For a testing platform, we a have a typical basic authentication in front of our actual platform. The application server is a WildFly 14 with PrimeFaces as the frontend framework. In order for every JavaScript file not being downloaded separately, we also use the CombinedResourceHandler from OmniFaces.
However, on this beta platform we always got a 401 response for the request of the combined Javascript in Internet Explorer.
1 |
/javax.faces.resource/eNqNU...YFrkJkYw.js.jsf?ln=omnifaces.combined&v=1543504529329 |
Every other request was working fine.
After taking a look at the request headers, indeed the authorization header
1 |
Authorization: Basic a...Vj |
was missing.
The question was, why only for this request???
After taking a look at the source code, I noticed something strange i.e. crossorigin=“anonymous“.
1 2 |
<script type="text/javascript" src="/javax.faces.resource/eNq..._YFrkJkYw.js.jsf?ln=omnifaces.combined&v=1543504529329" crossorigin="anonymous"> |
This will lead to the browser not sending credentials for this request. Weirdly enough, this didn’t have any effect on the other browsers in combination with basic authentication.
But how can I get rid of this attribute? There seems to be no configuration option to remove this in OmniFaces directly. I took me quite some time to figure out a hack to remove this.
What I ended up doing, is to extend the CombinedResourceHandler and walk through the different UIComonents manually to remove the attribute.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
public class CustomCombinedResourceHandler extends CombinedResourceHandler { @SuppressWarnings("javadoc") public CustomCombinedResourceHandler(ResourceHandler wrapped) { super(wrapped); } @Override public void processEvent(SystemEvent event) { super.processEvent(event); FacesContext context = FacesContext.getCurrentInstance(); UIViewRoot view = context.getViewRoot(); Iterator it = view.getComponentResources(context, "head").iterator(); while (it.hasNext()) { UIComponent component = (UIComponent) it.next(); if ("javax.faces.resource.Script".equals(component.getRendererType())) { component.getPassThroughAttributes().remove("crossorigin"); } } } } |
Of course you then also have to register this new resource handler instead of the CombinedResourceHandler from Omnifaces in faces-config.xml:
1 2 3 4 5 6 7 8 9 |
<faces-config version="2.3" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-facesconfig_2_3.xsd"> <application> <resource-handler>com.illucit.listener.CustomCombinedResourceHandler</resource-handler> ... </application> </faces-config> |
Hope this article helps someone facing the same issues, that I did. Unfortunately, we cannot tell all customers to use a proper browser 🙂