
Basic auth across multiple directories


I have a web site for which I am using Apache for authentication (using basic auth for testing). It works just fine on all browsers. Now, I am trying to add the API that the web site uses to the authentication realm (using the same AuthName), and I am noticing the following behaviors:

On Safari it authenticates twice, once when going to the web site, and then again when it makes the API call. (I would prefer only to have to authenticate the first time.)

On both Chrome and Firefox it authenticates when I first go to the web site, but then it returns a 401 error when the web site makes the API call.

These are all on the same domain/port, so I do not see this being a CORS issue (especially since this works when I remove the authentication requirement for the API, which is then not locked down and hence, not desirable). I do have the same AuthName, FWIW, but that seems to have no effect.

My API config in httpd.conf is:

WSGIDaemonProcess rest_api user=gms  threads=5
WSGIScriptAlias /api /var/www/extjs/rest_api/rest_api.wsgi

<Location /api>
    Options +FollowSymLinks +Multiviews +Indexes
    AllowOverride None
    Order allow,deny
    Deny from all
    AuthType basic
    Satisfy Any
    AuthName "PrivateRepository"
    AuthUserFile /var/www/extjs/.htpasswd
    Require valid-user
</Location>

While the web site's is:

<VirtualHost *:80>
    ServerName cardiocatalogqt
    Alias /cardiocatalogqt /var/www/extjs/cardiocatalogqt

    <Location /cardiocatalogqt>
        Options +FollowSymLinks +Multiviews +Indexes
        AllowOverride None
        Order allow,deny
        Deny from all
        AuthType basic
        Satisfy Any
        AuthName "PrivateRepository"
        AuthUserFile /var/www/extjs/.htpasswd
        Require valid-user
    </Location>
</VirtualHost>

Solution

  • You'll need to rearrange the URLs so they have a common prefix if you want browsers to pre-emptively send basic auth credentials.
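
The common-prefix requirement comes from the "authentication scope" rule in RFC 7617, section 2.2; the sketch below is an added example (not code from the original post or from any browser) that applies that rule to the question's layout and to a rearranged one. The file names, the `/api/items` endpoint and the rearranged `/cardiocatalogqt/api` path are assumptions made for illustration, and real browsers may deviate from the RFC model.

```javascript
// Added example: models the RFC 7617 section 2.2 "authentication scope" rule.
// File names and API paths below are constructed for illustration.

// Scope = the authenticated URL with everything after the last "/" of the
// path removed (pathname always starts with "/", so a slash is always found).
function authScope(authenticatedUrl) {
  const u = new URL(authenticatedUrl);
  const dir = u.pathname.slice(0, u.pathname.lastIndexOf("/") + 1);
  return u.origin + dir;
}

// A client may send credentials without waiting for a 401 only when the
// target URL prefix-matches a scope it has already authenticated against.
function sentPreemptively(authenticatedUrl, requestUrl) {
  const t = new URL(requestUrl);
  return (t.origin + t.pathname).startsWith(authScope(authenticatedUrl));
}

// For each request, report whether it falls inside the scope learned at `entry`.
function report(entry, requests) {
  return requests.map((r) => ({ url: r, preemptive: sentPreemptively(entry, r) }));
}

const HOST = "http://cardiocatalogqt"; // ServerName from the question's VirtualHost
const ENTRY = `${HOST}/cardiocatalogqt/index.html`; // page where the user first logs in

// Layout from the question: site under /cardiocatalogqt, API under /api.
const current = report(ENTRY, [
  `${HOST}/cardiocatalogqt/app.js`,
  `${HOST}/api/items`,
]);

// Hypothetical rearranged layout: API moved below the site's prefix.
const rearranged = report(ENTRY, [
  `${HOST}/cardiocatalogqt/app.js`,
  `${HOST}/cardiocatalogqt/api/items`,
]);

console.log(authScope(ENTRY), current, rearranged);
```

In the question's layout the `/api` request lies outside the scope learned at `/cardiocatalogqt/`, so it is sent without an `Authorization` header and draws a fresh 401; in the rearranged layout both requests share the prefix.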