing that does this, in Edge, IE, Chrome & Firefox. All working perfectly. No "ugly" login dialog in sight.

The key point I neglected to mention in my earlier post is that you need to make sure that the host page is not behind the security. If you are unwilling to do this, then they will have to log in before accessing the app. In which case you can't really do anything about it.

HTH

Chris
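
The 401-to-login flow described in the message above, sketched as an AngularJS `$http` interceptor. This is an added example, not code from the thread or from the handler posted earlier; the login endpoint `/api/login`, the `/login` route, the `returnTo` parameter and the module name `app` are assumptions.

```javascript
var API_PREFIX = '/api/';      // protected REST sub-directory named in the post
var LOGIN_API = '/api/login';  // assumed: the login endpoint, excluded from the constraint
var LOGIN_ROUTE = '/login';    // assumed: client-side route of the public login page

// Accept only same-application paths as a post-login destination, so a crafted
// value cannot turn the login page into an open redirect.
function safeReturnPath(path) {
  if (typeof path !== 'string' || path.charAt(0) !== '/') { return '/'; }
  if (path.indexOf('//') === 0 || path.indexOf('\\') !== -1) { return '/'; }
  if (path.split('?')[0] === LOGIN_ROUTE) { return '/'; } // never loop back to login
  return path;
}

// Factory in the shape AngularJS expects for $httpProvider.interceptors.
function authInterceptor($q, $location) {
  return {
    responseError: function (rejection) {
      var url = (rejection.config && rejection.config.url) || '';
      var isApi = url.indexOf(API_PREFIX) === 0;
      var isLoginCall = url.split('?')[0] === LOGIN_API;
      // A 401 from the login API means bad credentials: leave it to the login form.
      if (rejection.status === 401 && isApi && !isLoginCall) {
        var here = safeReturnPath($location.url());
        $location.path(LOGIN_ROUTE).search('returnTo', here);
      }
      return $q.reject(rejection); // the original caller still sees the failure
    }
  };
}

// Registration runs only when AngularJS is loaded ('app' is a hypothetical module).
if (typeof angular !== 'undefined') {
  angular.module('app')
    .factory('authInterceptor', ['$q', '$location', authInterceptor])
    .config(['$httpProvider', function ($httpProvider) {
      $httpProvider.interceptors.push('authInterceptor');
    }]);
}
```

The login page should pass `returnTo` through `safeReturnPath` again before navigating, since the query string is user-controlled by then.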