Unauthorized response with XMLHttpRequest header
I use Spring Boot with Spring Security basic authentication. When I send a request with the wrong password, I'll receive a normal error message in the body:
{
"timestamp": "2018-01-15T11:59:31.837+0000",
"status": 401,
"error": "Unauthorized",
"message": "Bad credentials",
"path": "/karbonator/api/v1/wallet"
}

But when I add the additional header X-Requested-With: XMLHttpRequest to the request, I'll receive only status 401 and no body.

Code sample is here: https://github.com/rublin/XMLHttpRequest
Issue Analytics
- State:
- Created 6 years ago
- Comments:5 (4 by maintainers)

I think that Spring Security issue explains why it's a 401 rather than a 302 to a login page. It doesn't explain, to me anyway, why you get a 401 with a body in the first case and a 401 without a body in the second case.
I’ve dug into this a bit more.
Without the X-Requested-With: XMLHttpRequest header, DelegatingAuthenticationEntryPoint doesn't find a matching entry point so it falls back to the default. This is BasicAuthenticationEntryPoint. It calls sendError on the HttpServletResponse. This then results in the response being forwarded to Boot's custom error page that produces the expected JSON response body.

When the X-Requested-With: XMLHttpRequest header is sent, DelegatingAuthenticationEntryPoint finds a matching HttpStatusEntryPoint. It calls response.setStatus and, as it's not considered to be an error, an empty 401 response is returned.

This behaviour is out of Spring Boot's control so I am going to close this in favour of the Spring Security issue.
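
One way to get the same 401 body with and without the X-Requested-With header, as an added example that is not code from the issue or from Spring itself: a custom AuthenticationEntryPoint set on httpBasic() takes the place of the delegating entry point described above. It assumes Spring Security 5.x with the javax.servlet API; the class names ApiSecurityConfig and JsonBodyEntryPoint, the realm "api" and the JSON body are hypothetical.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;

@Configuration
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        AuthenticationEntryPoint entryPoint = new JsonBodyEntryPoint();
        http.authorizeRequests().anyRequest().authenticated()
            // Used by the Basic filter when the supplied credentials are rejected.
            .and().httpBasic().authenticationEntryPoint(entryPoint)
            // Used when a protected URL is requested with no credentials at all.
            .and().exceptionHandling().authenticationEntryPoint(entryPoint);
    }

    /** Hypothetical entry point: writes the body itself instead of relying on sendError. */
    static class JsonBodyEntryPoint implements AuthenticationEntryPoint {
        @Override
        public void commence(HttpServletRequest request, HttpServletResponse response,
                AuthenticationException authException) throws IOException {
            // setStatus (not sendError) means no forward to the error page,
            // so the body written below is what every client receives.
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.setHeader("WWW-Authenticate", "Basic realm=\"api\"");
            response.setContentType(MediaType.APPLICATION_JSON_VALUE);
            response.setCharacterEncoding("UTF-8");
            // Fixed body: the exception message is deliberately not echoed back.
            response.getWriter().write("{\"status\":401,\"error\":\"Unauthorized\"}");
        }
    }
}
```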